I have a box set up as a router using iptables (masquerade), logging all network traffic.

The problem:

Connections from LAN IPs to WAN show fine, i.e.:

SRC=192.168.32.10 -> DST=60.242.67.190

but for traffic coming from WAN to LAN it will show the WAN IP as the source, but the router's IP as the destination, then the router -> LAN IP. I.e.:

SRC=60.242.67.190 -> DST=192.168.32.199
SRC=192.168.32.199 (router) -> DST=192.168.32.10

How do I configure it so that it logs the conversations correctly?

SRC=192.168.32.10 -> DST=60.242.67.190
SRC=60.242.67.190 -> DST=192.168.32.10

Any help appreciated, cheers

4 Answers

The info you need is only in the connection tracking table. Have a look at conntrack(8) for how to get it. Logging it in real time might be tricky though, maybe something using -j ULOG and ulogd.

Aleksandar Ivanisevic


To log all of the information you want, you would need two log rules: one to log the data from the WAN interface to the router, and a second to log the packet from the router to the LAN host.

In other words, as the packet passes through your routing tables, the destination will be rewritten. If I understand correctly, you want to see that packet's information before it's rewritten, and after (so you can see which host it's going to).

The rules may look something like this. Existing rule which shows WAN to router:

iptables -I INPUT -m state --state NEW -j LOG --log-prefix " New Incoming Packet"

New Additional Rule:

iptables -I FORWARD -d LAN_HOST_IPADDR -m state --state NEW -j LOG --log-prefix " [>] NEW FORWARD"

Or for extra credit, and to keep things a little cleaner, create a new chain for traffic forwarded to the LAN host, something like this:

iptables -t nat -N forward_to_mypc
iptables -t nat -A forward_to_mypc -m state --state NEW -j LOG --log-prefix " [>] New Forward"
iptables -t nat -A forward_to_mypc -j DNAT --to <address_of_mypc>

Then use the new chain like this:

iptables -t nat -I PREROUTING -i <WANADAPTER> -p tcp --dport 3389 -j forward_to_mypc

That would forward any port 3389 TCP packets coming in on the WAN adapter to your LAN PC, and if the packet is new, it would get logged.

Moataz Elmasry
regulatre
  • What does `forward_to_mypc` look like? This is not really clear. – rubo77 Mar 01 '16 at 14:36
  • The `-N` parameter creates the `forward_to_mypc` table and then we append to it with `-A`. We build it up and then direct packets toward it with the PREROUTING rule that follows. – regulatre Mar 04 '16 at 20:14
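The two-rule variant above leaves the operator with two log lines per forwarded connection, one before DNAT (DST is still the router) and one after (DST is the LAN host). The Python below is an added example, not part of regulatre's answer: it stitches those pairs back into the single SRC -> DST conversation the question asks for, keyed on the fields that DNAT does not rewrite (protocol, WAN peer address and both ports). The log lines are constructed, and the prefixes are assumed to be the two used in the rules above.

```python
import re
from typing import Dict, List

# Key=value tokens the iptables LOG target writes; only those needed to identify a flow
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

# Prefixes from the two-rule variant above: before DNAT (DST still the router) and after (FORWARD)
PRE_PREFIX = "New Incoming Packet"
POST_PREFIX = "[>] NEW FORWARD"

# Constructed sample lines in LOG format; addresses are from the question, 203.0.113.7 is a
# documentation address standing in for a second WAN peer that talks to the router itself
SAMPLE_LOG = [
    "Feb 23 02:54:01 router kernel:  New Incoming Packet IN=eth0 OUT= SRC=60.242.67.190 "
    "DST=192.168.32.199 LEN=60 PROTO=TCP SPT=51234 DPT=3389 SYN URGP=0",
    "Feb 23 02:54:01 router kernel:  [>] NEW FORWARD IN=eth0 OUT=eth1 SRC=60.242.67.190 "
    "DST=192.168.32.10 LEN=60 PROTO=TCP SPT=51234 DPT=3389 SYN URGP=0",
    "Feb 23 02:54:05 router kernel:  New Incoming Packet IN=eth0 OUT= SRC=203.0.113.7 "
    "DST=192.168.32.199 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN URGP=0",
]

def parse_fields(line: str) -> Dict[str, str]:
    """Extract SRC/DST/PROTO/SPT/DPT from one LOG line (SPT/DPT are absent for ICMP)."""
    return dict(FIELD_RE.findall(line))

def flow_key(f: Dict[str, str]) -> tuple:
    """What DNAT leaves untouched: protocol, WAN peer address and both ports; only DST moves."""
    return (f.get("PROTO"), f.get("SRC"), f.get("SPT"), f.get("DPT"))

def correlate(lines: List[str]) -> List[str]:
    """Pair each pre-DNAT line with the post-DNAT line of the same flow; unmatched pre-DNAT
    lines were addressed to the router itself and are reported as such."""
    pending: Dict[tuple, Dict[str, str]] = {}
    records: List[str] = []
    for line in lines:
        f = parse_fields(line)
        if PRE_PREFIX in line:
            pending[flow_key(f)] = f
        elif POST_PREFIX in line:
            pre = pending.pop(flow_key(f), None)
            via = pre["DST"] if pre else "?"
            records.append(f"SRC={f['SRC']} -> DST={f['DST']} (arrived at {via}, {f['PROTO']} dport {f.get('DPT')})")
    for f in pending.values():
        records.append(f"SRC={f['SRC']} -> DST={f['DST']} (local to router, {f['PROTO']} dport {f.get('DPT')})")
    return records

if __name__ == "__main__":
    print("\n".join(correlate(SAMPLE_LOG)))
```

The same pairing works on the nat-chain variant if PRE_PREFIX is changed to its " [>] New Forward" prefix; return traffic is not covered here because conntrack already reverses it before the LAN-to-WAN rules log it.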
You can try logging in -t nat -L POSTROUTING before the -j SNAT --to-ip ... line.

HTH Oliver

  • I don't have the -j SNAT line. I have the logging configured as: iptables -t nat -A POSTROUTING -j LOG, the same for PREROUTING and OUTPUT. I also have: iptables -A OUTPUT -j LOG, the same for INPUT and FORWARDED. Are you saying I should change it to: iptables -t nat -L POSTROUTING -j LOG, dropping the -A switch? Cheers for the reply –  Feb 23 '10 at 02:54

$ iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

where eth0 is the router's WAN interface.

Razique