
I want to log all INPUT packets that do not originate in the LAN for audit purposes, I have a script with tcpdump basically appending to a file the result from this:

tcpdump "(dst net 192.168.0.0/24 and ! src net 192.168.0.0/24)"

however, I've seen some outside attempts in /var/log/syslog

[567325.985994] iptables INPUT denied: IN=eth1 OUT= MAC=..... SRC=69.163.149.200 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=50281 DF PROTO=TCP SPT=51380 DPT=1194 WINDOW=5840 RES=0x00 SYN URGP=0 
[567895.076532] iptables INPUT denied: IN=eth1 OUT= MAC=.... SRC=72.21.91.19 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=TCP SPT=80 DPT=52589 WINDOW=0 RES=0x00 RST URGP=0 

which don't show up in tcpdump output. I want to add a rule like

-A INPUT -j LOG

but I would like (if it makes sense) to avoid putting in the log input packets from the LAN

is it enough to put this?

-A INPUT ! -s 192.168.0.0/24 -j LOG

BTW, as a side question, does iptables support logging different things to different files?

user9517
lurscher

1 Answer


iptables always logs to syslog's kernel facility; you can separate your syslog facilities into different files - see the syslog.conf documentation for details.

Your rule

-A INPUT ! -s 192.168.0.0/24 -j LOG

would log packets which do not have the source IP 192.168.0.0/24, but the iptables logging only covers some of the packet header data, not the packet's payload.

So, how can I capture the payload?

tcpdump is the tool that would capture payload. You should either specify the interface you expect the traffic to come in at explicitly (-i eth1) or use any interface (-i any). You might also want to increase the snaplen (-s parameter) and write the capture to a file in binary format (-W parameter).

But due to the fact that tcpdump is not a security tool but a diagnosis tool with a difficult security history and probably runs with root privileges in your config (although there are ways to run it non-root), you should consider a different solution written with security in mind - IDS systems might be suitable.

the-wabbit
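An added example (not code from the question or the answer) that ties the pieces of this thread together in shell: the asker's `! -s` LOG rule extended with a `--log-prefix` and a rate limit, an rsyslog fragment that answers the side question about separate files, the tcpdump invocation with the interface, snaplen and write-to-file flags the answer names (lowercase `-w` writes the capture; uppercase `-W` sets the number of rotated files), and an awk summary for reviewing the resulting log. The LAN range 192.168.0.0/24 and interface eth1 come from the thread; the prefix, the file paths, the rsyslog fragment path and the sample log lines are constructed assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Assumptions made here:
# the LAN is 192.168.0.0/24, the outside interface is eth1, the syslog daemon is
# rsyslog, and the log prefix and file names are chosen for this example only.

LAN_NET="192.168.0.0/24"
EXT_IF="eth1"
LOG_PREFIX="IPT-EXT-IN "          # trailing space keeps the prefix separate from IN=

# The asker's rule with two additions: --log-prefix so the syslog daemon can route
# these lines to their own file, and a rate limit so a flood from outside cannot
# fill the disk (entries beyond the limit are silently dropped, which is the
# trade-off for an audit log). LOG is non-terminating: the packet continues to the
# following rules exactly as before.
log_rule() {
    printf 'iptables -A INPUT ! -s %s -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "%s" --log-level 4\n' \
        "$LAN_NET" "$LOG_PREFIX"
}

# rsyslog fragment (assumed path /etc/rsyslog.d/10-iptables.conf). Kernel messages
# carry a "[seconds.micros]" timestamp ahead of the prefix, so match with
# "contains" rather than "startswith". "& stop" discards the line afterwards so it
# does not also land in /var/log/syslog (rsyslog 7+; older releases use "& ~").
rsyslog_conf() {
    cat <<EOF
:msg, contains, "$LOG_PREFIX" -/var/log/iptables-external.log
& stop
EOF
}

# Payload capture on the outside interface: -i selects the interface, -s 0 lifts
# the snaplen to the whole packet, lowercase -w writes binary pcap (uppercase -W
# is the count of rotated files). The BPF filter is the one from the question.
tcpdump_cmd() {
    printf 'tcpdump -n -i %s -s 0 -w /var/log/external-in.pcap "dst net %s and not src net %s"\n' \
        "$EXT_IF" "$LAN_NET" "$LAN_NET"
}

# Reviewing the resulting file: count hits per source, protocol and destination
# port. Reads syslog lines on stdin and keeps only those carrying the prefix.
summarize_log() {
    grep -F -- "$LOG_PREFIX" | awk '{
        src = ""; dpt = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^SRC=/)   src   = substr($i, 5)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
        }
        if (src != "") n[src " " proto " " dpt]++
    } END { for (k in n) print n[k], k }' | sort -rn
}

# Constructed sample lines, modelled on the two syslog entries in the question but
# carrying this example's prefix. The second is a TCP RST from port 80, i.e. a
# reply to something this host sent; an
# "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" rule placed before the
# LOG rule keeps such replies out of the audit log.
SAMPLE_LOG='[567325.985994] IPT-EXT-IN IN=eth1 OUT= MAC=... SRC=69.163.149.200 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=50281 DF PROTO=TCP SPT=51380 DPT=1194 WINDOW=5840 RES=0x00 SYN URGP=0
[567895.076532] IPT-EXT-IN IN=eth1 OUT= MAC=... SRC=72.21.91.19 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=TCP SPT=80 DPT=52589 WINDOW=0 RES=0x00 RST URGP=0
Jan  1 00:00:00 host sshd[1]: unrelated line that the prefix filter drops'

if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
    eval "$(log_rule)"
    rsyslog_conf > /etc/rsyslog.d/10-iptables.conf
    echo "Now restart rsyslog and start the capture with:"
    tcpdump_cmd                      # long-running; run it under a supervisor
else
    echo "Dry run (set APPLY=1 and run as root to install the rule and rsyslog fragment):"
    log_rule
    rsyslog_conf
    tcpdump_cmd
    echo "Summary of the constructed sample log:"
    printf '%s\n' "$SAMPLE_LOG" | summarize_log
fi
```

Run without arguments the script only prints what it would do and summarises the embedded sample; the awk summary is the part worth keeping around, since `tail -f` on a raw LOG file is hard to read once outside traffic picks up.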