SOLVED Re: [CLUE-Tech] turning on verbose logging for iptables?
Dave Price
davep at kinaole.org
Wed Jul 17 18:58:53 MDT 2002
On Wed, Jul 17, 2002 at 06:28:39PM -0600, David Anselmi wrote:
>
> I think you use the LOG target in iptables--don't know how that impacts
> other rules or how easy it is to set up. It probably isn't designed for
> what you want and I don't know if there is debug type logging where
> netfilter just tells you what it's doing. That may be a compile time thing.
>
> To do what you want, I would use a sniffer. You could run it on the
> firewall, either end of the vpn, or something on a common LAN segment
> (on a hub, preferably). Ethereal is pretty easy to use and has a GUI; tcpdump
> is command line. Set the sniffer up for just the source and dest IPs
> you care about and it will show you all the ports and what they get used
> for.
>
> The first time I turned on tcpdump, I saw a continual arp sweep by my
> DSL modem. I assume that is part of its dhcp server but haven't dug
> into it yet. At least now I know why the activity lights blink all the
> time.
I got a nice bit of iptables script from the debian-firewall list:
<snip>
sourceIPtoSpy=192.0.2.10  # the host to watch (placeholder address; set your own)
iptables -N LOGIT # special chain to log traffic to/from that one host
iptables -A LOGIT -m state --state ESTABLISHED -j RETURN # skip packets of connections conntrack already knows, so each flow is logged at its first packet rather than on every packet (this does not exclude IP fragments; the -f match does that)
iptables -A LOGIT -j LOG
iptables -A LOGIT -j RETURN # back to FORWARD, so the normal rules still decide the packet's fate
iptables -I FORWARD -s $sourceIPtoSpy -j LOGIT # -I puts these first in FORWARD so no earlier ACCEPT/DROP can swallow a packet unlogged
iptables -I FORWARD -d $sourceIPtoSpy -j LOGIT
It will not change anything in your firewall rules except it will log
*everything* (except fragments) from that $sourceIPtoSpy.
</snip>
This looks fun and comes with a warning about the size of the logs that I
might create ...
I also like the suggestion about tcpdump on the firewall - just for
general principles!
Thanks for the input.
aloha,
dave
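An added example, not from this post or either mailing list: a small Python script that turns the kernel log lines the LOG target writes (kern.log or dmesg) into a per-flow port summary, which is the "what ports get used" answer the thread is after. The log lines are constructed for this example, the addresses are RFC 5737 documentation ranges, and the "SPY: " prefix assumes the LOG rule was given --log-prefix 'SPY: '; the bare -j LOG in the rules above writes no prefix, which the default prefix="" handles. The function and variable names are this example's own.

```python
"""Summarise netfilter LOG target output per flow (added example)."""
import re
from collections import Counter

# Constructed sample of kernel log lines in the LOG target's format. The "OTHER: "
# line stands for a LOG rule with a different prefix; the sshd line is ordinary
# syslog noise. Both are there to show what gets ignored.
SAMPLE_LOG = """\
Jul 17 18:58:53 fw kernel: SPY: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF PROTO=TCP SPT=34567 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 17 18:58:54 fw kernel: SPY: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.20 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=12346 DF PROTO=UDP SPT=40001 DPT=500 LEN=56
Jul 17 18:58:55 fw kernel: SPY: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12347 DF PROTO=TCP SPT=34568 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 17 18:58:56 fw kernel: SPY: IN=eth0 OUT=eth1 SRC=198.51.100.20 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Jul 17 18:58:57 fw kernel: SPY: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.20 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=12348 FRAG:185 PROTO=UDP
Jul 17 18:58:58 fw kernel: OTHER: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.1 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=999 PROTO=TCP SPT=1234 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 17 18:58:59 fw sshd[123]: Accepted publickey for dave from 192.0.2.10 port 34570 ssh2
"""

# Only the fields a flow summary needs. ID= is left out on purpose: ICMP lines carry
# a second ID= (the echo identifier) that would overwrite the IP header's one.
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT|TYPE|CODE)=(\S*)")
FRAG_RE = re.compile(r"\bFRAG:(\d+)")


def parse_log_line(line, prefix=""):
    """Return the LOG fields of one syslog line as a dict, or None for anything else.

    prefix is the --log-prefix string; the default "" accepts any LOG line, which is
    what the bare "-j LOG" rule produces.
    """
    _, sep, rest = line.partition("kernel: ")
    if not sep or not rest.startswith(prefix):
        return None
    fields = dict(FIELD_RE.findall(rest))
    # A kernel message without these three did not come from the LOG target.
    if not all(k in fields for k in ("SRC", "DST", "PROTO")):
        return None
    m = FRAG_RE.search(rest)
    fields["FRAG"] = int(m.group(1)) if m else 0  # offset in 8-byte units, 0 = not a later fragment
    return fields


def flow_key(fields):
    """Collapse a parsed line to (src, dst, proto, service) so repeats can be counted."""
    proto = fields["PROTO"]
    if fields["FRAG"]:
        # A non-first fragment has no transport header, so LOG prints no SPT/DPT.
        # Count it as "fragment" instead of guessing a port.
        service = "fragment"
    elif proto == "ICMP":
        service = "type=" + fields.get("TYPE", "?")
    else:
        service = "dport=" + fields.get("DPT", "?")
    return (fields["SRC"], fields["DST"], proto, service)


def summarize(log_text, prefix=""):
    """Count logged packets per flow over a whole log; returns a Counter keyed by flow_key."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line, prefix)
        if fields is not None:
            counts[flow_key(fields)] += 1
    return counts


if __name__ == "__main__":
    for (src, dst, proto, service), n in summarize(SAMPLE_LOG, "SPY: ").most_common():
        print(f"{n:5d}  {src:>15} -> {dst:<15} {proto:<5} {service}")
```

Feed it the real log with something like summarize(open("/var/log/kern.log").read(), "SPY: "). With the ESTABLISHED shortcut in the chain above, each count is roughly one per connection rather than one per packet; without it the counts are per packet and the log grows as fast as the warning in the thread suggests.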