SnapGear 1.7.8 manual Iptables -I Forward -j LOG -i eth+ -o eth+ -p tcp

Page 103

iptables -I FORWARD -j LOG -p tcp --syn -s 5.6.7.8/32 -d 192.168.1.1 --dport 25 --log-prefix "Mail for flubber: "

This will result in log output something like this:

<12> Jan 24 18:17:19 2000 klogd: Mail for flubber: IN=eth1 OUT=eth0 SRC=5.6.7.8 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=45507 DF PROTO=TCP SPT=4088 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0

Note how the OUT value has now changed to show which interface the access attempt will use to reach the internal host. As this request arrived on eth1 and was destined for eth0, we can determine that it was an inbound request, since eth0 is the LAN port, and eth1 is usually the WAN port.

An outbound request would have IN=eth0 and OUT=eth1.

It is possible to use the -iand -oarguments to specify the interface that are to be considered for IN and OUT respectively. When the ! argument is used before the interface name, the sense is inverted. If the name ends in a +, then any interface which begins with this name will match. e.g.

iptables -I FORWARD -j LOG -i eth0 -p tcp ...

This rule will log outbound from the LAN (eth0) only. We could limit that further by specifying which interface it is outbound to, by using the -ooption.

iptables -I FORWARD -j LOG -i eth0 -o eth1 -p tcp ...

This will log LAN traffic destined for the WAN – but won't log LAN traffic destined for a PPP or perhaps IPSec link.

Similarly, we could construct a rule that looks at all inbound/outbound traffic, but excludes VPN traffic, thus:

iptables -I FORWARD -j LOG -i eth+ -o eth+ -p tcp ...

If we just wanted to look at traffic which went out to the IPSec world, we could use:

iptables -I FORWARD -j LOG -o ipsec+

100

Appendix B – System Log

Image 103

Contents Rev May 2nd Table of contents Virtual Private Networking Introduction Term Meaning TerminologyLAN TCP/IP Document conventionsStep Chapter Installing and configuring your SnapGear applianceLEDs Your SnapGear applianceLabel Activity Description SnapGear appliance back panels Network interconnections Software features SnapGear appliance featuresLAN link features Internet link featuresDial-in connection features Environmental features Getting started Static IP reset10.0.0.0 10.255.255.255 10/8 prefix New Networks192.168.0.0 192.168.0.255 192.168.0/24 prefix Configuring the SnapGear appliance on your network Page Set up IP addresses Multiple SnapGear appliances were found on the network Your SnapGear appliance was found on the networkYour SnapGear appliance needs an IP address SnapGear Management Console web administration pages Administrative passwordUsing linsetip Initial setup using LinuxPing -b subnet broadcast address Arp -a Using an existing local Dhcp or Bootp serverEdit the /etc/inetd.conf file Configuring a new local Dhcp or Bootp serverSnapGear Quick Setup LAN port quick setup LAN port quick setupISP connection quick setup ISP connection quick setupGetting started Configuring the PCs on your network TCP/IP properties Physically connect modem device Connecting to the InternetConnect to Internet cable modem Select Internet connectionConnect to Internet Adsl Connect to Internet modem Connect to Internet directField Description ISP. The Password and Confirm Password fields mustInternet failover Advanced configuration optionFollowing figure shows the failover configuration screen Failed connection Establishing the connection Configure PCs to use SnapGear appliance Internet gatewayDial-in server configuration Dial-in server configuration Dial-in setup Dial-in setupField Description Dial-in user account creation Dial-in user accountsFollowing figure shows the user maintenance screen Account list Dial-in password errorFor Windows 95 and Windows Remote user configurationServer types Connect to dialogue box WindowsClick Next to continue 11 Connection availability 13 Remote access login screen IP configuration Network configurationNetwork configuration Advanced IP configuration Advanced IP configurationNetwork configuration Dhcp server Dhcp server configurationNetwork configuration Traffic shaping Advanced networkingAdditional routes Firewall Incoming accessIncoming access configuration Incoming access administration servicesConfigure external access to services External access to servicesPort forwarding Port forwarding configurationSecurity group classes configuration Outgoing accessFirewall rules Outgoing access settingsIntrusion detection and blocking Intrusion detection and blocking configurationPage Content filtering Content filtering Filtering Level Description Filtering levels and reportingVirtual Private Networking 1VPN tunneling using the Pptp serverPptp client setup Pptp client configuration Pptp server setup Pptp server setup Enable and configure the Pptp VPN serverField Description 4PPTP VPN server accounts screen Configuring user accounts for VPN serverVirtual Private Networking VPN Pptp IP address Configuring the remote VPN clientVirtual Private Networking Windows 95 and Windows VPN client setupYour VPN client is now set up correctly Windows NT Network and dial-up connections This displays the Destination Address window Connecting the remote VPN client 12 IPSec setup IPSec setup13 Add new IPSec connection Virtual Private Networking 14 Automatic keying setup Technique Description Aggressive mode phase 1 settingsIPSec interoperability System PasswordTime server Advanced DiagnosticsReset button Flash upgradeTechnical support Technical supportLED Pattern Status Action Appendix a LED status patternsAppendix B System Log Access LoggingPpp Default DenyEth0 Eth1Creating Custom Log Rules Forward Iptables -I Forward -j LOG -i eth+ -o eth+ -p tcp Rate Limiting Administrative Access LoggingBoot Log Messages