Iptables -I Forward -j LOG -i eth+ -o eth+ -p tcp | SnapGear 1.7.8

iptables -I FORWARD -j LOG -p tcp --syn -s 5.6.7.8/32 -d 192.168.1.1 --dport 25 --log-prefix "Mail for flubber: "

This will result in log output something like this:

<12> Jan 24 18:17:19 2000 klogd: Mail for flubber: IN=eth1 OUT=eth0 SRC=5.6.7.8 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=45507 DF PROTO=TCP SPT=4088 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0

Note how the OUT value has now changed to show which interface the access attempt will use to reach the internal host. As this request arrived on eth1 and was destined for eth0, we can determine that it was an inbound request, since eth0 is the LAN port, and eth1 is usually the WAN port.

An outbound request would have IN=eth0 and OUT=eth1.

It is possible to use the -iand -oarguments to specify the interface that are to be considered for IN and OUT respectively. When the ! argument is used before the interface name, the sense is inverted. If the name ends in a +, then any interface which begins with this name will match. e.g.

iptables -I FORWARD -j LOG -i eth0 -p tcp ...

This rule will log outbound from the LAN (eth0) only. We could limit that further by specifying which interface it is outbound to, by using the -ooption.

iptables -I FORWARD -j LOG -i eth0 -o eth1 -p tcp ...

This will log LAN traffic destined for the WAN – but won't log LAN traffic destined for a PPP or perhaps IPSec link.

Similarly, we could construct a rule that looks at all inbound/outbound traffic, but excludes VPN traffic, thus:

iptables -I FORWARD -j LOG -i eth+ -o eth+ -p tcp ...

If we just wanted to look at traffic which went out to the IPSec world, we could use:

iptables -I FORWARD -j LOG -o ipsec+

100

Appendix B – System Log

Image 103

SnapGear 1.7.8 manual Iptables -I Forward -j LOG -i eth+ -o eth+ -p tcp

Contents

Rev May 2nd Table of contents Virtual Private Networking Introduction Term Meaning Terminology LAN TCP/IP Document conventions Step Chapter Installing and configuring your SnapGear appliance LEDs Your SnapGear applianceLabel Activity Description SnapGear appliance back panels Network interconnections Software features SnapGear appliance features LAN link features Internet link featuresDial-in connection features Environmental features Getting started Static IP reset 10.0.0.0 10.255.255.255 10/8 prefix New Networks 192.168.0.0 192.168.0.255 192.168.0/24 prefix Configuring the SnapGear appliance on your network Page Set up IP addresses Multiple SnapGear appliances were found on the network Your SnapGear appliance was found on the network Your SnapGear appliance needs an IP address SnapGear Management Console web administration pages Administrative password Using linsetip Initial setup using Linux Ping -b subnet broadcast address Arp -a Using an existing local Dhcp or Bootp server Edit the /etc/inetd.conf file Configuring a new local Dhcp or Bootp server SnapGear Quick Setup LAN port quick setup LAN port quick setup ISP connection quick setup ISP connection quick setup Getting started Configuring the PCs on your network TCP/IP properties Physically connect modem device Connecting to the Internet Connect to Internet cable modem Select Internet connectionConnect to Internet Adsl Connect to Internet modem Connect to Internet direct Field Description ISP. The Password and Confirm Password fields must Internet failover Advanced configuration option Following figure shows the failover configuration screen Failed connection Establishing the connection Configure PCs to use SnapGear appliance Internet gateway Dial-in server configuration Dial-in server configuration Dial-in setup Dial-in setup Field Description Dial-in user account creation Dial-in user accounts Following figure shows the user maintenance screen Account list Dial-in password error For Windows 95 and Windows Remote user configuration Server types Connect to dialogue box Windows Click Next to continue 11 Connection availability 13 Remote access login screen IP configuration Network configuration Network configuration Advanced IP configuration Advanced IP configuration Network configuration Dhcp server Dhcp server configuration Network configuration Traffic shaping Advanced networkingAdditional routes Firewall Incoming access Incoming access configuration Incoming access administration services Configure external access to services External access to services Port forwarding Port forwarding configuration Security group classes configuration Outgoing access Firewall rules Outgoing access settings Intrusion detection and blocking Intrusion detection and blocking configurationPage Content filtering Content filtering Filtering Level Description Filtering levels and reporting Virtual Private Networking 1VPN tunneling using the Pptp server Pptp client setup Pptp client configuration Pptp server setup Pptp server setup Enable and configure the Pptp VPN server Field Description 4PPTP VPN server accounts screen Configuring user accounts for VPN server Virtual Private Networking VPN Pptp IP address Configuring the remote VPN client Virtual Private Networking Windows 95 and Windows VPN client setup Your VPN client is now set up correctly Windows NT Network and dial-up connections This displays the Destination Address window Connecting the remote VPN client 12 IPSec setup IPSec setup 13 Add new IPSec connection Virtual Private Networking 14 Automatic keying setup Technique Description Aggressive mode phase 1 settings IPSec interoperability System PasswordTime server Advanced Diagnostics Reset button Flash upgrade Technical support Technical support LED Pattern Status Action Appendix a LED status patterns Appendix B System Log Access Logging Ppp Default DenyEth0 Eth1 Creating Custom Log Rules Forward Iptables -I Forward -j LOG -i eth+ -o eth+ -p tcp Rate Limiting Administrative Access Logging Boot Log Messages