
Thread: Logging NAT Transactions

  1. #1
    Join Date
    Apr 2009
    Beans
    35

    Logging NAT Transactions

    Hi Guys,

    Quite new to Linux and have been playing quite heavily with iptables/conntrack for the past few weeks. I have searched high and low for this answer and am sure it can be done, somehow. Basically, I masquerade quite a lot of connections, but I now need to be able to track who had what IP/src port at what time by logging the NEW and TEARDOWN NAT translations. Is this possible?

  2. #2
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    8,092
    Distro
    Kubuntu Development Release

    Re: Logging NAT Transactions

    Just write a rule with syntax identical to the rule you want to log and put the new rule above the old one.

    For instance, I usually have a catch-all rule at the bottom of the iptables ruleset to deny all unmatched traffic. I'll usually include a logging rule just above it like this:

    Code:
    /sbin/iptables -A INPUT -j LOG
    /sbin/iptables -A INPUT -j REJECT
    You can use the --log-prefix option to tag packets that match a particular rule.

  3. #3
    Join Date
    Apr 2009
    Beans
    35

    Re: Logging NAT Transactions

    Yes, but if I am NATting I want something like srcIP srcPort destIP destPort NatAddress NatSrcPort. Something similar to conntrack -E output maybe, but logging to a file. I can do this with Cisco ACEs (on large-scale NAT); I was wondering if it could be done on Linux as well. Unsure if you can match against transaction status events, i.e. teardown.
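The format asked for above (srcIP srcPort destIP destPort NatAddress NatSrcPort, plus the time and whether it is the NEW or the DESTROY event) can be produced by parsing `conntrack -E` event lines. The script below is an added example, not code from anyone in this thread: it reads `conntrack -E -e NEW,DESTROY -o timestamp` (real options of the conntrack-tools CLI), takes the first src/dst/sport/dport tuple of each line as the original direction and the second as the reply direction, and records the reply tuple's dst/dport as the masqueraded address and port. The sample event lines, the log file path and the function names are constructed for illustration; the parser skips flows whose reply destination equals the original source, i.e. flows that were not source-NATed.

```python
"""Log masqueraded NAT translations from `conntrack -E` to a flat file.

Added example (not from the thread). Assumes a Linux router running
conntrack-tools; the script must run as root to read the event stream.
Output line: <UTC time> <NEW|DESTROY> <proto> srcIP srcPort destIP destPort NatAddress NatSrcPort
"""
import re
import subprocess
import sys
import time

# Constructed sample of what `conntrack -E -e NEW,DESTROY -o timestamp`
# prints: a masqueraded TCP flow (NEW, UPDATE, DESTROY), a masqueraded UDP
# flow whose source port was remapped (53000 -> 1025), and a flow from the
# router's own address that is not NATed at all.
SAMPLE_EVENTS = [
    "[1300000000.000000]\t    [NEW] tcp      6 120 SYN_SENT src=192.168.1.20 dst=198.51.100.7 sport=51234 dport=80 [UNREPLIED] src=198.51.100.7 dst=203.0.113.5 sport=80 dport=51234",
    "[1300000001.000000]\t [UPDATE] tcp      6 60 SYN_RECV src=192.168.1.20 dst=198.51.100.7 sport=51234 dport=80 src=198.51.100.7 dst=203.0.113.5 sport=80 dport=51234",
    "[1300000002.000000]\t    [NEW] udp      17 30 src=192.168.1.30 dst=198.51.100.9 sport=53000 dport=53 [UNREPLIED] src=198.51.100.9 dst=203.0.113.5 sport=53 dport=1025",
    "[1300000003.000000]\t    [NEW] tcp      6 120 SYN_SENT src=203.0.113.5 dst=198.51.100.7 sport=40000 dport=22 [UNREPLIED] src=198.51.100.7 dst=203.0.113.5 sport=22 dport=40000",
    "[1300000120.000000]\t[DESTROY] tcp      6 src=192.168.1.20 dst=198.51.100.7 sport=51234 dport=80 packets=12 bytes=1400 src=198.51.100.7 dst=203.0.113.5 sport=80 dport=51234 packets=10 bytes=9000",
]

_EVENT_RE = re.compile(r"\[(NEW|UPDATE|DESTROY)\]")
_TS_RE = re.compile(r"^\[(\d+)\.(\d+)\]")          # "-o timestamp" prefix
_KV_RE = re.compile(r"\b(src|dst|sport|dport)=(\S+)")


def parse_event(line):
    """Parse one conntrack event line into a translation record.

    Returns None for UPDATE events, unparsable lines, and flows that were
    not source-NATed (reply dst/dport equal to original src/sport).
    ICMP flows have no sport/dport; those fields come back as None."""
    m = _EVENT_RE.search(line)
    if not m or m.group(1) == "UPDATE":
        return None
    event = m.group(1)
    ts = _TS_RE.match(line)
    when = float(ts.group(1) + "." + ts.group(2)) if ts else time.time()
    proto = line[m.end():].split()[0]               # tcp, udp, icmp, ...
    kv = _KV_RE.findall(line)
    starts = [i for i, (k, _) in enumerate(kv) if k == "src"]
    if len(starts) != 2:                            # need both directions
        return None
    orig = dict(kv[starts[0]:starts[1]])            # LAN host -> Internet
    reply = dict(kv[starts[1]:])                    # Internet -> public IP
    rec = {
        "time": when, "event": event, "proto": proto,
        "src": orig.get("src"), "sport": orig.get("sport"),
        "dst": orig.get("dst"), "dport": orig.get("dport"),
        "nat_addr": reply.get("dst"), "nat_sport": reply.get("dport"),
    }
    if rec["src"] == rec["nat_addr"] and rec["sport"] == rec["nat_sport"]:
        return None                                 # no source NAT applied
    return rec


def format_record(rec):
    """Render a record as one space-separated log line (UTC timestamp)."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(rec["time"]))
    return " ".join([stamp, rec["event"], rec["proto"],
                     rec["src"], rec["sport"] or "-",
                     rec["dst"], rec["dport"] or "-",
                     rec["nat_addr"], rec["nat_sport"] or "-"])


def parse_stream(lines):
    """Parse an iterable of event lines, dropping the ones we do not log."""
    return [r for r in (parse_event(l) for l in lines) if r is not None]


def main(logfile):
    # Follow the live event stream; NEW marks the translation being created
    # and DESTROY its teardown, so both ends of "who had what port when" land
    # in the log. The log path is an assumption for this example.
    cmd = ["conntrack", "-E", "-e", "NEW,DESTROY", "-o", "timestamp"]
    with open(logfile, "a", buffering=1) as out, \
         subprocess.Popen(cmd, stdout=subprocess.PIPE, text=True) as proc:
        for line in proc.stdout:
            rec = parse_event(line)
            if rec is not None:
                out.write(format_record(rec) + "\n")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "/var/log/nat-translations.log")
```

Run it under a supervisor so it restarts if conntrack exits, and make sure the conntrack event socket is not overrun on a busy box: `conntrack -E` reports dropped events to stderr, and a dropped DESTROY means a flow with no recorded teardown. The `-o timestamp` value is the time userspace received the event, which is accurate enough for correlating with an abuse report; kernel-side timestamps (`-o ktimestamp`) additionally need `net.netfilter.nf_conntrack_timestamp=1`.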

  4. #4
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    1,321
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Logging NAT Transactions

    There may be an easier way, but what I do is two tcpdump sessions always running on my system saving the data as files, one on the LAN side and one on the WAN side. The tcpdump files are in 10-minute chunks, auto-changing. Then, if I need to trace back something, I figure it out as a post-process.

    For example, I got an e-mail from my ISP one time saying that I had been a bad boy. Given the time range of the issue, I was easily able to isolate the issue down to my nephew's computer, when it was on my LAN one time so he could print a homework assignment.
