* RE: logging mac address
@ 2003-07-15 23:23 George Vieira
  2003-07-16  2:24 ` Ramin Dousti
  0 siblings, 1 reply; 7+ messages in thread
From: George Vieira @ 2003-07-15 23:23 UTC (permalink / raw)
  To: Ramin Dousti, Antonio Paulo Salgado Forster; +Cc: netfilter

>>It makes sense though that you don't get that in FORWARD since the routing
decision has not yet been made.

Sorry, that's not true: the routing decision HAS been made, which is why it's FORWARDing onto another interface. But remember that MAC addresses are visible only as they come off the wire.. that's what I've found.. so INPUT and PREROUTING see it, but once they are in, the MACs are dropped off into limbo...

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

Phone   : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
 



* Re: logging mac address
  2003-07-15 23:23 logging mac address George Vieira
@ 2003-07-16  2:24 ` Ramin Dousti
  0 siblings, 0 replies; 7+ messages in thread
From: Ramin Dousti @ 2003-07-16  2:24 UTC (permalink / raw)
  To: George Vieira; +Cc: Antonio Paulo Salgado Forster, netfilter

On Wed, Jul 16, 2003 at 09:23:38AM +1000, George Vieira wrote:

> >>It makes sense though that you don't get that in FORWARD since the routing
> decision has not yet been made.
> 
> Sorry, that's not true, routing decision HAS been made

Absolutely. This was my nonsense of the day...



* Re: logging mac address
  2003-07-15 21:25     ` Antonio Paulo Salgado Forster
@ 2003-07-15 23:03       ` Ramin Dousti
  0 siblings, 0 replies; 7+ messages in thread
From: Ramin Dousti @ 2003-07-15 23:03 UTC (permalink / raw)
  To: Antonio Paulo Salgado Forster; +Cc: netfilter

On Tue, Jul 15, 2003 at 06:25:20PM -0300, Antonio Paulo Salgado Forster wrote:

>       Thanks for the response.  I'm using the same rule for logging on the
> input and forward  CHAINS ;-) but the behavior of the rule is different
> depending on what chain it's in.. for input, by default it shows the MAC
> addresses, but for forward, no MAC address is shown.

OK. I think I learned something today. It seems the only chains giving you
the MAC is INPUT in filter and PREROUTING in mangle.

It makes sense though that you don't get that in FORWARD since the routing
decision has not yet been made.

On the other hand it also makes sense that you don't get it for the outgoing
packets (POSTROUTING) as the MAC info belongs to another subsystem and is
"apparently" not available to netfilter...

Ramin

> 
>       For instance:
> 
> iptables -A INPUT -j LOG --log-level notice --log-prefix " INPUT BLOCK: "
> iptables -A FORWARD -j LOG --log-level info --log-prefix " FORWARD BLOCK: "
> 
> 
> Jul 15 17:51:25 fw kernel:  INPUT BLOCK: IN=eth0 OUT=
> MAC=00:xx:xx:xx:xx:xx:00:yy:yy:yy:yy:yy:yy:00 SRC=t.t.t.t DST=r.r.r.r
> LEN=64 TOS=0x00 PREC=0x00 TTL=128 ID=57828 PROTO=UDP SPT=1756 DPT=53 LEN=44
> 
> Jul 15 18:22:31 fw kernel:  FORWARD BLOCK: IN=eth0 OUT=eth1 SRC=x.x.x.x
> DST=y.y.y.y LEN=1492 TOS=0x00 PREC=0x00 TTL=253 ID=37603 DF PROTO=ICMP
> TYPE=8 CODE=0 ID=0 SEQ=2
> 
> Any hints? Thanks
> 
> Forster
> 
> 
> 
> 
> Ramin Dousti <ramin@cannon.eng.us.uu.net>@lists.netfilter.org on 07/15/2003
> 05:59:36 PM
> 
> Sent by:    netfilter-admin@lists.netfilter.org
> 
> 
> To:    aforster@br.ibm.com
> cc:    netfilter@lists.netfilter.org
> Subject:    Re: logging mac address
> 
> 
> 
> On Tue, Jul 15, 2003 at 05:06:04PM -0300, Antonio Paulo Salgado Forster
> wrote:
> 
> >
> >
> > Hello all,
> >
> >       Is there any known way to log the mac address for packets blocked on
> > the forward table just like in the input table? I've been searching the
> > archives and documentation but found nothing so far.
> 
> forward and input are chains and not tables. nat, mangle and filter are
> tables. But anyhow, you just use the same rule for logging that you
> used for INPUT logging and replace INPUT with FORWARD. You also need
> to make sure what and where you're logging so that you don't DoS yourself.
> 
> Ramin
> 
> >
> > Thanks in advance.
> >
> > Forster
> >
> >
> 
> 
> 



* Re: logging mac address
  2003-07-15 20:59   ` Ramin Dousti
@ 2003-07-15 21:25     ` Antonio Paulo Salgado Forster
  2003-07-15 23:03       ` Ramin Dousti
  0 siblings, 1 reply; 7+ messages in thread
From: Antonio Paulo Salgado Forster @ 2003-07-15 21:25 UTC (permalink / raw)
  To: netfilter


Hi Ramin,

      Thanks for the response.  I'm using the same rule for logging on the
input and forward  CHAINS ;-) but the behavior of the rule is different
depending on what chain it's in.. for input, by default it shows the MAC
addresses, but for forward, no MAC address is shown.

      For instance:

iptables -A INPUT -j LOG --log-level notice --log-prefix " INPUT BLOCK: "
iptables -A FORWARD -j LOG --log-level info --log-prefix " FORWARD BLOCK: "


Jul 15 17:51:25 fw kernel:  INPUT BLOCK: IN=eth0 OUT=
MAC=00:xx:xx:xx:xx:xx:00:yy:yy:yy:yy:yy:yy:00 SRC=t.t.t.t DST=r.r.r.r
LEN=64 TOS=0x00 PREC=0x00 TTL=128 ID=57828 PROTO=UDP SPT=1756 DPT=53 LEN=44

Jul 15 18:22:31 fw kernel:  FORWARD BLOCK: IN=eth0 OUT=eth1 SRC=x.x.x.x
DST=y.y.y.y LEN=1492 TOS=0x00 PREC=0x00 TTL=253 ID=37603 DF PROTO=ICMP
TYPE=8 CODE=0 ID=0 SEQ=2

Any hints? Thanks

Forster




Ramin Dousti <ramin@cannon.eng.us.uu.net>@lists.netfilter.org on 07/15/2003
05:59:36 PM

Sent by:    netfilter-admin@lists.netfilter.org


To:    aforster@br.ibm.com
cc:    netfilter@lists.netfilter.org
Subject:    Re: logging mac address



On Tue, Jul 15, 2003 at 05:06:04PM -0300, Antonio Paulo Salgado Forster
wrote:

>
>
> Hello all,
>
>       Is there any known way to log the mac address for packets blocked on
> the forward table just like in the input table? I've been searching the
> archives and documentation but found nothing so far.

forward and input are chains and not tables. nat, mangle and filter are
tables. But anyhow, you just use the same rule for logging that you
used for INPUT logging and replace INPUT with FORWARD. You also need
to make sure what and where you're logging so that you don't DoS yourself.

Ramin

>
> Thanks in advance.
>
> Forster
>
>





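The two LOG lines quoted above differ only in whether a MAC= field is present. As an added example (not code from the thread or from netfilter), a small Python parser for iptables LOG lines that splits MAC= into destination MAC, source MAC and ethertype and reports whether a record carries link-layer data; the sample lines are constructed, with invented addresses.

```python
import re

# Constructed sample lines modelled on the two LOG entries in the thread
# (addresses are invented; this is not the original poster's data).
INPUT_LINE = ("Jul 15 17:51:25 fw kernel:  INPUT BLOCK: IN=eth0 OUT= "
              "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
              "SRC=192.0.2.10 DST=192.0.2.1 LEN=64 TOS=0x00 PREC=0x00 "
              "TTL=128 ID=57828 PROTO=UDP SPT=1756 DPT=53 LEN=44")
FORWARD_LINE = ("Jul 15 18:22:31 fw kernel:  FORWARD BLOCK: IN=eth0 OUT=eth1 "
                "SRC=198.51.100.7 DST=203.0.113.9 LEN=1492 TOS=0x00 PREC=0x00 "
                "TTL=253 ID=37603 DF PROTO=ICMP TYPE=8 CODE=0 ID=0 SEQ=2")


def parse_log_line(line):
    """Turn one iptables LOG line into a dict.

    Keys that repeat (LEN and ID appear once for the IP header and once
    for the transport header) become lists; bare flags such as DF are
    collected under 'flags'; the --log-prefix text lands in 'prefix'.
    """
    _, _, body = line.partition("kernel: ")
    # The prefix is everything before the first IN= field.
    m = re.match(r"\s*(.*?):\s+(?=IN=)", body)
    rec = {"prefix": m.group(1).strip() if m else "", "flags": []}
    fields = body[m.end():] if m else body
    for tok in fields.split():
        key, sep, val = tok.partition("=")
        if not sep:                       # e.g. DF has no value
            rec["flags"].append(key)
        elif key in rec:                  # second LEN= / ID=
            prev = rec[key] if isinstance(rec[key], list) else [rec[key]]
            rec[key] = prev + [val]
        else:
            rec[key] = val
    # MAC= is 14 octets: 6 destination, 6 source, 2 ethertype. It is only
    # present where netfilter still has the link-layer header (INPUT,
    # PREROUTING); FORWARD and POSTROUTING records simply lack the field.
    octets = rec.get("MAC", "").split(":")
    if len(octets) == 14:
        rec["dst_mac"] = ":".join(octets[:6])
        rec["src_mac"] = ":".join(octets[6:12])
        rec["ethertype"] = "0x" + "".join(octets[12:])
    return rec


def has_mac(rec):
    """True when the record carries a usable source MAC."""
    return bool(rec.get("src_mac"))
```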

* RE: logging mac address
@ 2003-07-15 20:59 Daniel Chemko
  0 siblings, 0 replies; 7+ messages in thread
From: Daniel Chemko @ 2003-07-15 20:59 UTC (permalink / raw)
  To: Antonio Paulo Salgado Forster, netfilter

I don't recommend it, but I guess it is possible to filter them on the
nat prerouting chain instead if you really must have the MAC address
recorded...

-----Original Message-----
From: Antonio Paulo Salgado Forster [mailto:aforster@br.ibm.com] 
Sent: Tuesday, July 15, 2003 1:06 PM
To: netfilter@lists.netfilter.org
Subject: logging mac address



Hello all,

      Is there any known way to log the mac address for packets blocked on
the forward table just like in the input table? I've been searching the
archives and documentation but found nothing so far.

Thanks in advance.

Forster






* Re: logging mac address
  2003-07-15 20:06 ` logging mac address Antonio Paulo Salgado Forster
@ 2003-07-15 20:59   ` Ramin Dousti
  2003-07-15 21:25     ` Antonio Paulo Salgado Forster
  0 siblings, 1 reply; 7+ messages in thread
From: Ramin Dousti @ 2003-07-15 20:59 UTC (permalink / raw)
  To: Antonio Paulo Salgado Forster; +Cc: netfilter

On Tue, Jul 15, 2003 at 05:06:04PM -0300, Antonio Paulo Salgado Forster wrote:

> 
> 
> Hello all,
> 
>       Is there any known way to log the mac address for packets blocked on
> the forward table just like in the input table? I've been searching the
> archives and documentation but found nothing so far.

forward and input are chains and not tables. nat, mangle and filter are
tables. But anyhow, you just use the same rule for logging that you
used for INPUT logging and replace INPUT with FORWARD. You also need
to make sure what and where you're logging so that you don't DoS yourself.

Ramin

> 
> Thanks in advance.
> 
> Forster
> 
> 



* logging mac address
  2003-07-15 19:44 Round Robin Load Balancing Daniel Chemko
@ 2003-07-15 20:06 ` Antonio Paulo Salgado Forster
  2003-07-15 20:59   ` Ramin Dousti
  0 siblings, 1 reply; 7+ messages in thread
From: Antonio Paulo Salgado Forster @ 2003-07-15 20:06 UTC (permalink / raw)
  To: netfilter



Hello all,

      Is there any known way to log the mac address for packets blocked on
the forward table just like in the input table? I've been searching the
archives and documentation but found nothing so far.

Thanks in advance.

Forster




