* DNAT/SNAT and logging
From: Johan Ankarloo @ 2004-01-19 15:04 UTC (permalink / raw)
To: netfilter
Hi
Does anyone know how to log a DNAT/SNAT connection? When logging a NAT
connection you also want to know the origin source/destination/port of
that packet. Is that possible?
Regards
Johan
* Re: DNAT/SNAT and logging
From: Jeffrey Laramie @ 2004-01-19 15:21 UTC (permalink / raw)
To: netfilter
Johan Ankarloo wrote:
>Hi
>
>Does anyone know how to log a DNAT/SNAT connection? When logging a NAT
>connection you also want to know the origin source/destination/port of
>that packet. Is that possible?
>
Sure. The easiest way to do it is to add a matching log rule just before
the nat rule:
iptables -t nat -A POSTROUTING -o $Net_Interface -j LOG --log-prefix "SNAT: "
iptables -t nat -A POSTROUTING -o $Net_Interface -j SNAT --to $Net_IP
Jeff
* Re: DNAT/SNAT and logging
From: Johan Ankarloo @ 2004-01-19 15:37 UTC (permalink / raw)
To: netfilter
On Mon, 2004-01-19 at 16:21, Jeffrey Laramie wrote:
> Johan Ankarloo wrote:
>
> >Hi
> >
> >Does anyone know how to log a DNAT/SNAT connection? When logging a NAT
> >connection you also want to know the origin source/destination/port of
> >that packet. Is that possible?
>
> Sure. The easiest way to do it is to add a matching log rule just before
> the nat rule:
>
> iptables -t nat -A POSTROUTING -o $Net_Interface -j LOG --log-prefix "SNAT: "
> iptables -t nat -A POSTROUTING -o $Net_Interface -j SNAT --to $Net_IP
>
> Jeff
The problem with doing this is that you don't get the original
source/destination or the translated address. If you look at the logs
you can't see all the information that you need to be able to debug any
problem or to be able to track that connection back to the user.
What I was looking for was a way to have more information in the logs
from that specific connection. The information that needs to be there is:
OriginSource OriginSPort OriginDestination OriginDPort
TranslatedSource TranslatedSPort TranslatedDest TranslatedDPort
Regards
Johan
* Re: DNAT/SNAT and logging
From: Jeffrey Laramie @ 2004-01-19 16:24 UTC (permalink / raw)
To: netfilter
Johan Ankarloo wrote:
>On Mon, 2004-01-19 at 16:21, Jeffrey Laramie wrote:
>
>
>>Johan Ankarloo wrote:
>>
>>>Hi
>>>
>>>Does anyone know how to log a DNAT/SNAT connection? When logging a NAT
>>>connection you also want to know the origin source/destination/port of
>>>that packet. Is that possible?
>>>
>>Sure. The easiest way to do it is to add a matching log rule just before
>>the nat rule:
>>
>>iptables -t nat -A POSTROUTING -o $Net_Interface -j LOG --log-prefix "SNAT: "
>>iptables -t nat -A POSTROUTING -o $Net_Interface -j SNAT --to $Net_IP
>>
>>Jeff
>
>The problem with doing this is that you don't get the original
>source/destination or the translated address. If you look at the logs
>you can't see all the information that you need to be able to debug any
>problem or to be able to track that connection back to the user.
>
I don't use DNAT so I can't tell you how it logs connections, but
logging a SNAT connection works fine. Here are the rules I used:
# Masquerade everything leaving the lan as the firewall IP.
$iptables -t nat -A POSTROUTING -o $Net_Interface -j LOG --log-level debug --log-prefix "SNAT: "
$iptables -t nat -A POSTROUTING -o $Net_Interface -j SNAT --to $Net_IP
And here's the log entry I got:
Jan 19 11:14:21 NS1 kernel: SNAT: IN= OUT=eth1 SRC=192.168.0.4 DST=66.95.2.50 LEN=44 TOS=0x08 PREC=0x00 TTL=63 ID=17955 PROTO=TCP SPT=1030 DPT=80 WINDOW=28672 RES=0x00 SYN URGP=0
192.168.0.4 is the source host on the local private subnet
66.95.2.50 is the IP of the remote host
Sending port is 1030
Dest port is 80
And $Net_IP is the IP the outside will see, which is the IP of the firewall.
The SNATed ports will be the same as the original ones.
Isn't this what you're looking for or did I misunderstand you?
Jeff
* Re: DNAT/SNAT and logging
From: Johan Ankarloo @ 2004-01-19 18:32 UTC (permalink / raw)
To: Jeffrey Laramie; +Cc: netfilter
On Mon, 2004-01-19 at 17:24, Jeffrey Laramie wrote:
> Johan Ankarloo wrote:
>
> >On Mon, 2004-01-19 at 16:21, Jeffrey Laramie wrote:
> >
> >
> >>Johan Ankarloo wrote:
> >>
> >>>Hi
> >>>
> >>>Does anyone know how to log a DNAT/SNAT connection? When logging a NAT
> >>>connection you also want to know the origin source/destination/port of
> >>>that packet. Is that possible?
> >>>
> >>Sure. The easiest way to do it is to add a matching log rule just before
> >>the nat rule:
> >>
> >>iptables -t nat -A POSTROUTING -o $Net_Interface -j LOG --log-prefix "SNAT: "
> >>iptables -t nat -A POSTROUTING -o $Net_Interface -j SNAT --to $Net_IP
> >>
> >>Jeff
> >
> >The problem with doing this is that you don't get the original
> >source/destination or the translated address. If you look at the logs
> >you can't see all the information that you need to be able to debug any
> >problem or to be able to track that connection back to the user.
> >
> I don't use DNAT so I can't tell you how it logs connections, but
> logging a SNAT connection works fine. Here are the rules I used:
>
> # Masquerade everything leaving the lan as the firewall IP.
> $iptables -t nat -A POSTROUTING -o $Net_Interface -j LOG --log-level debug --log-prefix "SNAT: "
> $iptables -t nat -A POSTROUTING -o $Net_Interface -j SNAT --to $Net_IP
>
> And here's the log entry I got:
>
> Jan 19 11:14:21 NS1 kernel: SNAT: IN= OUT=eth1 SRC=192.168.0.4 DST=66.95.2.50 LEN=44 TOS=0x08 PREC=0x00 TTL=63 ID=17955 PROTO=TCP SPT=1030 DPT=80 WINDOW=28672 RES=0x00 SYN URGP=0
>
>
> 192.168.0.4 is the source host on the local private subnet
> 66.95.2.50 is the IP of the remote host
> Sending port is 1030
> Dest port is 80
>
> And $Net_IP is the IP the outside will see, which is the IP of the firewall.
> The SNATed ports will be the same as the original ones.
>
> Isn't this what you're looking for or did I misunderstand you?
>
> Jeff
No, I don't see all the information in your example above. Look at the
following examples taken from the examples at
http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html
---- SNIP ----
## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10
## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
---- SNIP ----
Here you can see that you can do DNAT and SNAT to a range of IP addresses,
so the question may be a bit clearer when I ask the question like this:
How is it possible to log which IP address the connection is translated
to?
That is why I need the following information in the log file.
Original Source
Original SourcePort
Original Destination
Original DestinationPort
Translated Source
Translated SourcePort
Translated Destination
Translated DestinationPort
Regards
Johan
* Re: DNAT/SNAT and logging
From: Jeffrey Laramie @ 2004-01-19 19:17 UTC (permalink / raw)
To: netfilter
Johan Ankarloo wrote:
>On Mon, 2004-01-19 at 17:24, Jeffrey Laramie wrote:
>
>
>>Johan Ankarloo wrote:
>>
>>>On Mon, 2004-01-19 at 16:21, Jeffrey Laramie wrote:
>>>
>>>>Johan Ankarloo wrote:
>>>>
>>>>>Hi
>>>>>
>>>>>Does anyone know how to log a DNAT/SNAT connection? When logging a NAT
>>>>>connection you also want to know the origin source/destination/port of
>>>>>that packet. Is that possible?
>>>>>
>>>>Sure. The easiest way to do it is to add a matching log rule just before
>>>>the nat rule:
>>>>
>>>>iptables -t nat -A POSTROUTING -o $Net_Interface -j LOG --log-prefix "SNAT: "
>>>>iptables -t nat -A POSTROUTING -o $Net_Interface -j SNAT --to $Net_IP
>>>>
>>>>Jeff
>>>>
>>>The problem with doing this is that you don't get the original
>>>source/destination or the translated address. If you look at the logs
>>>you can't see all the information that you need to be able to debug any
>>>problem or to be able to track that connection back to the user.
>>>
>>I don't use DNAT so I can't tell you how it logs connections, but
>>logging a SNAT connection works fine. Here are the rules I used:
>>
>># Masquerade everything leaving the lan as the firewall IP.
>>$iptables -t nat -A POSTROUTING -o $Net_Interface -j LOG --log-level debug --log-prefix "SNAT: "
>>$iptables -t nat -A POSTROUTING -o $Net_Interface -j SNAT --to $Net_IP
>>
>>And here's the log entry I got:
>>
>>Jan 19 11:14:21 NS1 kernel: SNAT: IN= OUT=eth1 SRC=192.168.0.4 DST=66.95.2.50 LEN=44 TOS=0x08 PREC=0x00 TTL=63 ID=17955 PROTO=TCP SPT=1030 DPT=80 WINDOW=28672 RES=0x00 SYN URGP=0
>>
>>
>>192.168.0.4 is the source host on the local private subnet
>>66.95.2.50 is the IP of the remote host
>>Sending port is 1030
>>Dest port is 80
>>
>>And $Net_IP is the IP the outside will see, which is the IP of the firewall.
>>The SNATed ports will be the same as the original ones.
>>
>>Isn't this what you're looking for or did I misunderstand you?
>>
>>Jeff
>
>No, I don't see all the information in your example above. Look at the
>following examples taken from the examples at
>http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html
>
>---- SNIP ----
>## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
># iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10
>
>## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
># iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
>---- SNIP ----
>
>Here you can see that you can do DNAT and SNAT to a range of IP addresses,
>so the question may be a bit clearer when I ask the question like this:
>How is it possible to log which IP address the connection is translated
>to?
>
Ahh, I see what the issue is. You 'know' the translated IP because you
explicitly set it within the NAT rule, not because it's in the log. In
the case of a target range there is no way for a prior logging rule to
tell which of the range addresses will be assigned by the NAT rule. I
think you'll need to use a tool like snort to get that kind of detail.
Maybe someone else knows another way, sorry I couldn't help you.
Jeff
* Re: DNAT/SNAT and logging anyone?
From: Johan Ankarloo @ 2004-01-20 6:41 UTC (permalink / raw)
To: netfilter
Hi all. This is a repost. Thanks to Jeffrey for trying to help me.
I need a way to log SNAT/DNAT packets. In the log I need all the
information about what has happened to the packet. Since the log target
is above the actual mangle line, the log target won't know how the
packet will be mangled. What I need in the log files are:
Original Source
Original SourcePort
Original Destination
Original DestinationPort
Translated Source
Translated SourcePort
Translated Destination
Translated DestinationPort
As an example, take a look at the documentation about nat and look at the
examples below taken from
http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html
---- SNIP ----
## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10
## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
---- SNIP ----
Here you can see that you can do DNAT and SNAT to a range of IP addresses,
so the question may be a bit clearer when I ask the question like this:
How is it possible to log which IP address the connection is translated
to?
Regards
Johan
On Mon, 2004-01-19 at 20:17, Jeffrey Laramie wrote:
> Johan Ankarloo wrote:
>
> >On Mon, 2004-01-19 at 17:24, Jeffrey Laramie wrote:
> >
> >
> >>Johan Ankarloo wrote:
> >>
> >>>On Mon, 2004-01-19 at 16:21, Jeffrey Laramie wrote:
> >>>
> >>>>Johan Ankarloo wrote:
> >>>>
> >>>>>Hi
> >>>>>
> >>>>>Does anyone know how to log a DNAT/SNAT connection? When logging a NAT
> >>>>>connection you also want to know the origin source/destination/port of
> >>>>>that packet. Is that possible?
> >>>>>
> >>>>Sure. The easiest way to do it is to add a matching log rule just before
> >>>>the nat rule:
> >>>>
> >>>>iptables -t nat -A POSTROUTING -o $Net_Interface -j LOG --log-prefix "SNAT: "
> >>>>iptables -t nat -A POSTROUTING -o $Net_Interface -j SNAT --to $Net_IP
> >>>>
> >>>>Jeff
> >>>>
> >>>The problem with doing this is that you don't get the original
> >>>source/destination or the translated address. If you look at the logs
> >>>you can't see all the information that you need to be able to debug any
> >>>problem or to be able to track that connection back to the user.
> >>>
> >>I don't use DNAT so I can't tell you how it logs connections, but
> >>logging a SNAT connection works fine. Here are the rules I used:
> >>
> >># Masquerade everything leaving the lan as the firewall IP.
> >>$iptables -t nat -A POSTROUTING -o $Net_Interface -j LOG --log-level debug --log-prefix "SNAT: "
> >>$iptables -t nat -A POSTROUTING -o $Net_Interface -j SNAT --to $Net_IP
> >>
> >>And here's the log entry I got:
> >>
> >>Jan 19 11:14:21 NS1 kernel: SNAT: IN= OUT=eth1 SRC=192.168.0.4 DST=66.95.2.50 LEN=44 TOS=0x08 PREC=0x00 TTL=63 ID=17955 PROTO=TCP SPT=1030 DPT=80 WINDOW=28672 RES=0x00 SYN URGP=0
> >>
> >>
> >>192.168.0.4 is the source host on the local private subnet
> >>66.95.2.50 is the IP of the remote host
> >>Sending port is 1030
> >>Dest port is 80
> >>
> >>And $Net_IP is the IP the outside will see, which is the IP of the firewall.
> >>The SNATed ports will be the same as the original ones.
> >>
> >>Isn't this what you're looking for or did I misunderstand you?
> >>
> >>Jeff
> >
> >No, I don't see all the information in your example above. Look at the
> >following examples taken from the examples at
> >http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html
> >
> >---- SNIP ----
> >## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
> ># iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10
> >
> >## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
> ># iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
> >---- SNIP ----
> >
> >Here you can see that you can do DNAT and SNAT to a range of IP addresses,
> >so the question may be a bit clearer when I ask the question like this:
> >How is it possible to log which IP address the connection is translated
> >to?
> >
>
> Ahh, I see what the issue is. You 'know' the translated IP because you
> explicitly set it within the NAT rule, not because it's in the log. In
> the case of a target range there is no way for a prior logging rule to
> tell which of the range addresses will be assigned by the NAT rule. I
> think you'll need to use a tool like snort to get that kind of detail.
> Maybe someone else knows another way, sorry I couldn't help you.
>
> Jeff
* Re: DNAT/SNAT and logging anyone?
From: T. Horsnell (tsh) @ 2004-01-20 11:47 UTC (permalink / raw)
To: Johan Ankarloo; +Cc: netfilter
I'm in the same boat. In fact not only do I want to log that
info when the NAT'ing takes place, I would also like to log
when the connection is broken.
The only thing I can think of at the moment, is some process
which continuously monitors /proc/net/ip_conntrack :(
Cheers,
Terry.
>Hi all. This is a repost. Thanks to Jeffrey for trying to help me.
>
>I need a way to log SNAT/DNAT packets. In the log I need all the
>information about what has happened to the packet. Since the log target
>is above the actual mangle line, the log target won't know how the
>packet will be mangled. What I need in the log files are:
>
>Original Source
>Original SourcePort
>Original Destination
>Original DestinationPort
>Translated Source
>Translated SourcePort
>Translated Destination
>Translated DestinationPort
>
>As an example, take a look at the documentation about nat and look at the
>examples below taken from
>http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html
>
>---- SNIP ----
>## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
># iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10
>## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
># iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
>---- SNIP ----
>
>Here you can see that you can do DNAT and SNAT to a range of IP addresses,
>so the question may be a bit clearer when I ask the question like this:
>How is it possible to log which IP address the connection is translated
>to?
>
>Regards
>
>Johan
>
>On Mon, 2004-01-19 at 20:17, Jeffrey Laramie wrote:
>> Johan Ankarloo wrote:
>>
>> >On Mon, 2004-01-19 at 17:24, Jeffrey Laramie wrote:
>> >
>> >
>> >>Johan Ankarloo wrote:
>> >>
>> >>>On Mon, 2004-01-19 at 16:21, Jeffrey Laramie wrote:
>> >>>
>> >>>>Johan Ankarloo wrote:
>> >>>>
>> >>>>>Hi
>> >>>>>
>> >>>>>Does anyone know how to log a DNAT/SNAT connection? When logging a NAT
>> >>>>>connection you also want to know the origin source/destination/port of
>> >>>>>that packet. Is that possible?
>> >>>>>
>> >>>>Sure. The easiest way to do it is to add a matching log rule just before
>> >>>>the nat rule:
>> >>>>
>> >>>>iptables -t nat -A POSTROUTING -o $Net_Interface -j LOG --log-prefix "SNAT: "
>> >>>>iptables -t nat -A POSTROUTING -o $Net_Interface -j SNAT --to $Net_IP
>> >>>>
>> >>>>Jeff
>> >>>>
>> >>>The problem with doing this is that you don't get the original
>> >>>source/destination or the translated address. If you look at the logs
>> >>>you can't see all the information that you need to be able to debug any
>> >>>problem or to be able to track that connection back to the user.
>> >>>
>> >>I don't use DNAT so I can't tell you how it logs connections, but
>> >>logging a SNAT connection works fine. Here are the rules I used:
>> >>
>> >># Masquerade everything leaving the lan as the firewall IP.
>> >>$iptables -t nat -A POSTROUTING -o $Net_Interface -j LOG --log-level debug --log-prefix "SNAT: "
>> >>$iptables -t nat -A POSTROUTING -o $Net_Interface -j SNAT --to $Net_IP
>> >>
>> >>And here's the log entry I got:
>> >>
>> >>Jan 19 11:14:21 NS1 kernel: SNAT: IN= OUT=eth1 SRC=192.168.0.4 DST=66.95.2.50 LEN=44 TOS=0x08 PREC=0x00 TTL=63 ID=17955 PROTO=TCP SPT=1030 DPT=80 WINDOW=28672 RES=0x00 SYN URGP=0
>> >>
>> >>
>> >>192.168.0.4 is the source host on the local private subnet
>> >>66.95.2.50 is the IP of the remote host
>> >>Sending port is 1030
>> >>Dest port is 80
>> >>
>> >>And $Net_IP is the IP the outside will see, which is the IP of the firewall.
>> >>The SNATed ports will be the same as the original ones.
>> >>
>> >>Isn't this what you're looking for or did I misunderstand you?
>> >>
>> >>Jeff
>> >
>> >No, I don't see all the information in your example above. Look at the
>> >following examples taken from the examples at
>> >http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html
>> >
>> >---- SNIP ----
>> >## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
>> ># iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10
>> >
>> >## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
>> ># iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
>> >---- SNIP ----
>> >
>> >Here you can see that you can do DNAT and SNAT to a range of IP addresses,
>> >so the question may be a bit clearer when I ask the question like this:
>> >How is it possible to log which IP address the connection is translated
>> >to?
>> >
>>
>> Ahh, I see what the issue is. You 'know' the translated IP because you
>> explicitly set it within the NAT rule, not because it's in the log. In
>> the case of a target range there is no way for a prior logging rule to
>> tell which of the range addresses will be assigned by the NAT rule. I
>> think you'll need to use a tool like snort to get that kind of detail.
>> Maybe someone else knows another way, sorry I couldn't help you.
>>
>> Jeff
>
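Terry's idea of reading /proc/net/ip_conntrack, put together with the LOG line Jeffrey posted earlier, is enough to reconstruct all eight fields Johan lists, because a conntrack entry stores two tuples: the original direction as the first packet arrived, and the reply direction as the remote peer will send it back, which already reflects any SNAT or DNAT that was applied. The Python below is an added example written for this page, not code from anyone in the thread: it parses the kernel LOG message (which can only ever carry the pre-translation tuple), parses ip_conntrack entries, derives the translated addresses from the reply tuple, and joins the two on the original 4-tuple. Jeffrey's log line is reused as sample input; the conntrack lines are constructed to match the HOWTO's SNAT and DNAT range examples, and the assumed entry layout (two src/dst/sport/dport groups per line, protocol name in the first column) is that of the 2.4/2.6 ip_conntrack file.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the LOG line Jeffrey posted.  A LOG rule that sits before the
# SNAT rule sees the packet *before* translation, so only the original tuple
# (SRC/SPT/DST/DPT) is in the message.
SAMPLE_LOG_LINES = [
    "Jan 19 11:14:21 NS1 kernel: SNAT: IN= OUT=eth1 SRC=192.168.0.4 "
    "DST=66.95.2.50 LEN=44 TOS=0x08 PREC=0x00 TTL=63 ID=17955 PROTO=TCP "
    "SPT=1030 DPT=80 WINDOW=28672 RES=0x00 SYN URGP=0",
]

# Constructed sample in the /proc/net/ip_conntrack layout (assumed 2.4/2.6
# format).  Each entry holds the ORIGINAL tuple as the first packet arrived,
# then the REPLY tuple as the peer sends it back, i.e. post-NAT addresses.
SAMPLE_CONNTRACK = [
    # SNAT: 192.168.0.4 became 1.2.3.5 (one address of the HOWTO's 1.2.3.4-1.2.3.6)
    "tcp      6 431999 ESTABLISHED src=192.168.0.4 dst=66.95.2.50 sport=1030 "
    "dport=80 src=66.95.2.50 dst=1.2.3.5 sport=80 dport=1030 [ASSURED] use=1",
    # DNAT: 203.0.113.7 became 5.6.7.9 (one address of the HOWTO's 5.6.7.8-5.6.7.10)
    "tcp      6 117 SYN_SENT src=10.0.0.9 dst=203.0.113.7 sport=40000 dport=22 "
    "[UNREPLIED] src=5.6.7.9 dst=10.0.0.9 sport=22 dport=40000 use=1",
    # No NAT: the reply tuple is just the mirror image of the original.
    "udp      17 29 src=192.168.0.10 dst=192.168.0.1 sport=5353 dport=53 "
    "src=192.168.0.1 dst=192.168.0.10 sport=53 dport=5353 use=1",
]

KV_RE = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE tokens; VALUE may be empty (IN=)

@dataclass(frozen=True)
class Tuple4:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class ConntrackEntry:
    proto: str
    orig: Tuple4   # direction of the first packet, pre-NAT addresses
    reply: Tuple4  # what the peer sends back, i.e. post-NAT addresses

def parse_log_line(line: str) -> Dict[str, str]:
    """Split an iptables LOG kernel message into its KEY=VALUE fields and
    recover the --log-prefix text, which sits between 'kernel: ' and 'IN='."""
    fields = dict(KV_RE.findall(line))
    m = re.search(r"kernel: (.*?)IN=", line)
    fields["PREFIX"] = m.group(1).strip() if m else ""
    return fields

def parse_conntrack_line(line: str) -> Optional[ConntrackEntry]:
    """Parse one ip_conntrack entry.  Returns None when the entry does not
    carry two port tuples (ICMP uses type/code/id instead of ports)."""
    vals: Dict[str, List[str]] = {}
    for key, val in KV_RE.findall(line):
        vals.setdefault(key, []).append(val)
    try:
        orig = Tuple4(vals["src"][0], int(vals["sport"][0]),
                      vals["dst"][0], int(vals["dport"][0]))
        reply = Tuple4(vals["src"][1], int(vals["sport"][1]),
                       vals["dst"][1], int(vals["dport"][1]))
    except (KeyError, IndexError, ValueError):
        return None
    return ConntrackEntry(line.split()[0], orig, reply)

def nat_record(entry: ConntrackEntry) -> Dict[str, object]:
    """Produce the eight fields Johan asks for.  The reply tuple is addressed
    to the translated source (SNAT) and comes from the translated destination
    (DNAT), so mirroring it yields the post-NAT view of the original flow."""
    o, r = entry.orig, entry.reply
    return {
        "OriginalSource": o.src, "OriginalSourcePort": o.sport,
        "OriginalDestination": o.dst, "OriginalDestinationPort": o.dport,
        "TranslatedSource": r.dst, "TranslatedSourcePort": r.dport,
        "TranslatedDestination": r.src, "TranslatedDestinationPort": r.sport,
        "SNAT": (o.src, o.sport) != (r.dst, r.dport),
        "DNAT": (o.dst, o.dport) != (r.src, r.sport),
    }

def correlate(log_lines: List[str], conntrack_lines: List[str]) -> List[Dict[str, object]]:
    """Join each LOG message to the conntrack entry with the same original
    4-tuple and attach the translated addresses the LOG line cannot show."""
    table: Dict[tuple, ConntrackEntry] = {}
    for ln in conntrack_lines:
        e = parse_conntrack_line(ln)
        if e is not None:
            table[(e.proto, e.orig)] = e
    out: List[Dict[str, object]] = []
    for ln in log_lines:
        f = parse_log_line(ln)
        rec: Dict[str, object] = {"prefix": f["PREFIX"], "out": f.get("OUT", ""), "matched": False}
        if all(k in f for k in ("PROTO", "SRC", "SPT", "DST", "DPT")):
            key = (f["PROTO"].lower(), Tuple4(f["SRC"], int(f["SPT"]), f["DST"], int(f["DPT"])))
            e = table.get(key)
            if e is not None:
                rec["matched"] = True
                rec.update(nat_record(e))
        out.append(rec)
    return out
```

Running `correlate(SAMPLE_LOG_LINES, SAMPLE_CONNTRACK)` attaches TranslatedSource 1.2.3.5 to Jeffrey's log line, which the LOG rule itself could never print. The weakness is the one Terry's ":(" hints at: /proc/net/ip_conntrack is a snapshot polled from user space, so an entry can time out or be reused between the LOG message and the lookup, and for forensic purposes a record that depends on that window is not dependable. That is why logging from inside conntrack, once the NAT mapping has been entered into the session, is the robust fix.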
* Re: DNAT/SNAT and logging anyone?
From: Johan Ankarloo @ 2004-01-20 13:05 UTC (permalink / raw)
To: netfilter
The question then is if this is something that is missing in iptables or
that we just haven't found a way to do this kind of logging. Maybe I
should send this to the development list instead.
Is there anyone else who knows if this is possible to do?
Johan
On Tue, 2004-01-20 at 12:47, T. Horsnell (tsh) wrote:
> I'm in the same boat. In fact not only do I want to log that
> info when the NAT'ing takes place, I would also like to log
> when the connection is broken.
>
> The only thing I can think of at the moment, is some process
> which continuously monitors /proc/net/ip_conntrack :(
>
> Cheers,
> Terry.
>
> >Hi all. This is a repost. Thanks to Jeffrey for trying to help me.
> >
> >I need a way to log SNAT/DNAT packets. In the log I need all the
> >information about what has happened to the packet. Since the log target
> >is above the actual mangle line, the log target won't know how the
> >packet will be mangled. What I need in the log files are:
> >
> >Original Source
> >Original SourcePort
> >Original Destination
> >Original DestinationPort
> >Translated Source
> >Translated SourcePort
> >Translated Destination
> >Translated DestinationPort
> >
> >As an example, take a look at the documentation about nat and look at the
> >examples below taken from
> >http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html
> >
> >---- SNIP ----
> >## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
> ># iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10
> >## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
> ># iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
> >---- SNIP ----
> >
> >Here you can see that you can do DNAT and SNAT to a range of IP addresses,
> >so the question may be a bit clearer when I ask the question like this:
> >How is it possible to log which IP address the connection is translated
> >to?
> >
> >Regards
> >
> >Johan
> >
> >On Mon, 2004-01-19 at 20:17, Jeffrey Laramie wrote:
> >> Johan Ankarloo wrote:
> >>
> >> >On Mon, 2004-01-19 at 17:24, Jeffrey Laramie wrote:
> >> >
> >> >
> >> >>Johan Ankarloo wrote:
> >> >>
> >> >>>On Mon, 2004-01-19 at 16:21, Jeffrey Laramie wrote:
> >> >>>
> >> >>>>Johan Ankarloo wrote:
> >> >>>>
> >> >>>>>Hi
> >> >>>>>
> >> >>>>>Does anyone know how to log a DNAT/SNAT connection? When logging a NAT
> >> >>>>>connection you also want to know the origin source/destination/port of
> >> >>>>>that packet. Is that possible?
> >> >>>>>
> >> >>>>Sure. The easiest way to do it is to add a matching log rule just before
> >> >>>>the nat rule:
> >> >>>>
> >> >>>>iptables -t nat -A POSTROUTING -o $Net_Interface -j LOG --log-prefix "SNAT: "
> >> >>>>iptables -t nat -A POSTROUTING -o $Net_Interface -j SNAT --to $Net_IP
> >> >>>>
> >> >>>>Jeff
> >> >>>>
> >> >>>The problem with doing this is that you don't get the original
> >> >>>source/destination or the translated address. If you look at the logs
> >> >>>you can't see all the information that you need to be able to debug any
> >> >>>problem or to be able to track that connection back to the user.
> >> >>>
> >> >>I don't use DNAT so I can't tell you how it logs connections, but
> >> >>logging a SNAT connection works fine. Here are the rules I used:
> >> >>
> >> >># Masquerade everything leaving the lan as the firewall IP.
> >> >>$iptables -t nat -A POSTROUTING -o $Net_Interface -j LOG --log-level debug --log-prefix "SNAT: "
> >> >>$iptables -t nat -A POSTROUTING -o $Net_Interface -j SNAT --to $Net_IP
> >> >>
> >> >>And here's the log entry I got:
> >> >>
> >> >>Jan 19 11:14:21 NS1 kernel: SNAT: IN= OUT=eth1 SRC=192.168.0.4 DST=66.95.2.50 LEN=44 TOS=0x08 PREC=0x00 TTL=63 ID=17955 PROTO=TCP SPT=1030 DPT=80 WINDOW=28672 RES=0x00 SYN URGP=0
> >> >>
> >> >>
> >> >>192.168.0.4 is the source host on the local private subnet
> >> >>66.95.2.50 is the IP of the remote host
> >> >>Sending port is 1030
> >> >>Dest port is 80
> >> >>
> >> >>And $Net_IP is the IP the outside will see, which is the IP of the firewall.
> >> >>The SNATed ports will be the same as the original ones.
> >> >>
> >> >>Isn't this what you're looking for or did I misunderstand you?
> >> >>
> >> >>Jeff
> >> >
> >> >No, I don't see all the information in your example above. Look at the
> >> >following examples taken from the examples at
> >> >http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html
> >> >
> >> >---- SNIP ----
> >> >## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
> >> ># iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10
> >> >
> >> >## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
> >> ># iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
> >> >---- SNIP ----
> >> >
> >> >Here you can see that you can do DNAT and SNAT to a range of IP addresses,
> >> >so the question may be a bit clearer when I ask the question like this:
> >> >How is it possible to log which IP address the connection is translated
> >> >to?
> >> >
> >>
> >> Ahh, I see what the issue is. You 'know' the translated IP because you
> >> explicitly set it within the NAT rule, not because it's in the log. In
> >> the case of a target range there is no way for a prior logging rule to
> >> tell which of the range addresses will be assigned by the NAT rule. I
> >> think you'll need to use a tool like snort to get that kind of detail.
> >> Maybe someone else knows another way, sorry I couldn't help you.
> >>
> >> Jeff
> >
--
Best regards
Johan Ankarloo
Volvo IT
Network & Security Engineer
Tel: +46 31 32 70949
====================================================================
This message may contain confidential and/or proprietary information,
and is intended only for the person/entity to whom it was originally
addressed. The content of this message may contain private views and
opinions which do not constitute a formal disclosure or commitment
unless specifically stated.
* Re: DNAT/SNAT and logging
From: Johan Ankarloo @ 2004-01-22 11:12 UTC (permalink / raw)
To: Henrik Nordstrom; +Cc: netfilter-devel
So then you agree that this is a problem that has to be fixed one way or
another?
I don't want to be a pain in the butt here but this is a really big
problem for me. When I have a problem with NAT or mangle (either I
haven't understood iptables correctly or there could be a bug) I can't
really tell what has happened with the packet. Or if I get a court order
to get the person accessing some specific machine at a specific time I
can't rely on the log since all the necessary information about that
connection isn't in the logs.
Regards
Johan
On Thu, 2004-01-22 at 11:25, Henrik Nordstrom wrote:
> On Thu, 22 Jan 2004, Johan Ankarloo wrote:
>
> > Do you understand why this is important?
>
> Yes. The existing LOG target is a mess if NAT is used.
>
> Regards
> Henrik
* Re: DNAT/SNAT and logging
From: Henrik Nordstrom @ 2004-01-22 10:25 UTC (permalink / raw)
To: Johan Ankarloo; +Cc: netfilter-devel
On Thu, 22 Jan 2004, Johan Ankarloo wrote:
> Do you understand why this is important?
Yes. The existing LOG target is a mess if NAT is used.
Regards
Henrik
* Re: DNAT/SNAT and logging
From: Johan Ankarloo @ 2004-01-22 6:52 UTC (permalink / raw)
To: Henrik Nordstrom; +Cc: netfilter-devel
Ok, I will try to look into that and see what I can find. I still think
that the packet should be logged from the SNAT/DNAT module in some way,
since that is the module that is doing the mangling (with this I mean
that the module changes the packet in some way) and already has all the
information about what has been done to the packet.
The next question then is:
Do you understand why this is important?
On Wed, 2004-01-21 at 21:16, Henrik Nordstrom wrote:
> On Wed, 21 Jan 2004, Johan Ankarloo wrote:
>
> > So you don't think that this is a lot of work just to get the logging to
> > work correctly? I mean that this is something that (in my opinion)
> > should be done out of the box so to say.
>
> It is some work, but not very much.
>
> > How should this be done through /dev/net/ip_conntrack?
>
> When I say conntrack I mean in the kernel, not the proc files. By writing
> another LOG target using the information from conntrack rather than the
> packet you can log the information you requested.
>
> See the LOG target and the conntrack match for details, also read the NAT
> & Conntrack sections of the hacking howto.
>
> The most tricky part is when to log the first packet of the session. This
> has to be done after all information has been entered into the session,
> i.e. after any SNAT targets have been applied.
>
> Another approach is to look into using ctnetlink for detailed session
> logging. This is something we are currently implementing.
>
> Regards
> Henrik
* Re: DNAT/SNAT and logging
From: Henrik Nordstrom @ 2004-01-21 20:16 UTC (permalink / raw)
To: Johan Ankarloo; +Cc: netfilter-devel
On Wed, 21 Jan 2004, Johan Ankarloo wrote:
> So you don't think that this is a lot of work just to get the logging to
> work correctly? I mean that this is something that ( in my opinion )
> should be done out of the box so to say.
It is some work, but not very much.
> How should this be done through /dev/net/ip_conntrack?
When I say conntrack I mean in the kernel, not the proc files. By writing
another LOG target using the information from conntrack rather than the
packet you can log the information you requested.
See the LOG target and the conntrack match for details; also read the NAT
& Conntrack sections of the hacking howto.
The most tricky part is when to log the first packet of the session. This
has to be done after all information has been entered into the session,
i.e. after any SNAT targets have been applied.
Another approach is to look into using ctnetlink for detailed session
logging. This is something we are currently implementing.
Regards
Henrik
* Re: DNAT/SNAT and logging
2004-01-21 12:05 ` Henrik Nordstrom
@ 2004-01-21 18:48 ` Johan Ankarloo
2004-01-21 20:16 ` Henrik Nordstrom
0 siblings, 1 reply; 18+ messages in thread
From: Johan Ankarloo @ 2004-01-21 18:48 UTC (permalink / raw)
To: Henrik Nordstrom; +Cc: netfilter-devel
So you don't think that this is a lot of work just to get the logging to
work correctly? I mean that this is something that (in my opinion)
should be done out of the box, so to speak.
How should this be done through /dev/net/ip_conntrack? Do you have any
examples?
//Johan
On Wed, 2004-01-21 at 13:05, Henrik Nordstrom wrote:
> On Wed, 21 Jan 2004, Johan Ankarloo wrote:
>
> > I'm not sure I agree. The problem here is that the logging is done
> > separate from the modules that mangle the packets.
>
> Yes, and so are the NAT rules.
>
> > The right way ( for me ) would be to have the mangle modules send the
> > logging information to the logging module. In this way the mangle
> > modules could say what has been altered in the packet.
>
> If you log the addressing information from conntrack then this is exactly
> what is done.
>
> Regards
> Henrik
--
Mvh
Johan Ankarloo
Volvo IT
Network & Security Engineer
Tel: +46 31 32 70949
* Re: DNAT/SNAT and logging
2004-01-21 9:33 ` Johan Ankarloo
@ 2004-01-21 12:05 ` Henrik Nordstrom
2004-01-21 18:48 ` Johan Ankarloo
0 siblings, 1 reply; 18+ messages in thread
From: Henrik Nordstrom @ 2004-01-21 12:05 UTC (permalink / raw)
To: Johan Ankarloo; +Cc: netfilter-devel
On Wed, 21 Jan 2004, Johan Ankarloo wrote:
> I'm not sure I agree. The problem here is that the logging is done
> separate from the modules that mangle the packets.
Yes, and so are the NAT rules.
> The right way ( for me ) would be to have the mangle modules send the
> logging information to the logging module. In this way the mangle
> modules could say what has been altered in the packet.
If you log the addressing information from conntrack then this is exactly
what is done.
Regards
Henrik
* Re: DNAT/SNAT and logging
2004-01-21 9:21 ` Henrik Nordstrom
@ 2004-01-21 9:33 ` Johan Ankarloo
2004-01-21 12:05 ` Henrik Nordstrom
0 siblings, 1 reply; 18+ messages in thread
From: Johan Ankarloo @ 2004-01-21 9:33 UTC (permalink / raw)
To: netfilter-devel
I'm not sure I agree. The problem here is that the logging is done
separate from the modules that mangle the packets. The right way (for
me) would be to have the mangle modules send the logging information to
the logging module. In this way the mangle modules could say what has
been altered in the packet.
This information has to be included so that it is possible to trace the
packet back. Think of a large company that does a lot of NAT for big
networks. How is it possible for the IT staff to see what has happened?
Other brands (read Checkpoint, Cisco ...) include this
information.
Regards
Johan
On Wed, 2004-01-21 at 10:21, Henrik Nordstrom wrote:
> On Tue, 20 Jan 2004, Johan Ankarloo wrote:
>
> > is above the actual mangle line, the log target won't know how the
> > packet will be mangled. What I need in the log files is something like:
> >
> > Original Source
> > Original SourcePort
> > Original Destination
> > Original DestinationPort
> > Translated Source
> > Translated SourcePort
> > Translated Destination
> > Translated DestinationPort
>
> Then you need another LOG type target which logs the conntrack information
> rather than the packet information, and on NEW packets you need to have
> this logged after the SNAT rule has been applied.
>
> Maybe ctnetlink can help.
>
> Regards
> Henrik
* Re: DNAT/SNAT and logging
2004-01-20 19:15 DNAT/SNAT and logging Johan Ankarloo
@ 2004-01-21 9:21 ` Henrik Nordstrom
2004-01-21 9:33 ` Johan Ankarloo
0 siblings, 1 reply; 18+ messages in thread
From: Henrik Nordstrom @ 2004-01-21 9:21 UTC (permalink / raw)
To: Johan Ankarloo; +Cc: netfilter-devel
On Tue, 20 Jan 2004, Johan Ankarloo wrote:
> is above the actual mangle line, the log target won't know how the
> packet will be mangled. What I need in the log files is something like:
>
> Original Source
> Original SourcePort
> Original Destination
> Original DestinationPort
> Translated Source
> Translated SourcePort
> Translated Destination
> Translated DestinationPort
Then you need another LOG type target which logs the conntrack information
rather than the packet information, and on NEW packets you need to have
this logged after the SNAT rule has been applied.
Maybe ctnetlink can help.
Regards
Henrik
* DNAT/SNAT and logging
@ 2004-01-20 19:15 Johan Ankarloo
2004-01-21 9:21 ` Henrik Nordstrom
0 siblings, 1 reply; 18+ messages in thread
From: Johan Ankarloo @ 2004-01-20 19:15 UTC (permalink / raw)
To: netfilter-devel
Hi all. This is a repost. I first tried the
netfilter@lists.netfilter.org list with no luck. Maybe someone here can
help me with an answer to this question?
I need a way to log SNAT/DNAT packets. In the log I need all the
information about what has happened to the packet. Since the log target
is above the actual mangle line, the log target won't know how the
packet will be mangled. What I need in the log files is something like:
Original Source
Original SourcePort
Original Destination
Original DestinationPort
Translated Source
Translated SourcePort
Translated Destination
Translated DestinationPort
As an example, take a look at the documentation about NAT and look at the
examples below, taken from
http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html
---- SNIP ----
## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10
## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
---- SNIP ----
Here you can see that you can do DNAT and SNAT to a range of IP addresses,
so the question may be a bit clearer when I ask it like this:
How is it possible to log which IP address the connection is translated
to? The logs should contain all the information that is needed to
tell what has happened to a packet.
Regards
Johan
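To show how the eight "Original"/"Translated" fields listed above can be derived from conntrack's original and reply tuples, which is the approach Henrik suggests in his replies, here is an added example that is not code from the thread. It parses constructed entries in the /proc/net/ip_conntrack layout (and the later nf_conntrack variant), reusing the address ranges from the HOWTO excerpt.

```python
# Added example, not code from the thread: build the Original/Translated record
# Johan asks for from a conntrack entry instead of from the packet a LOG rule sees.
# For a packet in the original direction, post-NAT addressing is the reply tuple mirrored.
import re

_KV = re.compile(r"\b(src|dst|sport|dport)=(\S+)")

def parse_conntrack_line(line):
    """Return (proto, original_tuple, reply_tuple); each tuple is a dict."""
    fields = line.split()
    proto = fields[2] if fields[0] == "ipv4" else fields[0]  # nf_conntrack vs ip_conntrack
    tuples, cur = [], {}
    for key, val in _KV.findall(line):
        if key in cur:  # a second src= begins the reply tuple
            tuples.append(cur)
            cur = {}
        cur[key] = val
    tuples.append(cur)
    if len(tuples) != 2 or any(len(t) != 4 for t in tuples):  # e.g. ICMP has no ports
        raise ValueError("need original and reply tuples with ports: %r" % line)
    return proto, tuples[0], tuples[1]

def nat_log_record(line):
    """Translated src/sport = reply dst/dport; translated dst/dport = reply src/sport."""
    proto, o, r = parse_conntrack_line(line)
    rec = {"proto": proto,
           "orig_src": o["src"], "orig_sport": int(o["sport"]), "orig_dst": o["dst"],
           "orig_dport": int(o["dport"]), "xlat_src": r["dst"], "xlat_sport": int(r["dport"]),
           "xlat_dst": r["src"], "xlat_dport": int(r["sport"])}
    rec["snat"] = (rec["xlat_src"], rec["xlat_sport"]) != (rec["orig_src"], rec["orig_sport"])
    rec["dnat"] = (rec["xlat_dst"], rec["xlat_dport"]) != (rec["orig_dst"], rec["orig_dport"])
    return rec

def format_record(rec):
    """One syslog-style line, in the spirit of the 'SNAT: ' log prefix."""
    kind = "+".join(k for k in ("SNAT", "DNAT") if rec[k.lower()]) or "NONAT"
    return "%s %s %s:%d->%s:%d => %s:%d->%s:%d" % (
        kind, rec["proto"], rec["orig_src"], rec["orig_sport"], rec["orig_dst"],
        rec["orig_dport"], rec["xlat_src"], rec["xlat_sport"], rec["xlat_dst"], rec["xlat_dport"])

SAMPLE_ENTRIES = [  # constructed: SNAT to 1.2.3.5, DNAT to 5.6.7.9, and a flow with no NAT
    "tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.20 sport=34567 dport=80 "
    "src=198.51.100.20 dst=1.2.3.5 sport=80 dport=34567 [ASSURED] use=1",
    "tcp      6 117 SYN_SENT src=203.0.113.7 dst=1.2.3.4 sport=51000 dport=443 "
    "[UNREPLIED] src=5.6.7.9 dst=203.0.113.7 sport=443 dport=51000 use=1",
    "udp      17 29 src=192.168.1.11 dst=192.168.2.53 sport=40000 dport=53 "
    "src=192.168.2.53 dst=192.168.1.11 sport=53 dport=40000 use=1",
]
```

Running `format_record(nat_log_record(line))` over each sample yields one line per session carrying both the pre-NAT and post-NAT 4-tuples; the same derivation applies to ctnetlink events, which expose the same two tuples.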
Thread overview: 18+ messages
2004-01-19 15:04 DNAT/SNAT and logging Johan Ankarloo
2004-01-19 15:21 ` Jeffrey Laramie
2004-01-19 15:37 ` Johan Ankarloo
2004-01-19 16:24 ` Jeffrey Laramie
2004-01-19 18:32 ` Johan Ankarloo
2004-01-19 19:17 ` Jeffrey Laramie
2004-01-20 6:41 ` DNAT/SNAT and logging anyone? Johan Ankarloo
2004-01-20 11:47 ` T. Horsnell (tsh)
2004-01-20 13:05 ` Johan Ankarloo
2004-01-20 19:15 DNAT/SNAT and logging Johan Ankarloo
2004-01-21 9:21 ` Henrik Nordstrom
2004-01-21 9:33 ` Johan Ankarloo
2004-01-21 12:05 ` Henrik Nordstrom
2004-01-21 18:48 ` Johan Ankarloo
2004-01-21 20:16 ` Henrik Nordstrom
2004-01-22 6:52 ` Johan Ankarloo
2004-01-22 10:25 ` Henrik Nordstrom
2004-01-22 11:12 ` Johan Ankarloo