* DNAT/SNAT and logging
From: Johan Ankarloo @ 2004-01-19 15:04 UTC (permalink / raw)
  To: netfilter

Hi

Does anyone know how to log a DNAT/SNAT connection? When logging a NAT
connection you also want to know the origin source/destination/port of
that packet. Is that possible?

Regards

Johan





* Re: DNAT/SNAT and logging
From: Jeffrey Laramie @ 2004-01-19 15:21 UTC (permalink / raw)
  To: netfilter

Johan Ankarloo wrote:

>Hi
>
>Does anyone know how to log a DNAT/SNAT connection? When logging a NAT
>connection you also want to know the origin source/destination/port of
>that packet. Is that possible?

Sure. The easiest way to do it is to add a matching log rule just before 
the nat rule:

iptables -t nat -A POSTROUTING -o $Net_Interface -j LOG --log-prefix "SNAT: "
iptables -t nat -A POSTROUTING -o $Net_Interface -j SNAT --to $Net_IP

Jeff




* Re: DNAT/SNAT and logging
From: Johan Ankarloo @ 2004-01-19 15:37 UTC (permalink / raw)
  To: netfilter

On Mon, 2004-01-19 at 16:21, Jeffrey Laramie wrote:
> Johan Ankarloo wrote:
> 
> >Hi
> >
> >Does anyone know how to log a DNAT/SNAT connection? When logging a NAT
> >connection you also want to know the origin source/destination/port of
> >that packet. Is that possible?
> 
> Sure. The easiest way to do it is to add a matching log rule just before 
> the nat rule:
> 
> iptables -t nat -A POSTROUTING -o $Net_Interface -j LOG --log-prefix "SNAT: "
> iptables -t nat -A POSTROUTING -o $Net_Interface -j SNAT --to $Net_IP
> 
> Jeff

The problem when doing this is that you don't get the original
source/destination or the translating address. If you look at the logs
you can't see all the information that you need to be able to debug any
problem or to be able to track that connection back to the user.

What I was looking for was a way to have more information in the logs
from that specific connection. The information that needs to be there is:

OriginSource OriginSPort OriginDestination OriginDPort
TranslatedSource TranslatedSPORT TranslatedDest TranslatedDPort

Regards

Johan




* Re: DNAT/SNAT and logging
From: Jeffrey Laramie @ 2004-01-19 16:24 UTC (permalink / raw)
  To: netfilter

Johan Ankarloo wrote:

>The problem is when doing this is that you doesn't get the original 
>source/destination or the translating adress. If you look at the logs
>you can't see all the information that you need to be able to debug any
>problem or to be able to track that connection back to the user.
I don't use DNAT so I can't tell you how it logs connections, but
logging a SNAT connection works fine. Here are the rules I used:

# Masquerade everything leaving the lan as the firewall IP.
$iptables -t nat -A POSTROUTING -o $Net_Interface -j LOG --log-level debug --log-prefix "SNAT: "
$iptables -t nat -A POSTROUTING -o $Net_Interface -j SNAT --to $Net_IP

And here's the log entry I got:

Jan 19 11:14:21 NS1 kernel: SNAT: IN= OUT=eth1 SRC=192.168.0.4 
DST=66.95.2.50 LEN=44 TOS=0x08 PREC=0x00 TTL=63 ID=17955 PROTO=TCP 
SPT=1030 DPT=80 WINDOW=28672 RES=0x00 SYN URGP=0


192.168.0.4 is the source host on the local private subnet
66.95.2.50 is the IP of the remote host
Sending port is 1030
Dest port is 80

And $Net_IP is the IP the outside will see, which is the IP of the firewall.
The SNATed ports will be the same as the original ones.

Isn't this what you're looking for or did I misunderstand you?

Jeff





* Re: DNAT/SNAT and logging
From: Johan Ankarloo @ 2004-01-19 18:32 UTC (permalink / raw)
  To: Jeffrey Laramie; +Cc: netfilter

On Mon, 2004-01-19 at 17:24, Jeffrey Laramie wrote:
> I don't use DNAT so I can't tell you how it logs connections, but 
> logging a SNAT connection works fine. Here's the rules I used:
> 
> # Masquerade everything leaving the lan as the firewall IP.
> $iptables -t nat -A POSTROUTING -o $Net_Interface -j LOG --log-level debug --log-prefix "SNAT: "
> $iptables -t nat -A POSTROUTING -o $Net_Interface -j SNAT --to $Net_IP
> 
> And here's the log entry I got:
> 
> Jan 19 11:14:21 NS1 kernel: SNAT: IN= OUT=eth1 SRC=192.168.0.4 
> DST=66.95.2.50 LEN=44 TOS=0x08 PREC=0x00 TTL=63 ID=17955 PROTO=TCP 
> SPT=1030 DPT=80 WINDOW=28672 RES=0x00 SYN URGP=0
> 
> 
> 192.168.0.4 is the source host on the local private subnet
> 66.95.2.50 is the IP of the remote host
> Sending port is 1030
> Dest port is 80
> 
> And $Net_IP is IP the outside will see which is the IP of the firewall. 
> The SNATed ports will be the same as the original ones.
> 
> Isn't this what you're looking for or did I misunderstand you?
> 
> Jeff

No, I don't see all the information in your example above. Look at the
following examples taken from the examples at
http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html

---- SNIP ----
## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10

## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
---- SNIP ----

Here you can see that you can do DNAT and SNAT to a range of IP addresses,
so the question may be a bit clearer when I ask it like this:
How is it possible to log which IP address the connection is translated to?
That is why I need the following information in the log file.
Original Source 
Original SourcePort 
Original Destination 
Original DestinationPort
Translated Source 
Translated SourcePort 
Translated Destination 
Translated DestinationPort

Regards

Johan




* Re: DNAT/SNAT and logging
From: Jeffrey Laramie @ 2004-01-19 19:17 UTC (permalink / raw)
  To: netfilter

Johan Ankarloo wrote:

>No, i don't see all the information in your example above. Look at the 
>following examples taken from the examples at
>http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html
>
>---- SNIP ----
>## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
># iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10
>
>## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
># iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
>---- SNIP ----
>
>Here you can se that you can do DNAT and SNAT to an range of ipadresse
>so the question may be a bit clearer when i ask the question like this. 
>How is it possible to log to wich ipadress the connection is translated
>to?

Ahh, I see what the issue is. You 'know' the translated IP because you 
explicitly set it within the NAT rule, not because it's in the log. In 
the case of a target range there is no way for a prior logging rule to 
tell which of the range addresses will be assigned by the NAT rule. I 
think you'll need to use a tool like snort to get that kind of detail. 
Maybe someone else knows another way, sorry I couldn't help you.

Jeff





* Re: DNAT/SNAT and logging anyone?
From: Johan Ankarloo @ 2004-01-20  6:41 UTC (permalink / raw)
  To: netfilter

Hi all. This is a repost. Thanks to Jeffrey for trying to help me.

I need a way to log SNAT/DNAT packets. In the log I need all the
information about what has happened to the packet. Since the log target
is above the actual mangle line, the log target won't know how the
packet will be mangled. What I need in the log files is:

Original Source 
Original SourcePort 
Original Destination 
Original DestinationPort
Translated Source 
Translated SourcePort 
Translated Destination 
Translated DestinationPort

As an example, take a look at the documentation about NAT and look at the
examples below taken from
http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html

---- SNIP ----
## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10
## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
---- SNIP ----

Here you can see that you can do DNAT and SNAT to a range of IP addresses,
so the question may be a bit clearer when I ask it like this:
How is it possible to log which IP address the connection is translated to?

Regards

Johan






* Re: DNAT/SNAT and logging anyone?
From: T. Horsnell (tsh) @ 2004-01-20 11:47 UTC (permalink / raw)
  To: Johan Ankarloo; +Cc: netfilter

I'm in the same boat. In fact not only do I want to log that
info when the NAT'ing takes place, I would also like to log
when the connection is broken.

The only thing I can think of at the moment, is some process
which continuously monitors /proc/net/ip_conntrack :(

Cheers,
Terry.







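Terry's idea of a process that watches /proc/net/ip_conntrack can in fact produce the eight fields Johan listed, because conntrack keeps both the original (pre-NAT) tuple and the reply (post-NAT) tuple of every session, which is also the point Henrik makes later in the thread. The script below is an added example written for this page, not code from anyone in the thread; it assumes the ip_conntrack line layout of that era (protocol name first, two src/dst/sport/dport tuples) and runs on two constructed table snapshots instead of reading the real file.

```python
"""Recover original and translated NAT tuples from ip_conntrack snapshots.

Added example for this thread, not code from any poster.  conntrack stores two
tuples per session: ORIGINAL (the first packet, pre-NAT) and REPLY (how answers
must look, post-NAT).  Read together they yield all eight fields Johan listed.
Assumes the ip_conntrack layout (protocol name first, two src/dst/sport/dport
tuples); nf_conntrack prefixes an L3 protocol field and needs a small tweak.
Snapshots are constructed here; in use, read /proc/net/ip_conntrack each poll.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# One direction reads "src=A dst=B sport=N dport=M"; a TCP/UDP entry has two.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


@dataclass(frozen=True)
class NatRecord:
    proto: str
    orig_src: str
    orig_sport: int
    orig_dst: str
    orig_dport: int
    xlat_src: str
    xlat_sport: int
    xlat_dst: str
    xlat_dport: int

    @property
    def key(self) -> tuple:
        # The ORIGINAL tuple identifies a session; NAT never rewrites it.
        return (self.proto, self.orig_src, self.orig_sport,
                self.orig_dst, self.orig_dport)

    def is_natted(self) -> bool:
        return ((self.orig_src, self.orig_sport) != (self.xlat_src, self.xlat_sport)
                or (self.orig_dst, self.orig_dport) != (self.xlat_dst, self.xlat_dport))


def parse_conntrack_line(line: str) -> Optional[NatRecord]:
    """Parse one ip_conntrack line; None for ICMP or malformed entries."""
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        return None  # ICMP entries carry type/code/id, not ports
    proto = line.split()[0]
    (o_src, o_dst, o_sp, o_dp), (r_src, r_dst, r_sp, r_dp) = tuples
    # Reply packets are addressed to our translated source and come from the
    # translated destination, so the REPLY tuple is read "backwards".
    return NatRecord(proto, o_src, int(o_sp), o_dst, int(o_dp),
                     r_dst, int(r_dp), r_src, int(r_sp))


def snapshot(lines: Iterable[str]) -> Dict[tuple, NatRecord]:
    """Index one full table dump by session key."""
    records = (parse_conntrack_line(ln) for ln in lines)
    return {r.key: r for r in records if r is not None}


def diff_snapshots(before: Dict[tuple, NatRecord], after: Dict[tuple, NatRecord]
                   ) -> Tuple[List[NatRecord], List[NatRecord]]:
    """Sessions that appeared and sessions that vanished between two polls.
    A session that opens and closes between polls is missed: the inherent
    limit of polling the table instead of hooking conntrack in the kernel."""
    opened = [after[k] for k in sorted(after.keys() - before.keys())]
    closed = [before[k] for k in sorted(before.keys() - after.keys())]
    return opened, closed


def format_record(event: str, r: NatRecord) -> str:
    """One log line carrying all eight fields Johan asked for."""
    return (f"{event} {r.proto} "
            f"orig={r.orig_src}:{r.orig_sport}->{r.orig_dst}:{r.orig_dport} "
            f"xlat={r.xlat_src}:{r.xlat_sport}->{r.xlat_dst}:{r.xlat_dport}")


# Constructed polls.  T0: a SNATed web session (192.168.0.4 out as 1.2.3.4, as
# in Jeff's log) plus a DNS lookup.  T1: the DNS entry has timed out, a DNATed
# inbound session (1.2.3.4:80 -> 5.6.7.9, from the HOWTO range) has appeared,
# and an ICMP entry shows the layout the parser must skip.
SNAP_T0 = [
    "tcp      6 431999 ESTABLISHED src=192.168.0.4 dst=66.95.2.50 sport=1030 dport=80 "
    "src=66.95.2.50 dst=1.2.3.4 sport=80 dport=1030 [ASSURED] use=1",
    "udp      17 29 src=192.168.0.4 dst=66.95.2.50 sport=1031 dport=53 "
    "src=66.95.2.50 dst=1.2.3.4 sport=53 dport=1031 use=1",
]
SNAP_T1 = [
    SNAP_T0[0],
    "tcp      6 117 SYN_SENT src=66.95.2.50 dst=1.2.3.4 sport=40000 dport=80 [UNREPLIED] "
    "src=5.6.7.9 dst=66.95.2.50 sport=80 dport=40000 use=1",
    "icmp     1 29 src=192.168.0.4 dst=66.95.2.50 type=8 code=0 id=512 "
    "src=66.95.2.50 dst=1.2.3.4 type=0 code=0 id=512 use=1",
]


def run_demo() -> List[str]:
    """Diff the two constructed polls into NAT open/close events."""
    opened, closed = diff_snapshots(snapshot(SNAP_T0), snapshot(SNAP_T1))
    return ([format_record("NEW", r) for r in opened if r.is_natted()]
            + [format_record("CLOSED", r) for r in closed if r.is_natted()])


if __name__ == "__main__":
    for event in run_demo():
        print(event)
```

Because the record is built from conntrack rather than from the packet, it already holds the post-NAT addresses that a LOG rule placed before the SNAT/DNAT rule can never see.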

* Re: DNAT/SNAT and logging anyone?
From: Johan Ankarloo @ 2004-01-20 13:05 UTC (permalink / raw)
  To: netfilter

The question then is whether this is something that is missing in iptables or
whether we just haven't found a way to do this kind of logging. Maybe I
should send this to the development list instead.

Is there anyone else who knows if this is possible to do?

Johan

On Tue, 2004-01-20 at 12:47, T. Horsnell (tsh) wrote:
> I'm in the same boat. In fact not only do I want to log that
> info when the NAT'ing takes place, I would also like to log
> when the connection is broken.
> 
> The only thing I can think of at the moment, is some process
> which continuously monitors /proc/net/ip_conntrack :(
> 
> Cheers,
> Terry.
-- 
Best regards
 
Johan Ankarloo
Volvo IT
Network & Security Engineer
Tel: +46 31 32 70949
 




* Re: DNAT/SNAT and logging
From: Johan Ankarloo @ 2004-01-22 11:12 UTC (permalink / raw)
  To: Henrik Nordstrom; +Cc: netfilter-devel

So then you agree that this is a problem that has to be fixed one way or
another?

I don't want to be a pain in the butt here, but this is a really big
problem for me. When I have a problem with NAT or mangle (either I
haven't understood iptables correctly or there could be a bug) I can't
really tell what has happened to the packet. Or if I get a court order
to get the person accessing some specific machine at a specific time, I
can't rely on the log since all the necessary information about that
connection isn't in the logs.

Regards
Johan

On Thu, 2004-01-22 at 11:25, Henrik Nordstrom wrote:
> On Thu, 22 Jan 2004, Johan Ankarloo wrote:
> 
> > Do you understand why this is important?
> 
> Yes. The existing LOG target is a mess if NAT is used.
> 
> Regards
> Henrik


* Re: DNAT/SNAT and logging
From: Henrik Nordstrom @ 2004-01-22 10:25 UTC (permalink / raw)
  To: Johan Ankarloo; +Cc: netfilter-devel

On Thu, 22 Jan 2004, Johan Ankarloo wrote:

> Do you understand why this is important?

Yes. The existing LOG target is a mess if NAT is used.

Regards
Henrik


* Re: DNAT/SNAT and logging
From: Johan Ankarloo @ 2004-01-22  6:52 UTC (permalink / raw)
  To: Henrik Nordstrom; +Cc: netfilter-devel

OK, I will try to look into that and see what I can find. I still think
that the packet should be logged from the SNAT/DNAT module in some way,
since that is the module that is doing the mangling (by this I mean
that the module changes the packet in some way) and it already has all the
information about what has been done to the packet.

The next question then is: 

Do you understand why this is important?
 

On Wed, 2004-01-21 at 21:16, Henrik Nordstrom wrote:
> On Wed, 21 Jan 2004, Johan Ankarloo wrote:
> 
> > So you don't think that this is a lot of work just to get the logging to
> > work correctly? I mean that this is something that ( in my opinion )
> > should be done out of the box so to say. 
> 
> It is some work, but not very much.
> 
> > How should this be done through /dev/net/ip_conntrack?
> 
> When I say conntrack I mean in the kernel, not the proc files. By writing 
> another LOG target using the information from conntrack rather than the 
> packet you can log the information you requested.
> 
> See the LOG target and the conntrack match for details, also read the NAT 
> & Conntrack sections of the hacking howto.
> 
> The most tricky part is when to log the first packet of the session. This
> has to be done after all information has been entered into the session,
> i.e. after any SNAT targets have been applied.
> 
> Another approach is to look into using ctnetlink for detailed session
> logging. This is something we are currently implementing.
> 
> Regards
> Henrik

* Re: DNAT/SNAT and logging
  2004-01-21 18:48       ` Johan Ankarloo
@ 2004-01-21 20:16         ` Henrik Nordstrom
  2004-01-22  6:52           ` Johan Ankarloo
  0 siblings, 1 reply; 18+ messages in thread
From: Henrik Nordstrom @ 2004-01-21 20:16 UTC (permalink / raw)
  To: Johan Ankarloo; +Cc: netfilter-devel

On Wed, 21 Jan 2004, Johan Ankarloo wrote:

> So you don't think that this is a lot of work just to get the logging to
> work correctly? I mean that this is something that (in my opinion)
> should be done out of the box, so to say.

It is some work, but not very much.

> How should this be done through /dev/net/ip_conntrack?

When I say conntrack I mean in the kernel, not the proc files. By writing 
another LOG target using the information from conntrack rather than the 
packet you can log the information you requested.

See the LOG target and the conntrack match for details, also read the NAT 
& Conntrack sections of the hacking howto.

The most tricky part is when to log the first packet of the session. This
has to be done after all information has been entered into the session,
i.e. after any SNAT targets have been applied.

Another approach is to look into using ctnetlink for detailed session
logging. This is something we are currently implementing.

Regards
Henrik

* Re: DNAT/SNAT and logging
  2004-01-21 12:05     ` Henrik Nordstrom
@ 2004-01-21 18:48       ` Johan Ankarloo
  2004-01-21 20:16         ` Henrik Nordstrom
  0 siblings, 1 reply; 18+ messages in thread
From: Johan Ankarloo @ 2004-01-21 18:48 UTC (permalink / raw)
  To: Henrik Nordstrom; +Cc: netfilter-devel

So you don't think that this is a lot of work just to get the logging to
work correctly? I mean that this is something that (in my opinion)
should be done out of the box, so to say.

How should this be done through /dev/net/ip_conntrack? Do you have any
examples?

//Johan

On Wed, 2004-01-21 at 13:05, Henrik Nordstrom wrote:
> On Wed, 21 Jan 2004, Johan Ankarloo wrote:
> 
> > I'm not sure I agree. The problem here is that the logging is done
> > separately from the modules that mangle the packets.
> 
> Yes, and so are the NAT rules.
> 
> > The right way (for me) would be to have the mangle modules send the
> > logging information to the logging module. In this way the mangle
> > modules could say what has been altered in the packet.
> 
> If you log the addressing information from conntrack then this is exactly
> what is done.
> 
> Regards
> Henrik
-- 
Best regards
 
Johan Ankarloo
Volvo IT
Network & Security Engineer
Tel: +46 31 32 70949
 
====================================================================
This message may contain confidential and/or proprietary information,
and is intended only for the person/entity to whom it was originally
addressed. The content of this message may contain private views and
opinions which do not constitute a formal disclosure or commitment
unless specifically stated.

* Re: DNAT/SNAT and logging
  2004-01-21  9:33   ` Johan Ankarloo
@ 2004-01-21 12:05     ` Henrik Nordstrom
  2004-01-21 18:48       ` Johan Ankarloo
  0 siblings, 1 reply; 18+ messages in thread
From: Henrik Nordstrom @ 2004-01-21 12:05 UTC (permalink / raw)
  To: Johan Ankarloo; +Cc: netfilter-devel

On Wed, 21 Jan 2004, Johan Ankarloo wrote:

> I'm not sure I agree. The problem here is that the logging is done
> separately from the modules that mangle the packets.

Yes, and so are the NAT rules.

> The right way (for me) would be to have the mangle modules send the
> logging information to the logging module. In this way the mangle
> modules could say what has been altered in the packet.

If you log the addressing information from conntrack then this is exactly
what is done.

Regards
Henrik

* Re: DNAT/SNAT and logging
  2004-01-21  9:21 ` Henrik Nordstrom
@ 2004-01-21  9:33   ` Johan Ankarloo
  2004-01-21 12:05     ` Henrik Nordstrom
  0 siblings, 1 reply; 18+ messages in thread
From: Johan Ankarloo @ 2004-01-21  9:33 UTC (permalink / raw)
  To: netfilter-devel

I'm not sure I agree. The problem here is that the logging is done
separately from the modules that mangle the packets. The right way (for
me) would be to have the mangle modules send the logging information to
the logging module. In this way the mangle modules could say what has
been altered in the packet.

This information has to be included so that it is possible to trace the
packet back. Think of a large company that does a lot of NAT for big
networks. How is it possible for the IT staff to see what has happened?
In other brands (read Checkpoint, Cisco ...) they include this
information.

Regards

Johan

On Wed, 2004-01-21 at 10:21, Henrik Nordstrom wrote:
> On Tue, 20 Jan 2004, Johan Ankarloo wrote:
> 
> > is above the actual mangle line, the log target won't know how the
> > packet will be mangled. What I need in the log files is something like:
> > 
> > Original Source 
> > Original SourcePort 
> > Original Destination 
> > Original DestinationPort
> > Translated Source 
> > Translated SourcePort 
> > Translated Destination 
> > Translated DestinationPort
> 
> Then you need another LOG type target which logs the conntrack information 
> rather than the packet information, and on NEW packets you need to have 
> this logged after the SNAT rule has been applied.
> 
> Maybe ctnetlink can help.
> 
> Regards
> Henrik

* Re: DNAT/SNAT and logging
  2004-01-20 19:15 DNAT/SNAT and logging Johan Ankarloo
@ 2004-01-21  9:21 ` Henrik Nordstrom
  2004-01-21  9:33   ` Johan Ankarloo
  0 siblings, 1 reply; 18+ messages in thread
From: Henrik Nordstrom @ 2004-01-21  9:21 UTC (permalink / raw)
  To: Johan Ankarloo; +Cc: netfilter-devel

On Tue, 20 Jan 2004, Johan Ankarloo wrote:

> is above the actual mangle line, the log target won't know how the
> packet will be mangled. What I need in the log files is something like:
> 
> Original Source 
> Original SourcePort 
> Original Destination 
> Original DestinationPort
> Translated Source 
> Translated SourcePort 
> Translated Destination 
> Translated DestinationPort

Then you need another LOG type target which logs the conntrack information 
rather than the packet information, and on NEW packets you need to have 
this logged after the SNAT rule has been applied.

Maybe ctnetlink can help.

Regards
Henrik
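
A worked example of the approach Henrik describes in this reply and in his later, more detailed ones (log the addressing information that conntrack holds rather than the packet a LOG rule sees, taken only after the SNAT rule has applied, or via ctnetlink), producing the eight Original/Translated fields Johan lists. This is an added example, not code from the thread or from the netfilter project, and it runs in userspace over conntrack's text output instead of as a kernel LOG target: it assumes the `src= dst= sport= dport=` line format printed by the conntrack(8) tool and by /proc/net/ip_conntrack, and its sample event lines are constructed (1.2.3.4 and 5.6.7.8 are the addresses from the NAT-HOWTO excerpt quoted in the thread; the rest are made up).

```python
"""Extract "original" and "translated" addressing from conntrack output.

Added example for this thread, not code from the thread or from the
netfilter project. Assumption: the input is the textual line format printed
by the conntrack(8) tool (`conntrack -E` events, `conntrack -L` listings)
and by /proc/net/ip_conntrack, i.e. an original-direction tuple
(src= dst= sport= dport=) followed by a reply-direction tuple.
The sample lines at the bottom are constructed for this example.
"""
import re

# A conntrack entry stores two tuples. The original tuple is the first packet
# as it arrived, before any NAT. The reply tuple is the inverse of that packet
# as it left, after SNAT/DNAT. So the translation is recoverable from the entry
# itself; no LOG rule has to sit at a particular spot in the nat chains.
_TUPLE_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


def parse_conntrack_line(line):
    """Return a dict with the eight fields asked for in the thread, or None
    when the line does not carry two src/dst/sport/dport tuples (ICMP entries
    have no ports, and a truncated line must not be mis-reported)."""
    tuples = _TUPLE_RE.findall(line)
    if len(tuples) != 2:
        return None
    (o_src, o_dst, o_sport, o_dport), (r_src, r_dst, r_sport, r_dport) = tuples
    rec = {
        "orig_src": o_src, "orig_sport": int(o_sport),
        "orig_dst": o_dst, "orig_dport": int(o_dport),
        # The reply tuple is what the far end sends back: its dst is the
        # address/port our side appears as after SNAT, and its src is where
        # the connection really went after DNAT.
        "xlat_src": r_dst, "xlat_sport": int(r_dport),
        "xlat_dst": r_src, "xlat_dport": int(r_sport),
    }
    rec["snat"] = (rec["xlat_src"], rec["xlat_sport"]) != (rec["orig_src"], rec["orig_sport"])
    rec["dnat"] = (rec["xlat_dst"], rec["xlat_dport"]) != (rec["orig_dst"], rec["orig_dport"])
    return rec


def format_record(rec, prefix="NAT: "):
    """Render one record as a single syslog-style line, in the spirit of
    LOG --log-prefix but carrying both the pre- and post-NAT addressing."""
    kind = "+".join(k for k in ("SNAT", "DNAT") if rec[k.lower()]) or "NONE"
    return (
        f"{prefix}{kind} "
        f"orig={rec['orig_src']}:{rec['orig_sport']}->{rec['orig_dst']}:{rec['orig_dport']} "
        f"xlat={rec['xlat_src']}:{rec['xlat_sport']}->{rec['xlat_dst']}:{rec['xlat_dport']}"
    )


def nat_log_lines(lines, prefix="NAT: "):
    """Log only connections that were actually translated; untranslated
    flows and unparsable entries are skipped, so the log stays traceable."""
    out = []
    for line in lines:
        rec = parse_conntrack_line(line)
        if rec is not None and (rec["snat"] or rec["dnat"]):
            out.append(format_record(rec, prefix))
    return out


# Constructed sample events. 1.2.3.4 and 5.6.7.8 are the addresses used in the
# NAT-HOWTO excerpt quoted in the thread; the others are made up here.
# The reply tuple of a [NEW] event already reflects NAT, because conntrack
# confirms the entry (and ctnetlink emits the event) at the end of the
# packet's traversal, after the nat table has run. That is the "log after the
# SNAT rule has been applied" timing Henrik describes.
SAMPLE_EVENTS = [
    # SNAT: 10.0.0.2 leaves the box as 1.2.3.4
    "[NEW] tcp      6 120 SYN_SENT src=10.0.0.2 dst=5.6.7.8 sport=40000 dport=80 "
    "[UNREPLIED] src=5.6.7.8 dst=1.2.3.4 sport=80 dport=40000",
    # DNAT: 203.0.113.9 connects to 1.2.3.4:80, forwarded to 192.168.1.10:8080
    "[NEW] tcp      6 120 SYN_SENT src=203.0.113.9 dst=1.2.3.4 sport=51515 dport=80 "
    "[UNREPLIED] src=192.168.1.10 dst=203.0.113.9 sport=8080 dport=51515",
    # No NAT: the reply tuple is the plain inverse of the original
    "[NEW] udp      17 30 src=10.0.0.5 dst=10.0.0.53 sport=5353 dport=53 "
    "[UNREPLIED] src=10.0.0.53 dst=10.0.0.5 sport=53 dport=5353",
    # ICMP carries no ports, so it is reported as unparsable rather than guessed
    "[NEW] icmp     1 30 src=10.0.0.2 dst=5.6.7.8 type=8 code=0 id=1 "
    "[UNREPLIED] src=5.6.7.8 dst=1.2.3.4 type=0 code=0 id=1",
]

if __name__ == "__main__":
    for entry in nat_log_lines(SAMPLE_EVENTS):
        print(entry)
```

The point it makes is that conntrack already stores the post-NAT addressing as the reply tuple, so a log written from the conntrack entry (or from a ctnetlink NEW event, which is emitted once the entry is confirmed at the end of the packet's traversal, after the nat table) carries both the original and the translated endpoints without a LOG rule having to be placed before and after each NAT rule. Entries without ports come back as None rather than being reported with guessed values.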

* DNAT/SNAT and logging
@ 2004-01-20 19:15 Johan Ankarloo
  2004-01-21  9:21 ` Henrik Nordstrom
  0 siblings, 1 reply; 18+ messages in thread
From: Johan Ankarloo @ 2004-01-20 19:15 UTC (permalink / raw)
  To: netfilter-devel

Hi all. This is a repost. I first tried the
netfilter@lists.netfilter.org list with no luck. Maybe someone here can
help me with an answer to this question?

I need a way to log SNAT/DNAT packets. In the log I need all the
information about what has happened to the packet. Since the log target
is above the actual mangle line, the log target won't know how the
packet will be mangled. What I need in the log files is something like:

Original Source 
Original SourcePort 
Original Destination 
Original DestinationPort
Translated Source 
Translated SourcePort 
Translated Destination 
Translated DestinationPort

As an example, take a look at the documentation about NAT and look at the
examples below taken from
http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html

---- SNIP ----
## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10
## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
---- SNIP ----

Here you can see that you can do DNAT and SNAT to a range of IP addresses,
so the question may be a bit clearer when I ask it like this:
How is it possible to log which IP address the connection is translated
to? The logs should contain all the information that is needed to
tell what has happened to a packet.

Regards

Johan

Thread overview: 18+ messages
2004-01-19 15:04 DNAT/SNAT and logging Johan Ankarloo
2004-01-19 15:21 ` Jeffrey Laramie
2004-01-19 15:37   ` Johan Ankarloo
2004-01-19 16:24     ` Jeffrey Laramie
2004-01-19 18:32       ` Johan Ankarloo
2004-01-19 19:17         ` Jeffrey Laramie
2004-01-20  6:41           ` DNAT/SNAT and logging anyone? Johan Ankarloo
2004-01-20 11:47             ` T. Horsnell (tsh)
2004-01-20 13:05               ` Johan Ankarloo
2004-01-20 19:15 DNAT/SNAT and logging Johan Ankarloo
2004-01-21  9:21 ` Henrik Nordstrom
2004-01-21  9:33   ` Johan Ankarloo
2004-01-21 12:05     ` Henrik Nordstrom
2004-01-21 18:48       ` Johan Ankarloo
2004-01-21 20:16         ` Henrik Nordstrom
2004-01-22  6:52           ` Johan Ankarloo
2004-01-22 10:25             ` Henrik Nordstrom
2004-01-22 11:12               ` Johan Ankarloo
