19216811.liveAppendix C – System Log
236
For example, to log all inbound requests from the IP address 5.6.7.8 to the mail server
(port 25) on the machine
flubber
on the LAN with address 192.168.1.1:
iptables -I FORWARD -j LOG -p tcp --syn -s 5.6.7.8/32 -d
192.168.1.1 --dport 25 --log-prefix "Mail for flubber: "
This will result in log output something like this:
<12> Jan 24 18:17:19 2000 klogd: Mail for flubber: IN=eth1
OUT=eth0 SRC=5.6.7.8 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00
TTL=126 ID=45507 DF PROTO=TCP SPT=4088 DPT=25 WINDOW=64240
RES=0x00 SYN URGP=0
Note how the
OUT
value has now changed to show which interface the access attempt
will use to reach the internal host.
As this request arrived on eth1 and was destined for
eth0, we can determine that it was an
inbound
request, since eth0 is the LAN port, and
eth1 is usually the WAN port.
An
outbound
request would have
IN=eth0
and
OUT=eth1
.
It is possible to use the
-i
and
-o
arguments to specify the interface that are to be
considered for
IN
and
OUT
respectively.
When the
!
argument is used before the
interface name, the sense is inverted.
If the name ends in a
+
, then any interface which
begins with this name will match.
e.g.
iptables -I FORWARD -j LOG -i eth0 -p tcp ...
This rule will log outbound from the LAN (eth0) only.
We could limit that further by
specifying which interface it is outbound to, by using the
-o
option.
iptables -I FORWARD -j LOG -i eth0 -o eth1 -p tcp ...
This will log LAN traffic destined for the WAN – but won't log LAN traffic destined for a
PPP or perhaps IPSec link.
Similarly, we could construct a rule that looks at all inbound/outbound traffic, but excludes
VPN traffic, thus:
iptables -I FORWARD -j LOG -i eth+ -o eth+ -p tcp ...