Iptables NAT logging
I have a box set up as a router using Iptables (masquerade), logging all network traffic.
The problem:
Connections from LAN IPs to WAN show fine, i.e. SRC=192.168.32.10 -> DST=60.242.67.190
but for traffic coming from WAN to LAN it will show the WAN IP as the source, but the router's IP as the destination, then the router -> LAN IP.
I.e. SRC=60.242.67.190 -> DST=192.168.32.199 SRC=192.168.32.199(router) -> DST=192.168.32.10
How do I configure it so that it logs the conversations correctly?
SRC=192.168.32.10 -> DST=60.242.67.190 SRC=60.242.67.190 -> DST=192.168.32.10
Any help appreciated, cheers
The info you need is only in the connection tracking table. Have a look at conntrack(8) for how to get it. Logging it in real time might be tricky though, maybe something using -j ULOG and ulogd.
To log all of the information you want, you would need two log rules. One to log the data from the WAN interface to the router, and a second to log the packet from the router to the LAN host.
In other words, as the packet passes through your routing tables, the destination will be re-written. If I understand correctly, you want to see that packet's information before it's rewritten, and after (so you can see which host it's going to).
The rules may look something like this. Existing rule which shows WAN to router:
iptables -I INPUT -m state --state NEW -j LOG --log-prefix " New Incoming Packet"
New Additional Rule:
iptables -I FORWARD -d LAN_HOST_IPADDR -m state --state NEW -j LOG --log-prefix " [>] NEW FORWARD"
Or for extra credit, and to keep things a little cleaner, create a new chain for traffic forwarded to the LAN HOST, something like this:
iptables -t nat -N forward_to_mypc
iptables -t nat -A forward_to_mypc -m state --state NEW -j LOG --log-prefix " [>] New Forward"
iptables -t nat -A forward_to_mypc -j DNAT --to <address_of_mypc>
Then use the new chain like this:
iptables -t nat -I PREROUTING -i <WANADAPTER> -p tcp --dport 3389 -j forward_to_mypc
That would forward any port 3389 TCP packets coming in on the WAN adapter to your LAN PC, and if the packet is new, it would get logged.
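As an added example (not from either answer): once both LOG rules above are in place, the pre-DNAT line and the post-DNAT FORWARD line of one connection can be joined on the fields DNAT does not rewrite (remote address, protocol, ports), giving the "SRC=WAN -> DST=LAN host" view the question asks for. The log lines below are constructed; 192.168.32.199 is taken from the question as the router's address and the prefixes come from the rules above.

```python
import re

# Constructed sample of what the two LOG rules would emit for one forwarded RDP
# connection: the line logged before DNAT (DST is still the router, OUT= is empty)
# and the FORWARD line logged after DNAT (DST is the LAN host). The third line has
# no pre-DNAT partner, to show how an unmatched FORWARD entry is reported.
SAMPLE_LOG = """\
Jan 10 12:00:01 router kernel:  New Incoming Packet IN=eth0 OUT= SRC=60.242.67.190 DST=192.168.32.199 LEN=60 TTL=52 ID=12345 DF PROTO=TCP SPT=51234 DPT=3389 SYN URGP=0
Jan 10 12:00:01 router kernel:  [>] NEW FORWARD IN=eth0 OUT=eth1 SRC=60.242.67.190 DST=192.168.32.10 LEN=60 TTL=51 ID=12345 DF PROTO=TCP SPT=51234 DPT=3389 SYN URGP=0
Jan 10 12:00:05 router kernel:  [>] NEW FORWARD IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.32.10 LEN=60 TTL=49 ID=777 DF PROTO=TCP SPT=40000 DPT=3389 SYN URGP=0
"""

FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")

def parse_log_line(line):
    """Split one iptables LOG line into its log prefix and the header fields we need."""
    after_kernel = line.split("kernel:", 1)[1]
    fields = dict(FIELD_RE.findall(after_kernel))
    fields["PREFIX"] = after_kernel.split("IN=", 1)[0].strip()
    return fields

def flow_key(fields):
    """Identify a connection by the inbound fields that DNAT leaves untouched."""
    return (fields["SRC"], fields["PROTO"], fields["SPT"], fields["DPT"])

def correlate(log_text):
    """Join each post-DNAT FORWARD line to the pre-DNAT line of the same connection.

    A pre-DNAT line (INPUT or PREROUTING) has an empty OUT= field because no output
    interface has been chosen yet; a FORWARD line carries the LAN-side OUT= interface.
    """
    pre_dnat = {}
    conversations = []
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f.get("OUT", "") == "":
            pre_dnat[flow_key(f)] = f          # remember the unrewritten destination
            continue
        before = pre_dnat.pop(flow_key(f), None)
        conversations.append({
            "src": f["SRC"], "sport": f["SPT"], "proto": f["PROTO"],
            "router_dst": before["DST"] if before else None,  # None: no pre-DNAT log seen
            "lan_dst": f["DST"], "dport": f["DPT"],
        })
    return conversations

def format_conversation(c):
    """Render one entry the way the question asks for it: SRC=wan -> DST=lan host."""
    return "SRC=%s:%s -> DST=%s:%s (%s)" % (c["src"], c["sport"], c["lan_dst"], c["dport"], c["proto"])

if __name__ == "__main__":
    for conv in correlate(SAMPLE_LOG):
        print(format_conversation(conv))
```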