On Wednesday 15 January 2003 06:36 am, Simone Sestini wrote:
> Hi folks..
>
> I have made two NAT boxes for a special dialup server.
> I have created an iptables startup script like that..
>
> /usr/local/sbin/iptables -t nat -A POSTROUTING -s 10.20.2.0/23 -o eth0 -j SNAT --to PUBLIC-IP1
> /usr/local/sbin/iptables -t nat -A POSTROUTING -s 10.20.4.0/23 -o eth0 -j SNAT --to PUBLIC-IP2
> and so on..
>
> Now.. I need to LOG all the traffic that transits over the rules..
> I need to log at least PUBLIC-IPX and DESTINATION-IP.
>
> A friend of that mailing list wrote me back and told..
>
> change your string like that
>
> /usr/local/sbin/iptables -t nat -A POSTROUTING -s 10.20.0.0/23 -o eth0 -j LOG --log-level debug --log-prefix "POSTRT: "
> /usr/local/sbin/iptables -t nat -A POSTROUTING -s 10.20.0.0/23 -o eth0 -j SNAT --to PUBLIC-IP1
>
> I did that and added that over syslog.conf
> # For NAT
> *.* /var/log/nat.log
>
> but I don't see any data logged over that file..
>
> See that..
>
> 75 3727 LOG all -- * eth0 10.20.0.0/23 0.0.0.0/0 LOG flags 0 level 7 prefix `POSTRT: '
> 75 3727 SNAT all -- * eth0 10.20.0.0/23 0.0.0.0/0 to:xxx.x.xx.x
>
> I generated the traffic over that rule but nothing appears over the log file.
>
> Any idea ?

The log by default goes to /var/log/messages with other kernel logging. You CAN redirect it, but with the LOG target all you can do is specify the log-level, and then redirect ALL kernel logs of that level with changes to syslog.conf. Usually 'debug' is tolerably empty of other logging, so his suggestion of rules is reasonable. (Although you could improve it by having the log-prefix itself indicate which rule matched, rather than even having to read the log data itself.)

However, the syslog.conf change you made doesn't make sense to me. Try 'man syslog.conf' for info, but using the *.* will redirect ALL logging of EVERYTHING to the destination file.

In order to redirect kernel debug logging ONLY, you need something like:

kernel.=debug /var/log/natlog

to specify that ONLY the debug level of kernel logs goes to the specified file. Also, I believe you will need to restart syslogd in order for the change to be effective.

BTW, you might want to consider adding "-m state state NEW" to your logging rules. This will log ONLY new connections, rather than every single packet that goes out. As long as all you are interested in is the fact that a connection was initiated, and the source and destination, this will be MUCH easier on your system. If you really need to gather information on EVERYTHING, then I suggest you look into a ULOG accounting package, which will gather information directed to it through the ULOG target and compile whatever information you need without creating massive logfiles.

j

> Simone Sestini [ SS971-RIPE ]
>
> Plug IT s.p.a. - Technical Office
> Via Galileo Ferraris 216
> 52100 Arezzo
>
> Titles:
> System and Network Administrator
> Data Transmission Manager
>
> Fax +39 199 440088
> E-mail simone.sestini@plugit.net
> Web http://www.plugit.it
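Pulling the reply's suggestions together (one LOG rule per SNAT rule with a prefix that names the public IP, `-m state --state NEW` so only connection setups are logged, and a syslog.conf line that catches kernel debug messages only), here is an added example that is not code from the thread; it also parses the resulting kernel LOG lines back into the PUBLIC-IP and DESTINATION-IP records the original poster asked for. It assumes the standard kernel LOG line format (SRC= DST= PROTO= DPT=), the syslog facility name kern for kernel messages, and the constructed addresses 198.51.100.1 and 198.51.100.2 standing in for PUBLIC-IP1 and PUBLIC-IP2.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the standard kernel LOG line
# format, syslog facility "kern", and constructed public IPs 198.51.100.1/2.
IPTABLES=/usr/local/sbin/iptables
# Constructed mapping: private subnet, public IP it is SNATed to, log tag.
nat_table() {
    cat <<'EOF'
10.20.2.0/23 198.51.100.1 NAT1
10.20.4.0/23 198.51.100.2 NAT2
EOF
}
# Print the iptables commands instead of running them; apply with: nat_rules | sh
nat_rules() {
    nat_table | while read -r subnet pubip tag; do
        # Log only NEW connections. LOG runs before SNAT, so SRC= in the log is the
        # private address; the prefix tag is what identifies the public IP used.
        echo "$IPTABLES -t nat -A POSTROUTING -s $subnet -o eth0 -m state --state NEW" \
             "-j LOG --log-level debug --log-prefix \"$tag: \""
        echo "$IPTABLES -t nat -A POSTROUTING -s $subnet -o eth0 -j SNAT --to $pubip"
    done
}
# syslog.conf line sending ONLY kernel debug-level messages to the NAT log.
syslog_line() {
    printf 'kern.=debug\t/var/log/nat.log\n'
}
# Read kernel LOG lines on stdin; print "<public-ip> <src> <dst> <proto>/<dport>".
parse_nat_log() {
    awk -v map="$(nat_table)" '
        BEGIN { n = split(map, rows, "\n"); for (r = 1; r <= n; r++) { split(rows[r], f, " "); pub[f[3]] = f[2] } }
        { tag = ""; src = ""; dst = ""; proto = ""; dpt = ""
          for (i = 1; i <= NF; i++) {
              if ($i ~ /:$/) { t = substr($i, 1, length($i) - 1); if (t in pub) tag = t }
              else if (sub(/^SRC=/, "", $i)) src = $i
              else if (sub(/^DST=/, "", $i)) dst = $i
              else if (sub(/^PROTO=/, "", $i)) proto = $i
              else if (sub(/^DPT=/, "", $i)) dpt = $i
          }
          if (tag != "") print pub[tag], src, dst, proto "/" dpt }'
}
# Constructed sample lines in the format the kernel LOG target produces.
sample_log() {
    cat <<'EOF'
Jan 15 06:40:01 gw kernel: NAT1: IN= OUT=eth0 SRC=10.20.2.5 DST=203.0.113.7 LEN=60 TTL=63 PROTO=TCP SPT=34567 DPT=80 SYN
Jan 15 06:40:02 gw kernel: NAT2: IN= OUT=eth0 SRC=10.20.4.9 DST=203.0.113.50 LEN=60 TTL=63 PROTO=UDP SPT=5353 DPT=53
EOF
}
nat_rules; syslog_line; sample_log | parse_nat_log
```

Because the LOG rule sits before SNAT in POSTROUTING, the SRC= address in the log is still the private one; the per-rule prefix is the only thing that tells you which public address the connection left from, which is why the parser keys on it.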