On Saturday 01 February 2003 07:21 pm, Khanh Tran wrote:
> OK, so I tried to do:
>
> iptables -A POSTROUTING -j LOG --log-tcp-options --log-ip-options
>
> but all that gives me is an iptables error about that not being a
> valid chain. I do get the MAC address info if I log the INPUT chain,
> but all that gives me is the info about the originating IP with a
> destination of the internal interface of my firewall. That's not much
> help for keeping track of the activity of all my internals. This is
> essentially all I am trying to do. If anyone has a better solution,
> I'm up for suggestions.

The nat and mangle tables each have a POSTROUTING chain, but the filter
table does not. If you don't specify a table, iptables uses "-t filter"
as the default.

In any case, you won't see MAC information in the POSTROUTING logs. (If
you want to try my dirty fix, you should be able to get it in
POSTROUTING with "-t nat" before "-A" in your rule above.) In your
situation you will only find it in logs from a PREROUTING chain. Try:

iptables -t nat -I PREROUTING 1 -j LOG --log-tcp-options --log-ip-options

and you should see the "MAC=" field in each log entry. You will likely
want to add some matches, however, like "-s 10.10.0.0/16" or
"-p tcp --dport 80" or such, to keep it from logging unneeded info. I'd
also suggest you consider "-m state --state NEW" in the log rule, if
this is compatible with your needs, so that you only log the first
packet of each connection. You'll accurately log the activity but not
the volume that way.

BTW, if you are going to use this for everyday purposes, you will want
to redirect the logs to their own logfile, if you aren't already (i.e.
with "kern.=debug /var/log/firewall" in /etc/syslog.conf, and append
"--log-level 7" to your logging rules).

Also, you really might want to look into some of the ULOG-based
accounting packages available, which will track a variety of packet
information and store it, often without consuming the immense storage
required to log ALL traffic through a gateway system using the LOG
target. You will probably also gain the ability to easily create a
report listing any machines conducting unusual communications,
exceeding given parameters, etc.

j

> Khanh Tran
> Network Operations
> Sarah Lawrence College
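Added example, not part of the original thread: a small POSIX shell script that does the per-host accounting the reply above describes, driven by constructed sample lines in the layout the LOG target writes to syslog. One detail worth knowing when reading the "MAC=" field: the LOG target prints the raw 14-byte Ethernet header, so the first six octets are the destination MAC (the firewall's own interface), the next six are the source MAC (the internal host you want to track), and the last two are the ethertype. The script splits the field accordingly, counts NEW connections per (source MAC, source IP) pair, and flags any MAC seen with more than one IP, which is how you would notice a host changing its address. The sample log lines, the host names and the MAC and IP values are all made up for this example.

```shell
#!/bin/sh
# Constructed sample of what a "-t nat -I PREROUTING 1 -m state --state NEW
# -j LOG --log-level 7" rule writes to syslog. These lines are invented for
# the example; the field layout (IN= OUT= MAC= SRC= DST= ... SPT= DPT=) is the
# LOG target's own. Note the fourth line: the same source MAC as 10.10.1.5,
# now using 10.10.1.9.
SAMPLE_LOG='Feb  1 19:30:01 fw kernel: IN=eth1 OUT= MAC=00:50:56:c0:00:08:00:0c:29:3e:4f:5a:08:00 SRC=10.10.1.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=34567 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  1 19:30:02 fw kernel: IN=eth1 OUT= MAC=00:50:56:c0:00:08:00:0c:29:3e:4f:5a:08:00 SRC=10.10.1.5 DST=192.0.2.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=34568 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  1 19:30:03 fw kernel: IN=eth1 OUT= MAC=00:50:56:c0:00:08:00:0c:29:aa:bb:cc:08:00 SRC=10.10.1.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4713 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  1 19:30:04 fw kernel: IN=eth1 OUT= MAC=00:50:56:c0:00:08:00:0c:29:3e:4f:5a:08:00 SRC=10.10.1.9 DST=192.0.2.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4714 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# Split one MAC= value into its three parts. The LOG target prints the raw
# link-layer header: destination MAC (6 octets), source MAC (6 octets),
# ethertype (2 octets). The internal host is therefore octets 7..12.
split_mac() {
    # $1: the value after "MAC=", e.g. 00:50:56:c0:00:08:00:0c:29:3e:4f:5a:08:00
    echo "$1" | awk -F: '{
        printf "dst=%s:%s:%s:%s:%s:%s src=%s:%s:%s:%s:%s:%s type=%s%s\n",
            $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14 }'
}

# Read LOG lines on stdin and count them per (source MAC, source IP).
# With "--state NEW" in the rule each line is one new connection, so the
# count is connection activity, not packet volume.
# Output: "<src-mac> <src-ip> <count>", one line per pair, sorted.
count_by_mac() {
    awk '
    /MAC=/ {
        mac = ""; src = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^MAC=/) {
                split(substr($i, 5), m, ":")
                mac = m[7] ":" m[8] ":" m[9] ":" m[10] ":" m[11] ":" m[12]
            }
            if ($i ~ /^SRC=/) src = substr($i, 5)
        }
        if (mac != "" && src != "") n[mac " " src]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

# From LOG lines on stdin, list source MACs that were seen with more than
# one source IP: a host that changed address, or one borrowing another's.
multi_ip_macs() {
    count_by_mac | awk '{ ips[$1]++ } END { for (m in ips) if (ips[m] > 1) print m }' | sort
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | count_by_mac
printf '%s\n' "$SAMPLE_LOG" | multi_ip_macs
```

To run this against a real file, replace the sample with `count_by_mac < /var/log/firewall`; the awk field scan does not depend on the order of the LOG fields, only on their `NAME=value` form.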