On Mon 11/08/2003 at 09:34, Simone Sestini wrote:

> right now I'm able to log the connection using
> iptables -t nat -A POSTROUTING -s 10.50.72.0/23 -o eth0 -j LOG --log-level debug --log-prefix "POSTRT: "
> iptables -t nat -A POSTROUTING -s 10.50.72.0/23 -o eth0 -j SNAT --to 111.111.111.111

When you log in the nat table, you have to be aware that, for a given connection, only the first packet (i.e. the one with state NEW) will cross the table. Further ones will be handled by conntrack directly and won't go through the nat table. This means you'll only be able to log the very first packet. If you want more packets, then you'll have to log in the filter or mangle table.

> but on my nat.log file I can get only
> Aug 11 11:20:53 gw2-709nat kernel: POSTRT: IN= OUT=eth0 SRC=10.50.72.6 DST=213.199.150.90 LEN=78 TOS=0x00 PREC=0x00 TTL=126 ID=4530 PROTO=UDP SPT=137 DPT=137 LEN=58
> Anyone know if it's possible to see what kind of files the client has requested too? I need a debug similar to squid..

Netfilter's LOG target logs packet headers. So you can't determine the payload contents from reading them. If you want to access the packet payload, then you have to use the ULOG target, which will send the whole packet to a userspace tool that will perform the kind of analysis you need.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
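As an added illustration of the point made in the reply (this is example code written for this page, not something posted by either participant), the following Python parses the kernel LOG target format shown above into structured fields. It makes concrete what the LOG line does and does not carry: IP and transport headers are present, but the only trace of the payload is its length, so a UDP entry tells you how many payload bytes went by without showing any of them. The first sample line is the one quoted in the thread; the TCP and ICMP lines are constructed here to exercise bare flags (DF, SYN) and the repeated ID field, and the field names `UDP_LEN` / `ICMP_ID` are this parser's own convention for the second occurrence of a key, not netfilter's.

```python
import re
from collections import Counter
from typing import Optional

# Sample iptables LOG output. The first line is the one quoted in the thread;
# the other two are constructed here to exercise TCP and ICMP parsing and
# are not taken from the original log.
SAMPLE_LOG = """\
Aug 11 11:20:53 gw2-709nat kernel: POSTRT: IN= OUT=eth0 SRC=10.50.72.6 DST=213.199.150.90 LEN=78 TOS=0x00 PREC=0x00 TTL=126 ID=4530 PROTO=UDP SPT=137 DPT=137 LEN=58
Aug 11 11:21:02 gw2-709nat kernel: POSTRT: IN= OUT=eth0 SRC=10.50.72.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=33000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 11 11:21:05 gw2-709nat kernel: POSTRT: IN= OUT=eth0 SRC=10.50.72.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
"""

# syslog preamble up to "kernel: ", then the --log-prefix text, then the
# header fields, which always begin with the IN= token.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) kernel: (?P<prefix>.*?)IN=(?P<rest>.*)$"
)


def parse_log_line(line: str) -> Optional[dict]:
    """Split one LOG target line into a dict of header fields.

    Tokens are KEY=VALUE pairs (VALUE may be empty, e.g. IN=) or bare flags
    (DF, SYN, ACK). LOG prints IP header fields first and transport fields
    after PROTO=, so a key seen a second time (LEN for UDP, ID for ICMP) is
    stored under a PROTO-qualified name such as UDP_LEN (our own naming).
    Returns None for lines that are not LOG output.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "prefix": m.group("prefix").strip(),
        "flags": [],
    }
    for tok in ("IN=" + m.group("rest")).split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            if key in rec:
                key = f"{rec.get('PROTO', 'L4')}_{key}"
            rec[key] = val
        else:
            rec["flags"].append(tok)
    return rec


def unseen_payload_bytes(rec: dict) -> Optional[int]:
    """Payload bytes the entry accounts for but does not show.

    Only UDP is unambiguous from LOG fields: the UDP length covers the
    8-byte UDP header plus payload. TCP's data offset and any IP options
    are not logged, so no reliable figure exists and None is returned.
    """
    if rec.get("PROTO") == "UDP" and "UDP_LEN" in rec:
        return int(rec["UDP_LEN"]) - 8
    return None


def flows(lines: str) -> Counter:
    """Count entries per 5-tuple; logged from the nat table, each flow shows once."""
    c = Counter()
    for line in lines.splitlines():
        rec = parse_log_line(line)
        if rec:
            key = (rec["SRC"], rec["DST"], rec["PROTO"], rec.get("SPT"), rec.get("DPT"))
            c[key] += 1
    return c


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_log_line(line)
        print(rec["prefix"], rec["SRC"], "->", rec["DST"], rec["PROTO"],
              "flags=" + ",".join(rec["flags"]),
              "payload bytes not shown:", unseen_payload_bytes(rec))
    print("distinct flows logged:", len(flows(SAMPLE_LOG)))
```

For the quoted NetBIOS line this reports 50 payload bytes that the LOG entry describes but cannot show, which is exactly the gap the reply points at: to see those bytes you need ULOG handing the full packet to a userspace tool.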