Re: DNAT/SNAT and logging anyone?

I don't know if you read the whole conversation below? This doesn't work
since all you get is the source/destination before you do the
translation. I need to have the translated source/destination included
as well. If you do a DNAT to a range of addresses, how do you know which
address was used?

Regards

Johan


On Tue, 2004-01-20 at 07:47, hclfm@xxxxxxxxxxxx wrote:
>  
> 
>  Hi,
> 
>  Use the --log-level debug option with your logging command.
> 
>  You will get the required IP and port information in the logs.
> 
> regards,
> 
> U.SivaKumar.
> 
>  HCL Infosystems Limited.
> 
> 
> 
> 
> 
> Johan Ankarloo <johan.ankarloo@xxxxxxxxx>
> Sent by: netfilter-admin@xxxxxxxxxxxxxxxxxxx
> 01/20/2004 07:41 AM CET
> 
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> cc:
> bcc:
> Subject: Re: DNAT/SNAT and logging anyone?
> 
> 
> Hi all. This is a repost. Thanks to Jeffrey for trying to help me.
> 
> I need a way to log SNAT/DNAT packets. In the log I need all the
> information about what has happened to the packet. Since the log target
> is above the actual mangle line, the log target won't know how the
> packet will be mangled. What I need in the log files are:
> 
> Original Source
> Original SourcePort
> Original Destination
> Original DestinationPort
> Translated Source
> Translated SourcePort
> Translated Destination
> Translated DestinationPort
> 
> As an example, take a look at the documentation about NAT and look at the
> examples below, taken from
> http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html
> 
> ---- SNIP ----
> ## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
> # iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10
> ## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
> # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
> ---- SNIP ----
> 
> Here you can see that you can do DNAT and SNAT to a range of IP addresses,
> so the question may be a bit clearer when I ask it like this:
> How is it possible to log which IP address the connection is translated
> to?
> 
> Regards
> 
> Johan
> 
> On Mon, 2004-01-19 at 20:17, Jeffrey Laramie wrote:
> > Johan Ankarloo wrote:
> >
> > >On Mon, 2004-01-19 at 17:24, Jeffrey Laramie wrote:
> > >
> > >
> > >>Johan Ankarloo wrote:
> > >>
> > >>
> > >>
> > >>>On Mon, 2004-01-19 at 16:21, Jeffrey Laramie wrote:
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>>Johan Ankarloo wrote:
> > >>>>
> > >>>>
> > >>>>
> > >>>>
> > >>>>
> > >>>>>Hi
> > >>>>>
> > >>>>>Does anyone know how to log a DNAT/SNAT connection? When logging a NAT
> > >>>>>connection you also want to know the original source/destination/port of
> > >>>>>that packet. Is that possible?
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>Sure. The easiest way to do it is to add a matching log rule just before
> > >>>>the nat rule:
> > >>>>
> > >>>>iptables -t nat -A POSTROUTING -o $Net_Interface -j LOG --log-prefix "SNAT: "
> > >>>>iptables -t nat -A POSTROUTING -o $Net_Interface -j SNAT --to $Net_IP
> > >>>>
> > >>>>Jeff
> > >>>>
> > >>>>
> > >>>>
> > >>>>
> > >>>The problem when doing this is that you don't get the original
> > >>>source/destination or the translated address. If you look at the logs
> > >>>you can't see all the information that you need to be able to debug any
> > >>>problem or to be able to track that connection back to the user.
> > >>>
> > >>>
> > >>>
> > >>>
> > >>I don't use DNAT so I can't tell you how it logs connections, but
> > >>logging a SNAT connection works fine. Here are the rules I used:
> > >>
> > >># Masquerade everything leaving the lan as the firewall IP.
> > >>$iptables -t nat -A POSTROUTING -o $Net_Interface -j LOG --log-level debug --log-prefix "SNAT: "
> > >>$iptables -t nat -A POSTROUTING -o $Net_Interface -j SNAT --to $Net_IP
> > >>
> > >>And here's the log entry I got:
> > >>
> > >>Jan 19 11:14:21 NS1 kernel: SNAT: IN= OUT=eth1 SRC=192.168.0.4
> > >>DST=66.95.2.50 LEN=44 TOS=0x08 PREC=0x00 TTL=63 ID=17955 PROTO=TCP
> > >>SPT=1030 DPT=80 WINDOW=28672 RES=0x00 SYN URGP=0
> > >>
> > >>
> > >>192.168.0.4 is the source host on the local private subnet
> > >>66.95.2.50 is the IP of the remote host
> > >>Sending port is 1030
> > >>Dest port is 80
> > >>
> > >>And $Net_IP is the IP the outside will see, which is the IP of the firewall.
> > >>The SNATed ports will be the same as the original ones.
> > >>
> > >>Isn't this what you're looking for or did I misunderstand you?
> > >>
> > >>Jeff
> > >>
> > >>
> > >
> > >No, I don't see all the information in your example above. Look at the
> > >following examples taken from
> > >http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html
> > >
> > >---- SNIP ----
> > >## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
> > ># iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10
> > >
> > >## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
> > ># iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
> > >---- SNIP ----
> > >
> > >Here you can see that you can do DNAT and SNAT to a range of IP addresses,
> > >so the question may be a bit clearer when I ask it like this:
> > >How is it possible to log which IP address the connection is translated
> > >to?
> > >
> > >
> >
> > Ahh, I see what the issue is. You 'know' the translated IP because you
> > explicitly set it within the NAT rule, not because it's in the log. In
> > the case of a target range there is no way for a prior logging rule to
> > tell which of the range addresses will be assigned by the NAT rule. I
> > think you'll need to use a tool like snort to get that kind of detail.
> > Maybe someone else knows another way, sorry I couldn't help you.
> >
> > Jeff
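One way to recover the eight fields Johan lists from what the kernel does expose, as an added example that is not part of this thread: the pre-NAT LOG line (the format Jeff pasted) is joined with the flow's connection-tracking entry, whose reply tuple carries the address the SNAT/DNAT rule actually chose from the range. The two sample lines are constructed, and the conntrack entry format (as in /proc/net/ip_conntrack, which the thread itself does not mention) is an assumption of this example.

```python
import re

# Constructed samples (not lines from the thread): the kernel LOG entry written
# by the logging rule that precedes the NAT rule, and the conntrack entry for
# the same flow after SNAT has picked 1.2.3.4 out of a range. The conntrack
# line format is assumed to be the /proc/net/ip_conntrack style.
LOG_LINE = ("Jan 19 11:14:21 NS1 kernel: SNAT: IN= OUT=eth1 SRC=192.168.0.4 "
            "DST=66.95.2.50 LEN=44 TOS=0x08 PREC=0x00 TTL=63 ID=17955 PROTO=TCP "
            "SPT=1030 DPT=80 WINDOW=28672 RES=0x00 SYN URGP=0")
CT_LINE = ("tcp 6 117 SYN_SENT src=192.168.0.4 dst=66.95.2.50 sport=1030 dport=80 "
           "[UNREPLIED] src=66.95.2.50 dst=1.2.3.4 sport=80 dport=1030 use=1")

KV = re.compile(r"(\w+)=(\S*)")

def parse_log(line):
    """Pre-NAT 4-tuple (src, sport, dst, dport) from a kernel LOG line."""
    f = dict(KV.findall(line))
    return (f["SRC"], int(f["SPT"]), f["DST"], int(f["DPT"]))

def parse_conntrack(line):
    """(original, reply) 4-tuples from one conntrack entry. src/dst/sport/dport
    appear twice: first the direction the packet arrived in, then the reply
    direction, which is where the NATed addresses show up."""
    pairs = KV.findall(line)
    col = {k: [v for key, v in pairs if key == k]
           for k in ("src", "dst", "sport", "dport")}
    orig = (col["src"][0], int(col["sport"][0]), col["dst"][0], int(col["dport"][0]))
    reply = (col["src"][1], int(col["sport"][1]), col["dst"][1], int(col["dport"][1]))
    return orig, reply

def nat_record(log_line, ct_line):
    """Join the LOG entry with its conntrack entry and return the eight fields
    the thread asks for, or None if the two lines describe different flows."""
    pre = parse_log(log_line)
    orig, reply = parse_conntrack(ct_line)
    if pre != orig:
        return None
    # The reply tuple is the mirror image: its dst is what the original src
    # became (SNAT), its src is what the original dst became (DNAT).
    return {
        "orig_src": orig[0], "orig_sport": orig[1],
        "orig_dst": orig[2], "orig_dport": orig[3],
        "xlat_src": reply[2], "xlat_sport": reply[3],
        "xlat_dst": reply[0], "xlat_dport": reply[1],
    }

if __name__ == "__main__":
    print(nat_record(LOG_LINE, CT_LINE))
```

The same join works for a DNAT range: the original dst is the address the packet arrived at, and the reply src is the range member the rule selected.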