I'm in the same boat. In fact not only do I want to log that info when the NAT'ing takes place, I would also like to log when the connection is broken. The only thing I can think of at the moment, is some process which continuously monitors /proc/net/ip_conntrack :( Cheers, Terry. >Hi all. This is a repost. Thanks to Jeffrey for trying to help me. > >I need a way to log SNAT/DNAT packets. In the log i need all the >information about what have happend to the packet. Since the log target >is above the actually mangle line, the log target won't know how the >packet will be mangle. What i need in the log files are: > >Original Source >Original SourcePort >Original Destination >Original DestinationPort >Translated Source >Translated SourcePort >Translated Destination >Translated DestinationPort > >As an example, take a look at the documentaion about nat and look at the >examples below taken from >http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html > >---- SNIP ---- >## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10. ># iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10 >## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6 ># iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6 >---- SNIP ---- > >Here you can se that you can do DNAT and SNAT to an range of ipadresse >so the question may be a bit clearer when i ask the question like this. >How is it possible to log to wich ipadress the connection is translated >to? > >Regards > >Johan > >On Mon, 2004-01-19 at 20:17, Jeffrey Laramie wrote: >> Johan Ankarloo wrote: >> >> >On Mon, 2004-01-19 at 17:24, Jeffrey Laramie wrote: >> > >> > >> >>Johan Ankarloo wrote: >> >> >> >> >> >> >> >>>On Mon, 2004-01-19 at 16:21, Jeffrey Laramie wrote: >> >>> >> >>> >> >>> >> >>> >> >>>>Johan Ankarloo wrote: >> >>>> >> >>>> >> >>>> >> >>>> >> >>>> >> >>>>>Hi >> >>>>> >> >>>>>Does anyone know how to log a DNAT/SNAT connection? When logging a NAT >> >>>>>connection you also want to know the origin source/destination/port of >> >>>>>that packet. Is that possible? >> >>>>> >> >>>>> >> >>>>> >> >>>>> >> >>>>> >> >>>>> >> >>>>> >> >>>>Sure. The easiest way to do it is to add a matching log rule just before >> >>>>the nat rule: >> >>>> >> >>>>iptables -t nat -A POSTROUTING -o $Net_Interface -j LOG --log-prefix >> >>>>"SNAT: " >> >>>>iptables -t nat -A POSTROUTING -o $Net_Interface -j SNAT --to $Net_IP >> >>>> >> >>>>Jeff >> >>>> >> >>>> >> >>>> >> >>>> >> >>>The problem is when doing this is that you doesn't get the original >> >>>source/destination or the translating adress. If you look at the logs >> >>>you can't see all the information that you need to be able to debug any >> >>>problem or to be able to track that connection back to the user. >> >>> >> >>> >> >>> >> >>> >> >>I don't use DNAT so I can't tell you how it logs connections, but >> >>logging a SNAT connection works fine. Here's the rules I used: >> >> >> >># Masquerade everything leaving the lan as the firewall IP. >> >>$iptables -t nat -A POSTROUTING -o $Net_Interface -j LOG --log-level >> >>debug --log-prefix "SNAT: " >> >>$iptables -t nat -A POSTROUTING -o $Net_Interface -j SNAT --to $Net_IP >> >> >> >>And here's the log entry I got: >> >> >> >>Jan 19 11:14:21 NS1 kernel: SNAT: IN= OUT=eth1 SRC=192.168.0.4 >> >>DST=66.95.2.50 LEN=44 TOS=0x08 PREC=0x00 TTL=63 ID=17955 PROTO=TCP >> >>SPT=1030 DPT=80 WINDOW=28672 RES=0x00 SYN URGP=0 >> >> >> >> >> >>192.168.0.4 is the source host on the local private subnet >> >>66.95.2.50 is the IP of the remote host >> >>Sending port is 1030 >> >>Dest port is 80 >> >> >> >>And $Net_IP is IP the outside will see which is the IP of the firewall. >> >>The SNATed ports will be the same as the original ones. >> >> >> >>Isn't this what you're looking for or did I misunderstand you? >> >> >> >>Jeff >> >> >> >> >> > >> >No, i don't see all the information in your example above. Look at the >> >following examples taken from the examples at >> >http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html >> > >> >---- SNIP ---- >> >## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10. >> ># iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10 >> > >> >## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6 >> ># iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6 >> >---- SNIP ---- >> > >> >Here you can se that you can do DNAT and SNAT to an range of ipadresse >> >so the question may be a bit clearer when i ask the question like this. >> >How is it possible to log to wich ipadress the connection is translated >> >to? >> > >> > >> >> Ahh, I see what the issue is. You 'know' the translated IP because you >> explicitly set it within the NAT rule, not because it's in the log. In >> the case of a target range there is no way for a prior logging rule to >> tell which of the range addresses will be assigned by the NAT rule. I >> think you'll need to use a tool like snort to get that kind of detail. >> Maybe someone else knows another way, sorry I couldn't help you. >> >> Jeff > > > >
