Re: private to public IP

On Mon, July 3, 2006 12:42, Wennie V. Lagmay wrote:
> Hi Robee,
>
>
> Thank you very much for your reply, just want to confirm something.
>
>
> 1. Based on the script you've sent to me does it mean that I have to input
> all my private subnets, example
> iptables -I  FORWARD  -s 192.168.1.0/24 -m state --state NEW -j LOG
> --log-level info
> iptables -I  FORWARD  -s 192.168.2.0/24 -m state --state NEW -j LOG
> --log-level info
> iptables -I  FORWARD  -s 192.168.3.0/24 -m state --state NEW -j LOG
> --log-level info
> iptables -I  FORWARD  -s 192.168.4.0/24 -m state --state NEW -j LOG
> --log-level info
> and so on

Yes. But you can script that to save yourself some work if you have a lot of
these.
You do know that when you are using "-I" that you are inserting the rules on
top of each other, instead of appending them..? In this case it doesn't matter
but you may get unexpected results if you are not aware of it.

> 2. With this script I can identify a certain Private IP, which public IP
> address it uses and which remote IP it is connected to? example
>
> Private IP = 192.168.2.56
> Public IP =  203.174.11.8
> Remote IP = 65.67.87.9 (www.yahoo.com)

No. Only the source (private) IP and the remote (destination) IP (and more,
like [s|d]port, etc). A logging line would look something like this:

Jul  3 12:55:35 fw INPUT:  IN=eth0 OUT=
MAC=00:a0:27:a0:6b:00:00:b0:d0:db:aa:3a:08:00  SRC=60.11.125.36 DST=1.2.3.4
LEN=485 TOS=00 PREC=0x00 TTL=40 ID=0 DF PROTO=UDP SPT=40867 DPT=1026 LEN=465

Jul  3 12:55:35 fw INPUT:  IN=eth0 OUT=
MAC=00:a0:27:a0:6b:00:00:b0:d0:db:aa:3a:08:00  SRC=60.11.125.36 DST=1.2.3.4
LEN=485 TOS=00 PREC=0x00 TTL=40 ID=0 DF PROTO=UDP SPT=40867 DPT=1027 LEN=465

(This is a DROP rule in the INPUT chain so there's no private source IP.)

> 3. Are all the log are stored in /var/log/messages?

That depends on your syslog config. Normally, I think: yes.
If you want to log more specifically, you can set up ulogd and use the ULOG target.


Gr,
Rob
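As an added example (not part of the thread), a small parser for kernel LOG lines of the form shown above, run over the two quoted INPUT lines plus one constructed FORWARD line with a private source; the grouping it produces is what point 2 can actually get from the log: private source and remote destination, but no NAT'd public address.

```python
import re
from collections import defaultdict

# Constructed sample input: the two INPUT-chain lines quoted in the reply
# (re-joined onto one line each) plus one made-up FORWARD-chain line of the
# kind a "-s 192.168.x.0/24 ... -j LOG" rule would produce.
SAMPLE_LOG = """\
Jul  3 12:55:35 fw INPUT:  IN=eth0 OUT= MAC=00:a0:27:a0:6b:00:00:b0:d0:db:aa:3a:08:00  SRC=60.11.125.36 DST=1.2.3.4 LEN=485 TOS=00 PREC=0x00 TTL=40 ID=0 DF PROTO=UDP SPT=40867 DPT=1026 LEN=465
Jul  3 12:55:35 fw INPUT:  IN=eth0 OUT= MAC=00:a0:27:a0:6b:00:00:b0:d0:db:aa:3a:08:00  SRC=60.11.125.36 DST=1.2.3.4 LEN=485 TOS=00 PREC=0x00 TTL=40 ID=0 DF PROTO=UDP SPT=40867 DPT=1027 LEN=465
Jul  3 12:58:01 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.2.56 DST=65.67.87.9 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=50123 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# syslog timestamp, host, then whatever sits before the first "IN=" (chain
# name, "kernel:", or a --log-prefix string) is treated as the log prefix.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prefix>.*?)\s*(?=IN=)"
)

def parse_log_line(line):
    """Return one LOG line as a dict of header fields plus its KEY=VALUE tokens, or None."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "prefix": m.group("prefix").strip()}
    flags = []
    for tok in line[m.end():].split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            # LEN appears twice (IP total length, then UDP length): keep the first one.
            rec.setdefault(key, val)
        else:
            flags.append(tok)          # bare tokens such as DF or SYN
    rec["flags"] = flags
    return rec

def connections_by_source(text):
    """Map each SRC to the sorted (DST, PROTO, DPT) tuples it was logged talking to.

    Private source and remote destination are all the LOG target records; the
    post-NAT public address is not in the line and cannot be recovered from it.
    """
    seen = defaultdict(set)
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec and "SRC" in rec:
            seen[rec["SRC"]].add((rec["DST"], rec.get("PROTO"), rec.get("DPT")))
    return {src: sorted(dsts) for src, dsts in seen.items()}
```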