iptables: log connection after SNAT/MASQUERADE command

Discussion in 'Linux Networking' started by unlimited, Jul 18, 2012.

  1. unlimited

    Hello!

    I have the following problem with iptables in Debian 6:

My server works as a router and it needs to log the server's external IP+port for all outgoing connections.

But after the SNAT or MASQUERADE target, traffic is "lost".
I mean no following rules can catch that traffic.
It looks like SNAT/MASQUERADE is the "end" rule and it pushes traffic to the network immediately.

    Question:

    How can I log routed connection data with server external IP and port?
  2. devnull

    Hello,

Have you tried sniffing the traffic with tcpdump on the outgoing interface to check whether the traffic really ends at those rules?

    Regards.
  3. unlimited

What should I see in the tcpdump?
Packets are not lost. They just aren't applied to the rest of the firewall rules.

And I have found a solution using conntrack.
The following command shows all new TCP connections in real time:
    conntrack -E -o timestamp -p tcp -e NEW

    This command shows full information about routed connections: source IP+port, NAT IP+port, destination IP+port.

I just execute it in the background and redirect the output to a log (stdout is redirected first, then stderr is pointed at the same place, so both end up in the file):
conntrack -E -o timestamp -p tcp -e NEW >> /var/log/tcp_connections 2>&1 &
conntrack -E -o timestamp -p udp -e NEW >> /var/log/udp_connections 2>&1 &

    I also created a simple script to start/stop these processes and added it to run at startup.
  4. Akendo

Hey, great. I didn't know that tool. Thanks
  5. unlimited

I have an update for my solution.
If you have a lot of connections, conntrack may stop logging.
Usually it gets an error about not enough network buffers (ENOBUFS).

Using the "-b 10485760" switch helped in my case.

    WARNING: We have hit ENOBUFS! We are losing events.
    This message means that the current netlink socket buffer size is too small.
    Please, check --buffer-size in conntrack(8) manpage.
    conntrack v0.9.14 (conntrack-tools): Operation failed: No buffer space available
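An added example that puts the two pieces of this thread together (the conntrack -E logger from post 3 and the -b buffer fix from post 5); it is mine, not code from the posts above. It turns each conntrack NEW event into one compact line showing the pre-NAT source, the post-NAT (external) address and port, and the destination, which is the information the iptables rules after SNAT/MASQUERADE could not see. The sample event lines are constructed in the layout that conntrack -E -o timestamp prints (they are not real captures); the log paths and the pid-file location under /var/run are illustrative. stderr is kept in a separate file so the ENOBUFS warning is neither lost nor fed to the parser.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts.
# Formats conntrack "NEW" events into one log line per connection and wraps
# the long-running conntrack command with the larger netlink buffer.
# Assumed/illustrative: the sample event lines, the log path given by the
# caller, and the pid-file location /var/run.

# conntrack -E prints the original tuple first and the reply tuple second.
# After SNAT/MASQUERADE the reply tuple's dst/dport is the router's external
# address and port, which is what the iptables rules could not see.
# Output: <timestamp> <proto> <src>:<sport> -> <nat_ip>:<nat_port> -> <dst>:<dport>
nat_log_format() {
    awk '
    {
        ts = ""; proto = ""
        c["src"] = 0; c["dst"] = 0; c["sport"] = 0; c["dport"] = 0
        split("", v)                       # clear per-line tuple values
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^\[[0-9]+\.[0-9]+\]$/) { ts = substr($i, 2, length($i) - 2); continue }
            if ($i == "tcp" || $i == "udp") { proto = $i; continue }
            if (split($i, kv, "=") == 2 && (kv[1] in c)) {
                c[kv[1]]++                 # 1st occurrence = original, 2nd = reply
                v[kv[1], c[kv[1]]] = kv[2]
            }
        }
        # Skip anything that is not a complete two-tuple entry (e.g. the
        # "WARNING: We have hit ENOBUFS!" line if stderr ever gets mixed in).
        if (c["dst"] < 2 || c["dport"] < 2) next
        printf "%s %s %s:%s -> %s:%s -> %s:%s\n", ts, proto,
               v["src", 1], v["sport", 1], v["dst", 2], v["dport", 2],
               v["dst", 1], v["dport", 1]
    }'
}

# Start one logger per protocol: the thread's background command, but with
# -b (--buffer-size) raised to 10 MiB to avoid ENOBUFS under load. stderr goes
# to a separate file so the ENOBUFS warning is not lost or mis-parsed.
# usage: start_nat_logger tcp /var/log/tcp_connections
start_nat_logger() {
    proto=$1; logfile=$2
    command -v conntrack >/dev/null 2>&1 || { echo "conntrack not installed" >&2; return 1; }
    conntrack -E -o timestamp -p "$proto" -e NEW -b 10485760 2>>"$logfile.err" \
        | nat_log_format >>"$logfile" &
    # $! is the awk end of the pipeline; killing it makes conntrack exit with
    # SIGPIPE on its next event.
    echo $! >"/var/run/nat_logger_$proto.pid"
}

stop_nat_logger() {   # usage: stop_nat_logger tcp
    pidfile="/var/run/nat_logger_$1.pid"
    [ -r "$pidfile" ] && kill "$(cat "$pidfile")" && rm -f "$pidfile"
}

# Constructed sample events in the -o timestamp layout (not real captures).
# 192.168.1.0/24 is the LAN, 203.0.113.5 the router's external address.
sample_events() {
    printf '%s\n' \
      '[1342600000.123456]     [NEW] tcp      6 120 SYN_SENT src=192.168.1.10 dst=93.184.216.34 sport=51234 dport=80 [UNREPLIED] src=93.184.216.34 dst=203.0.113.5 sport=80 dport=51234' \
      'WARNING: We have hit ENOBUFS! We are losing events.' \
      '[1342600001.000001]     [NEW] udp      17 30 src=192.168.1.20 dst=198.51.100.1 sport=5353 dport=53 [UNREPLIED] src=198.51.100.1 dst=203.0.113.5 sport=53 dport=1025'
}

case "${1:-}" in
    demo)  sample_events | nat_log_format ;;
    start) start_nat_logger "$2" "$3" ;;
    stop)  stop_nat_logger "$2" ;;
esac
```

Running the script with `demo` prints the two sample connections as `src:sport -> external_ip:nat_port -> dst:dport` and silently drops the warning line; `start tcp /var/log/tcp_connections` and `stop tcp` are the start/stop pair the thread mentions, with the NAT port in the second column being the value that changes when MASQUERADE has to remap a source port (the UDP sample shows 5353 becoming 1025).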
