iptables: log connection after SNAT/MASQUERADE command

I have the following problem with iptables in Debian 6:

My server works as a router and it needs to log the server's external IP+port for all outgoing connections.

But after the SNAT or MASQUERADE command the traffic is "lost".
I mean no following rules can catch that traffic.
Everything looks as if SNAT/MASQUERADE is the "end" rule and it pushes the traffic to the network immediately.


How can I log routed connection data with the server's external IP and port?


Have you tried sniffing the traffic with tcpdump on the outgoing interface to check whether the traffic really ends at those rules?

What should I see in the TCP dump?
Packets are not lost. They just don't get applied to the rest of the firewall rules.

And I have found a solution using conntrack.
The following command shows all new TCP connections in real time:
conntrack -E -o timestamp -p tcp -e NEW

This command shows full information about routed connections: source IP+port, NAT IP+port, destination IP+port.

I just execute it in the background and redirect the output to a log (the redirections are ordered so that stderr, where conntrack prints its warnings, also lands in the log file):
conntrack -E -o timestamp -p tcp -e NEW >> /var/log/tcp_connections 2>&1 &
conntrack -E -o timestamp -p udp -e NEW >> /var/log/udp_connections 2>&1 &

I also created a simple script to start/stop these processes and added it to run at startup.
I have an update for my solution.
If you have a lot of connections, conntrack may stop logging.
Usually it gets an error about not enough network buffers (ENOBUFS).

Using the "-b 10485760" switch (--buffer-size) helped in my case.

WARNING: We have hit ENOBUFS! We are losing events.
This message means that the current netlink socket buffer size is too small.
Please, check --buffer-size in conntrack(8) manpage.
conntrack v0.9.14 (conntrack-tools): Operation failed: No buffer space available
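The raw conntrack event stream carries two tuples per connection: the original tuple (LAN source, real destination) and the reply tuple, whose dst/dport is what the far end actually sees, i.e. the router's external address and the (possibly remapped) source port after SNAT/MASQUERADE. The script below, added here as an example and not part of the original answer, parses such NEW-event lines into one log record per connection and counts the ENOBUFS warnings described in the update, so that dropped-event periods are visible in the log rather than silently missing. The sample lines are constructed, not captured from a real router, and the exact field layout of `conntrack -E -o timestamp -e NEW` output is an assumption to be checked against your conntrack-tools version; the `parse_event`, `format_record` and `process` functions are names chosen for this example.

```python
import re

# Constructed sample of "conntrack -E -o timestamp -e NEW" output (not captured from a
# real router). The layout assumed here is
#   [<epoch.usec>]<TAB>    [NEW] <proto> <num> <timeout> [<state>] <orig tuple> [UNREPLIED] <reply tuple>
# with each tuple written as "src=A dst=B sport=N dport=M"; verify it against your
# conntrack-tools version before relying on it. The third line is the ENOBUFS warning
# conntrack prints on stderr when the netlink socket buffer overflows.
SAMPLE_EVENTS = """\
[1363262826.284566]\t    [NEW] tcp      6 120 SYN_SENT src=192.168.1.100 dst=93.184.216.34 sport=51234 dport=80 [UNREPLIED] src=93.184.216.34 dst=203.0.113.5 sport=80 dport=51234
[1363262827.000100]\t    [NEW] udp      17 30 src=192.168.1.101 dst=198.51.100.53 sport=53001 dport=53 [UNREPLIED] src=198.51.100.53 dst=203.0.113.5 sport=53 dport=1024
WARNING: We have hit ENOBUFS! We are losing events.
[1363262828.000200]\t    [NEW] tcp      6 120 SYN_SENT src=192.168.1.102 dst=192.168.1.1 sport=44444 dport=22 [UNREPLIED] src=192.168.1.1 dst=192.168.1.102 sport=22 dport=44444
"""

TS_RE = re.compile(r"^\[(\d+(?:\.\d+)?)\]")
PROTO_RE = re.compile(r"\[NEW\]\s+(\w+)")
TUPLE_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+sport=(\d+)\s+dport=(\d+)")


def parse_event(line):
    """Parse one NEW event line. Returns None for warnings, other event types or malformed lines."""
    if "[NEW]" not in line:
        return None
    proto = PROTO_RE.search(line)
    tuples = TUPLE_RE.findall(line)
    if proto is None or len(tuples) != 2:
        return None
    ts = TS_RE.match(line)
    (o_src, o_dst, o_sport, o_dport), (r_src, r_dst, r_sport, r_dport) = tuples
    # The reply tuple is addressed to what the far end sees: after SNAT/MASQUERADE its
    # dst/dport are the router's external address and the (possibly remapped) source port.
    return {
        "ts": float(ts.group(1)) if ts else None,
        "proto": proto.group(1),
        "orig_ip": o_src, "orig_port": int(o_sport),
        "ext_ip": r_dst, "ext_port": int(r_dport),
        "dst_ip": o_dst, "dst_port": int(o_dport),
        # SNAT happened if the reply is not addressed back to the original source.
        "snat": r_dst != o_src or int(r_dport) != int(o_sport),
        # DNAT happened if the reply does not come from the original destination.
        "dnat": r_src != o_dst or int(r_sport) != int(o_dport),
    }


def format_record(ev):
    """One log line: timestamp, proto, LAN src -> external src -> destination."""
    ts = "%.6f" % ev["ts"] if ev["ts"] is not None else "-"
    nat = "" if ev["snat"] else " (no SNAT)"
    return "%s %s %s:%d -> %s:%d -> %s:%d%s" % (
        ts, ev["proto"], ev["orig_ip"], ev["orig_port"],
        ev["ext_ip"], ev["ext_port"], ev["dst_ip"], ev["dst_port"], nat)


def process(lines):
    """Turn raw conntrack output into log records, counting dropped-event warnings."""
    out = {"records": [], "enobufs_warnings": 0, "skipped": 0}
    for line in lines:
        if "ENOBUFS" in line:
            # Events were lost here: the log has a gap, and -b (--buffer-size) should be raised.
            out["enobufs_warnings"] += 1
            continue
        ev = parse_event(line)
        if ev is None:
            if line.strip():
                out["skipped"] += 1
            continue
        out["records"].append(format_record(ev))
    return out


if __name__ == "__main__":
    result = process(SAMPLE_EVENTS.splitlines())
    for rec in result["records"]:
        print(rec)
    if result["enobufs_warnings"]:
        print("warning: %d ENOBUFS message(s); events were lost, raise -b" % result["enobufs_warnings"])
```

To use it against a live box, feed it the merged stdout+stderr of `conntrack -E -o timestamp -e NEW -b <bytes>` (for example via `sys.stdin`) instead of the constructed sample; the third sample line shows why the ENOBUFS counter matters: without it a period of lost events is indistinguishable from a quiet network.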