iptables: log connection after SNAT/MASQUERADE command

[unlimited]

Hello!

I have the following problem with iptables in Debian 6:

My server works as a router and it needs to log server external IP+port for all outgoing connections.

But after command SNAT or MASQUERADE traffic is "lost".
I mean no following rules can catch those traffic.
Everything looks like SNAT/MASQUERADE is the "end" rule and it pushes traffic to network immediately.

Question:

How can I log routed connection data with server external IP and port?

 

[devnull]

Hello,

Have you tried to sniff traffic with tcpdump over the outgoing interface to check if really traffic ends on that rules?

Regards.

 

[unlimited]

What should I see in TCP dump?
Packets are not lost. They just don't applied to the rest of firewall rules.

And I have found a solutions using conntrack.
The following command shows all new tcp connections in real time:
conntrack -E -o timestamp -p tcp -e NEW

This command shows full information about routed connections: source IP+port, NAT IP+port, destination IP+port.

I just execute it in background and redirect output to log:
conntrack -E -o timestamp -p tcp -e NEW 2>&1 >> /var/log/tcp_connections &
conntrack -E -o timestamp -p udp -e NEW 2>&1 >> /var/log/udp_connections &

I also created a simple script to start/stop these processes and added it to run at startup.

 

[Akendo]

Hey, great. I din't know that Tool. Thanks

 

[unlimited]

I have an update for my solution.
If you have a lot of connections - conntrack may stop logging.
Usually it gets error about not enough network buffers (ENOBUFS).

Using "-b 10485760" switch helped in my case.

WARNING: We have hit ENOBUFS! We are losing events.
This message means that the current netlink socket buffer size is too small.
Please, check --buffer-size in conntrack(8) manpage.
conntrack v0.9.14 (conntrack-tools): Operation failed: No buffer space available