  1. #1
    Just Joined!
    Join Date
    Oct 2007
    Posts
    17

    How to track IP addresses using iptables


    Can anyone please tell me how to track the IPs of systems which try to access my system using iptables??

  2. #2
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Use the logging feature of iptables.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3
    Just Joined!
    Join Date
    Oct 2007
    Posts
    17
    I wonder if I can get a bit more detailed answer!!

  5. #4
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  6. #5
    Just Joined!
    Join Date
    Oct 2007
    Posts
    17

    got it!! but small problem

    Hey, thanks for that reply.
    I learnt the procedure for how to track!! I did the following:
    Open the /etc/syslog.conf file
    edit the "kern" line as follows:

    kern.* /var/log/iptables.log

    Save and close the file

    Insert the following chain rule in the iptables list
    #iptables -A INPUT -d 130.70.73.35 -j LOG --log-level info
    Restart the syslog:
    #/etc/init.d/syslog restart

    This creates a log list of all IP addresses of packets incoming to 130.70.73.35 in
    /var/log/iptables.log

    But there is a problem!!
    The text file iptables.log records every packet from all sources. I just need to know whether a particular machine has accessed it to date or not?? i.e. just record the source IP once irrespective of the number of attempts.
    Is it like I need to write some sort of script?? (I wish I could avoid this!!)

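The deduplication asked for in the post above, as an added example that is not part of the thread: a small POSIX shell script that reads iptables LOG lines in the format the kernel writes to syslog (the five sample lines embedded here are constructed for the demo) and prints each source address once, with the time it was first seen. Pointed at /var/log/iptables.log, or at the default kernel log filtered by a --log-prefix tag set on the LOG rule, it gives the "one entry per machine" list without changing the rules at all.

```shell
#!/bin/sh
# Added example (not from the thread): reduce an iptables LOG file to one line
# per source address, keeping the timestamp of the first packet from it.
# The sample kernel log lines below are constructed for this demo; in practice
# feed the script with: unique_sources < /var/log/iptables.log

SAMPLE_LOG='Oct 12 10:01:02 host kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=130.70.73.35 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 12 10:01:02 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=130.70.73.35 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1235 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 ACK URGP=0
Oct 12 10:02:30 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=130.70.73.35 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=4 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 12 10:03:00 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=130.70.73.35 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1300 DF PROTO=TCP SPT=51300 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 12 10:03:05 host kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=130.70.73.35 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1'

# unique_sources: read LOG lines on stdin; print "<month> <day> <time> <SRC> <DST>"
# once per source address, in order of first appearance.
unique_sources() {
    awk '
    {
        src = ""; dst = ""
        # The kernel writes KEY=VALUE fields separated by spaces; pick out SRC/DST
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
        }
        # Skip lines without a source (not a LOG line) and repeat visitors
        if (src == "" || (src in seen)) next
        seen[src] = 1
        printf "%s %s %s %s %s\n", $1, $2, $3, src, dst
    }'
}

# count_unique_sources: number of distinct source addresses in the input
count_unique_sources() {
    unique_sources | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample: 192.0.2.10 appears three times
# in the log but only once in the output.
printf '%s\n' "$SAMPLE_LOG" | unique_sources
```

Because `seen` is an awk associative array, the script keeps one entry per address regardless of how many packets (or how many different ports) that address hit; the first-seen timestamp answers the "has this machine accessed it to date" question directly.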
  7. #6
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Start using stateful rules: NEW, ESTABLISHED, RELATED. Then you can log just the NEW packets and the rest do not get logged.

    Take a look at this Tutorial:

    http://iptables.rlworkman.net/chunkyhtml/index.html

    It has everything you need for Iptables.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  8. #7
    Just Joined!
    Join Date
    Oct 2007
    Posts
    17
    still there is a problem!!

    I used the following commands:

    iptables -R INPUT 1 -d 130.70.73.35 -m conntrack --ctstate NEW -j LOG --log-level info
    iptables -R INPUT 1 -d 130.70.73.35 -m state --state RELATED -j LOG --log-level info

    but the result is the same as when I used

    #iptables -A INPUT -d 130.70.73.35 -j LOG --log-level info

    There are no changes!!! in the log file

  9. #8
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Change
    Code:
     iptables -R INPUT 1 -d 130.70.73.35 -m state --state RELATED -j LOG --log-level info
    to

    Code:
     iptables -R INPUT 1 -d 130.70.73.35 -m state --state RELATED -j ACCEPT
    All you really need to log are NEW connections, not everything.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  10. #9
    Just Joined!
    Join Date
    Oct 2007
    Posts
    17

    finally done!! but I guess it can be improved

    Here is the documentation for the thread I started!! Thanks Lazydog!! Unfortunately I couldn't find a complete solution using the logging features. Hope someone can extend the thread!!

    How to track IP addresses of users trying to access a system with particular IP ( here it is 130.70.73.35)

    It can be done in two ways:

    1)

    Patch ipt_recent to iptables. This is available at
    http://snowman.net/projects/ipt_rece...t-0.3.1.tar.gz

    After patching, set the following rule in the INPUT chain.

    #iptables -A INPUT -d 130.70.73.35 -m recent --name iptables.log --set
    or
    #iptables -A INPUT -d 130.70.73.35 -m recent --name iptables.log --update

    These rules copy the log information to a file named iptables.log which is present in
    /proc/net/ipt_recent/iptables.log

    2)

    Use the logging features available in iptables, but IP addresses keep repeating as long as packets are sent

    Open the /etc/syslog.conf file
    edit the "kern" line as follows:

    kern.* /var/log/iptables.log

    Save and close the file

    Insert the following chain rule in the iptables list
    #iptables -A INPUT -d 130.70.73.35 -j LOG --log-level info
    Restart the syslog:
    #/etc/init.d/syslog restart

    This creates a log list of all IP addresses of packets incoming to 130.70.73.35 in
    /var/log/iptables.log

    Examples of different ways of specifying chain rules
    (Try states like - NEW, ESTABLISHED, RELATED, INVALID)
    #iptables -R INPUT 1 -d 130.70.73.35 -m conntrack --ctstate NEW -j LOG --log-level info
    #iptables -R INPUT 1 -d 130.70.73.35 -m state --state RELATED -j LOG --log-level info

    References:

    Snow-Man's Network - IPTables/Netfilter Recent Module
    http://www.linuxforums.org/forum/lin...-iptables.html
    http://iptables-tutorial.frozentux.n...html#LOGTARGET

  11. #10
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    OK, there is no reason to make any changes to syslog.conf.

    You have to understand logging and STATEFUL packet filtering.

    You only need to log -m state --state NEW rules, not everything, which is what you were/are doing.

    Examples follow:

    Logging new input packets:
    Code:
    iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp -m state --state NEW -j LOG --log-tcp-options --log-ip-options
    iptables -A INPUT -p tcp -m state --state NEW -j ACCEPT
    As you can see you are only logging NEW connections and not everything. The same can be done with OUTPUT or FORWARD too.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

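As an added example (not Lazydog's rules or the linked tutorial's code), the three-rule pattern above written as a re-runnable script, extended with two things a defender usually wants: the NEW-packet log passes through a dedicated chain (assumed name LOG_NEW) guarded by -m limit so a flood of connection attempts cannot fill the disk, and each LOG rule carries a --log-prefix tag so its lines can be picked out of the default kernel log without editing syslog.conf. IPT defaults to echo, so the script only prints the commands it would run; set IPT=iptables as root to apply them. HOST_IP is the 130.70.73.35 address used throughout the thread.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal stateful INPUT policy that
# logs only the first packet of each new connection, rate-limited and tagged.
# IPT defaults to "echo" (dry run); run with IPT=iptables as root to apply.
IPT="${IPT:-echo}"
HOST_IP="${HOST_IP:-130.70.73.35}"   # address from the thread

apply_rules() {
    # Create the logging chain, or flush it if it already exists, so the
    # script can be run again without duplicating rules (chain name assumed).
    "$IPT" -N LOG_NEW 2>/dev/null || "$IPT" -F LOG_NEW
    # Write at most 5 log lines per minute (burst 10); excess packets simply
    # fall through to RETURN and are still handled by the INPUT chain.
    "$IPT" -A LOG_NEW -m limit --limit 5/minute --limit-burst 10 \
        -j LOG --log-level info --log-prefix "IPT-NEW: "
    "$IPT" -A LOG_NEW -j RETURN

    # 1. Packets of an existing connection: accept silently (the bulk of traffic)
    "$IPT" -A INPUT -d "$HOST_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. First packet of a new connection: log it once, then accept it
    "$IPT" -A INPUT -d "$HOST_IP" -m state --state NEW -j LOG_NEW
    "$IPT" -A INPUT -d "$HOST_IP" -m state --state NEW -j ACCEPT
    # 3. Packets conntrack cannot classify: log under their own tag and drop
    "$IPT" -A INPUT -d "$HOST_IP" -m state --state INVALID -j LOG --log-prefix "IPT-INVALID: "
    "$IPT" -A INPUT -d "$HOST_IP" -m state --state INVALID -j DROP
}

# rule_position: 1-based line number, in the dry-run output, of the first
# generated command matching the given fixed string. Used to check ordering:
# the ESTABLISHED rule must come before the NEW rules or logging is skipped.
rule_position() {
    ( IPT=echo; apply_rules ) | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

apply_rules
```

Rule order matters here: the ESTABLISHED,RELATED rule must sit first so that only the opening packet of a connection reaches the NEW rules, and the LOG rule must precede the ACCEPT rule for NEW, since ACCEPT ends traversal of the chain. With the prefix in place, `grep 'IPT-NEW: ' /var/log/messages` (or wherever kern.* already goes) selects exactly these lines, which is why the syslog.conf change is unnecessary.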