- 11-07-2007 #1
How to track IP addresses using iptables
Can anyone please tell me how to track the IPs of systems which try to access my system, using iptables?
- 11-08-2007 #2
Use the logging feature of iptables.
- 11-08-2007 #3
I wonder if I can get a bit more detailed answer!!
- 11-09-2007 #4
- 11-15-2007 #5
Got it!! But a small problem
Hey, thanks for that reply.

I learnt the procedure for how to track!! I did the following:
Open the /etc/syslog.conf file
Edit the "kern" line as follows:
kern.* /var/log/iptables.log
Save and close the file
Insert the following chain rule in the iptables list:
#iptables -A INPUT -d 130.70.73.35 -j LOG --log-level info
Restart syslog:
#/etc/init.d/syslog restart
This creates a log of all IP addresses of packets incoming to 130.70.73.35 in
/var/log/iptables.log
But there is a problem!!
The text file iptables.log records every packet from all sources. I just need to know whether a particular machine has accessed it to date or not, i.e. just record the source IP once irrespective of the number of attempts.
Is it like I need to write some sort of script?? (I wish I could avoid this!!)
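Post #5 ends with the real question: the LOG target writes one line per packet, and the poster wants one entry per source. The script below is an added example, not part of the thread, that reduces the kernel LOG lines syslog writes to /var/log/iptables.log to one line per source address, with a packet count and the time the source was first seen, optionally restricted to packets for one destination. The host name "gw", the sample lines and their traffic are constructed; the only assumption about the log format is that each LOG line carries the usual SRC= and DST= key=value fields, which it does regardless of the syslog.conf change.

```shell
#!/bin/sh
# Added example (not from the thread): one line per source address from an
# iptables LOG-target log, instead of one line per packet.
# Constructed sample of what syslog writes to /var/log/iptables.log for a rule
# like "iptables -A INPUT -d 130.70.73.35 -j LOG --log-level info". The host
# name "gw" and all addresses are made up; one non-iptables kernel line is
# included to show it is ignored.
SAMPLE_LOG=$(cat <<'EOF'
Nov 15 10:01:02 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=130.70.73.35 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 15 10:01:02 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=130.70.73.35 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 ACK URGP=0
Nov 15 10:01:03 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=130.70.73.35 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 15 10:01:03 gw kernel: eth0: link is up
Nov 15 10:01:04 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=130.70.73.36 LEN=84 TOS=0x00 PREC=0x00 TTL=58 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Nov 15 10:01:05 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=130.70.73.35 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 15 10:02:10 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=130.70.73.35 LEN=68 TOS=0x00 PREC=0x00 TTL=52 ID=6 PROTO=UDP SPT=53 DPT=53 LEN=48
EOF
)

# Print "count source first_seen", most active source first.
#   $1 = log file
#   $2 = optional destination address; when given, only packets whose DST=
#        field equals it are counted (the thread's case: 130.70.73.35)
unique_sources() {
    awk -v want="${2:-}" '
        {
            src = ""; dst = ""
            # Scan the key=value fields; their position varies by protocol.
            for (i = 1; i <= NF; i++) {
                if (substr($i, 1, 4) == "SRC=") src = substr($i, 5)
                else if (substr($i, 1, 4) == "DST=") dst = substr($i, 5)
            }
            if (src == "") next                  # not an iptables LOG line
            if (want != "" && dst != want) next  # packet for another address
            if (!(src in count)) first[src] = $1 " " $2 " " $3
            count[src]++
        }
        END { for (s in count) printf "%d %s %s\n", count[s], s, first[s] }
    ' "$1" | sort -k1,1nr -k2,2
}

# Demo on the constructed sample. On a real box:
#   unique_sources /var/log/iptables.log 130.70.73.35
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
unique_sources "$tmp" 130.70.73.35
rm -f "$tmp"
```

Adding `--log-prefix "IPT-INPUT: "` to the LOG rule lets you grep the lines out of a shared kernel log without touching syslog.conf; the awk does not depend on the prefix because it only reads the SRC= and DST= fields that every LOG line carries. Run it from cron against a rotated log if the list of sources needs to be kept across restarts, since the kernel itself keeps no such list.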
- 11-15-2007 #6
Start using stateful rules: NEW, ESTABLISHED, RELATED. Then you can log just the NEW packets and the rest do not get logged.
Take a look at this Tutorial:
http://iptables.rlworkman.net/chunkyhtml/index.html
It has everything you need for Iptables.
- 11-19-2007 #7
Still there is a problem!!

I used the following commands:
iptables -R INPUT 1 -d 130.70.73.35 -m conntrack --ctstate NEW -j LOG --log-level info
iptables -R INPUT 1 -d 130.70.73.35 -m state --state RELATED -j LOG --log-level info
but the result is the same as when I used
#iptables -A INPUT -d 130.70.73.35 -j LOG --log-level info
There are no changes in the log file!!!
- 11-20-2007 #8
Change
Code:
iptables -R INPUT 1 -d 130.70.73.35 -m state --state RELATED -j LOG --log-level info
to
Code:
iptables -R INPUT 1 -d 130.70.73.35 -m state --state RELATED -j ACCEPT
All you really need to log are NEW connections, not everything.
- 11-28-2007 #9
Finally done!! But I guess it can be improved
Here is the documentation for the thread I started!! Thanks lazy dog!! Unfortunately I couldn't find a complete solution using the logging features. Hope someone can extend the thread!!
How to track IP addresses of users trying to access a system with a particular IP (here it is 130.70.73.35)
It can be done in two ways:
1)
Patch ipt_recent into iptables. It is available at
http://snowman.net/projects/ipt_rece...t-0.3.1.tar.gz
After patching, set the following chain rule in the INPUT chain.
#iptables -A INPUT -d 130.70.73.35 -m recent --name iptables.log --set
or
#iptables -A INPUT -d 130.70.73.35 -m recent --name iptables.log --update
These rules copy the log information to a file named iptables.log which is present at
/proc/net/ipt_recent/iptables.log
2)
Use the logging features available in iptables, but IP addresses keep repeating as long as packets are sent
Open the /etc/syslog.conf file
Edit the "kern" line as follows:
kern.* /var/log/iptables.log
Save and close the file
Insert the following chain rule in the iptables list:
#iptables -A INPUT -d 130.70.73.35 -j LOG --log-level info
Restart syslog:
#/etc/init.d/syslog restart
This creates a log of all IP addresses of packets incoming to 130.70.73.35 in
/var/log/iptables.log
Examples of different ways of specifying chain rules
(Try states like - NEW, ESTABLISHED, RELATED, INVALID)
#iptables -R INPUT 1 -d 130.70.73.35 -m conntrack --ctstate NEW -j LOG --log-level info
#iptables -R INPUT 1 -d 130.70.73.35 -m state --state RELATED -j LOG --log-level info
References:
Snow-Man's Network - IPTables/Netfilter Recent Module
http://www.linuxforums.org/forum/lin...-iptables.html
http://iptables-tutorial.frozentux.n...html#LOGTARGET
- 11-28-2007 #10
OK, there is no reason to make any changes to syslog.conf.
You have to understand how to log, and STATEFUL packet filtering.
You only need to log -m state --state NEW rules, not everything, which is what you were/are doing.
Examples follow:
Logging new input packets:
Code:
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -j LOG --log-tcp-options --log-ip-options
iptables -A INPUT -p tcp -m state --state NEW -j ACCEPT
As you can see, you are only logging NEW connections and not everything. The same can be done with OUTPUT or FORWARD too.
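Posts #6, #8 and #10 argue for logging only NEW connections, and post #9 adds the recent module, which keeps one entry per source inside the kernel. The script below is an added example, not from the thread, that puts the two together in a single INPUT ruleset. It also avoids the trap in post #7, where two `-R INPUT 1` commands replaced the same rule position so only the second one survived: the script flushes the chain once and then appends with `-A`, so every rule lands in order. It assumes the address 130.70.73.35, a log prefix `IPT-NEW: `, a recent table named `seen_sources`, and that the INPUT chain belongs to this script; pass `echo` instead of `iptables` for a dry run that only prints the rules. The sample recent-table text is constructed and its exact layout is an assumption; only the leading `src=` token is parsed.

```shell
#!/bin/sh
# Added example (not from the thread): log each NEW connection to the
# monitored address once, rate-limited, and record each source address once
# in an iptables "recent" table. Address, prefix and table name are assumed.
TARGET_IP="130.70.73.35"
LOG_PREFIX="IPT-NEW: "
RECENT_TABLE="seen_sources"

# Install the ruleset with the iptables binary given as $1 (default: iptables).
# Pass "echo" to print the rules instead of installing them.
stateful_log_rules() {
    ipt="${1:-iptables}"
    # Empty the chain first so re-running the script does not append duplicates
    # (the post #7 mistake was replacing rule 1 twice instead of adding rules).
    "$ipt" -F INPUT
    # Loopback and packets of already-tracked connections are never logged.
    "$ipt" -A INPUT -i lo -j ACCEPT
    "$ipt" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$ipt" -A INPUT -m state --state INVALID -j DROP
    # Record the source of every NEW connection in the kernel's recent table;
    # an address already present is updated, not duplicated.
    "$ipt" -A INPUT -d "$TARGET_IP" -m state --state NEW \
        -m recent --name "$RECENT_TABLE" --set
    # Log NEW connections only. The limit match caps the log rate so a port
    # scan or SYN flood cannot fill the syslog partition.
    "$ipt" -A INPUT -d "$TARGET_IP" -m state --state NEW \
        -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "$LOG_PREFIX" --log-level info
    # Policy for NEW connections: accepted here, as in post #10.
    "$ipt" -A INPUT -d "$TARGET_IP" -m state --state NEW -j ACCEPT
}

# Print the addresses currently held in a recent table, one per line.
#   $1 = path of the table: /proc/net/xt_recent/<name> on newer kernels,
#        /proc/net/ipt_recent/<name> on the 2.6-era kernels of the thread
recent_sources() {
    sed -n 's/^src=\([^ ]*\).*/\1/p' "$1"
}

# Constructed sample of a recent table. Its layout ("src=... ttl: ...
# last_seen: ... oldest_pkt: ... <stamps>") is an assumption about the
# module's output; recent_sources only relies on the leading src= token.
SAMPLE_RECENT=$(cat <<'EOF'
src=10.0.0.5 ttl: 64 last_seen: 4295012345 oldest_pkt: 3 4295012300 4295012320 4295012345
src=198.51.100.7 ttl: 52 last_seen: 4295012400 oldest_pkt: 1 4295012400
EOF
)

# Demo: parse the sample table, then dry-run the ruleset.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_RECENT" > "$tmp"
recent_sources "$tmp"
rm -f "$tmp"
stateful_log_rules echo
```

Because the `--set` rule comes before the rate-limited LOG rule, the recent table still records every source even when the log is being throttled. The table is bounded by the module's `ip_list_tot` parameter (default 100 addresses), so for a long census either read it out periodically with `recent_sources` or rely on the log, which can be reduced to unique sources with a script. To install for real, run `stateful_log_rules /sbin/iptables` as root and check the result with `iptables -L INPUT -n -v --line-numbers`.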