iptables and netfilter

Discussion in 'OT Technology' started by bleak, Jul 30, 2004.

  1. bleak

    bleak Guest

    Couple of questions.

    1. I want to log all activity on a certain port, 8476, for example. So I used these iptables matches:

    Code:
      iptables -A INPUT -p tcp --dport 8476 -j LOG --log-level info
      iptables -A INPUT -p udp --dport 8476 -j LOG --log-level info
      
    However, it doesn't seem to be logging. Is there something obvious I'm missing? Can anybody provide some insight?

    2. I seem to have a slight problem with lingering connections. I logged into my server from work the other day at about 11am. I logged out before I left work at 12n (noon), and then logged back in again from home later in the evening (about 6pm). I checked /proc/net/ip_conntrack to see what kind of traffic I had going, and it showed that my SSH connection (port 22) from work earlier was still active. Anybody know what could be causing that?
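On the second question, an entry like the one described can outlive the session because conntrack only removes a TCP entry when it sees the FIN/RST exchange or when the entry's timer runs out, and an ESTABLISHED entry's timer defaults to 432000 s (5 days). The following is an added example, not code from this thread: it parses the /proc/net/ip_conntrack layout of the 2.4/2.6 kernels (protocol name, protocol number, seconds until expiry, the TCP state, then the original and reply tuples) and flags ESTABLISHED entries to a port that have been idle for a long time. The sample table is constructed, and the idle-time estimate assumes the default ip_conntrack_tcp_timeout_established.

```python
"""Spot lingering ESTABLISHED entries in /proc/net/ip_conntrack.

Added example, not code from the thread. Assumes the classic
ip_conntrack line layout and the default 5-day ESTABLISHED timeout.
"""

# Default timeout for an ESTABLISHED TCP entry (5 days). Every packet on
# the connection resets the countdown, so the remaining time tells how
# long ago the kernel last saw traffic on it.
ESTABLISHED_TIMEOUT = 432000

# Constructed table: one SSH session idle for six hours, one active SSH
# session, one HTTP entry finishing normally, and a DNS lookup.
SAMPLE_CONNTRACK = """\
tcp      6 410400 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=51234 dport=22 src=198.51.100.5 dst=192.0.2.10 sport=22 dport=51234 [ASSURED] use=1
tcp      6 431990 ESTABLISHED src=203.0.113.44 dst=198.51.100.5 sport=40000 dport=22 src=198.51.100.5 dst=203.0.113.44 sport=22 dport=40000 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=198.51.100.5 dst=192.0.2.77 sport=43210 dport=80 src=192.0.2.77 dst=198.51.100.5 sport=80 dport=43210 [ASSURED] use=1
udp      17 29 src=198.51.100.5 dst=198.51.100.1 sport=34567 dport=53 src=198.51.100.1 dst=198.51.100.5 sport=53 dport=34567 use=1
"""


def parse_conntrack(text):
    """Return one dict per line: proto, expires, state, orig, reply, assured."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        proto, expires, rest = parts[0], int(parts[2]), parts[3:]
        state = None
        if proto == "tcp":              # only TCP entries carry a state column
            state, rest = rest[0], rest[1:]
        pairs = [tok.split("=", 1) for tok in rest if "=" in tok]
        entries.append({
            "proto": proto,
            "expires": expires,         # seconds left before the entry is dropped
            "state": state,
            "orig": dict(pairs[:4]),    # src/dst/sport/dport as first seen
            "reply": dict(pairs[4:8]),  # the same tuple in the reply direction
            "assured": "[ASSURED]" in rest,
        })
    return entries


def idle_seconds(entry):
    """Seconds since the last packet, for an ESTABLISHED TCP entry."""
    return ESTABLISHED_TIMEOUT - entry["expires"]


def lingering_sessions(text, dport, min_idle=3600):
    """ESTABLISHED entries to `dport` idle for at least `min_idle` seconds:
    the kernel never saw the FIN/RST that should have removed them."""
    return [e for e in parse_conntrack(text)
            if e["proto"] == "tcp" and e["state"] == "ESTABLISHED"
            and e["orig"]["dport"] == str(dport)
            and idle_seconds(e) >= min_idle]


if __name__ == "__main__":
    for e in lingering_sessions(SAMPLE_CONNTRACK, 22):
        print(f"{e['orig']['src']}:{e['orig']['sport']} -> port 22 "
              f"idle {idle_seconds(e) // 3600} h")
```

Run against the real table with `open("/proc/net/ip_conntrack").read()` in place of the sample. An entry that shows up here is one whose teardown the firewall never saw (a client that dropped off the network, for instance); the server-side keepalive option mentioned later in the thread makes sshd notice the dead peer and send the RST that clears it, and the timeout itself can be shortened through /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established.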
     
  2. bleak

    bleak Guest

    1000's of people on OT and nobody else uses iptables?
     
  3. col_panic

    col_panic calm like a bomb Moderator

    Joined:
    Sep 19, 2003
    Messages:
    188,160
    Likes Received:
    0
    Location:
    winter haven, fl
    so you've looked in /var/log/syslog and there is nothing? what does /etc/syslog.conf have in it?

    i dunno about the ssh connection, but i'll try to find something on it later.
     
  4. col_panic

    col_panic calm like a bomb Moderator

    on the ssh connections: there is a client side option and a server side option for keepalives, but it is off by default. if you didn't set them, i don't know why those connections would not be torn down when you disconnect.

    http://www.openssh.com/faq.html#2.12
     
  5. bleak

    bleak Guest

    /etc/syslog.conf has this for iptables:

    At one point, I was logging all activity from a certain IP address in almost the same way, and it worked. But when I switched to logging traffic on just that certain port, it quit.
     
    Last edited by a moderator: Aug 5, 2004
  6. col_panic

    col_panic calm like a bomb Moderator

    bizarre. your syntax is all correct, as is the syslog.conf

    maybe try --log-level debug and see if you get anything

    edit - you were using the LOG target before when it was working, right? so that would mean your kernel was compiled with CONFIG_IP_NF_TARGET_LOG enabled. if not that would be something else to check.
     
    Last edited: Aug 5, 2004
  7. Joe_Cool

    Joe_Cool Never trust a woman or a government. Moderator

    Joined:
    Jun 30, 2003
    Messages:
    299,278
    Likes Received:
    555
    On your iptables rule, try changing it to --log-level 6 instead of --log-level info. I don't know why, but that was a problem on my system.

    Valid levels:
    7 - debug (Debug-level messages)
    6 - info (Informational)
    5 - notice (Normal but significant Condition)
    4 - warning (Warning Condition)
    3 - err (Error Condition)
    2 - crit (Critical Conditions)
    1 - alert (must be handled immediately)
    0 - emerg (System is unusable)
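Once the LOG rules fire, the kernel writes one syslog line per packet in a fixed key=value format (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=, plus bare words such as SYN or DF for flags). A quick check before blaming the level name: rules in INPUT are evaluated top to bottom, and an ACCEPT rule ahead of the LOG rule (a state ESTABLISHED,RELATED rule, say) stops those packets from ever reaching it; `iptables -L INPUT -v -n --line-numbers` shows per-rule packet counters and rule order. The following is an added example, not code from this thread, that turns the resulting syslog lines into a per-source count for the watched port. It assumes the rules were given a hypothetical `--log-prefix "PORT8476 "` so their lines are easy to spot, and the syslog excerpt is constructed.

```python
"""Parse iptables LOG output for one watched port.

Added example, not code from the thread. Assumes the LOG target's
default kernel message format and a hypothetical --log-prefix "PORT8476 ".
"""
import re
from collections import Counter

# Constructed syslog excerpt: three hits on the watched port from the
# thread's rules (with the hypothetical prefix), one unrelated sshd line,
# and one LOG line from a different rule that has no prefix.
SAMPLE_SYSLOG = """\
Aug  5 10:01:12 gw kernel: PORT8476 IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1234 DF PROTO=TCP SPT=51234 DPT=8476 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  5 10:01:13 gw kernel: PORT8476 IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=1235 DF PROTO=TCP SPT=51234 DPT=8476 WINDOW=5840 RES=0x00 ACK URGP=0
Aug  5 10:02:40 gw kernel: PORT8476 IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=UDP SPT=4000 DPT=8476 LEN=20
Aug  5 10:03:01 gw sshd[2001]: Accepted publickey for bleak from 192.0.2.10 port 51300 ssh2
Aug  5 10:03:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=77 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
START_RE = re.compile(r"\bIN=")   # first field the LOG target emits


def parse_log_line(line):
    """Split one syslog line into the LOG target's fields.

    Returns a dict with 'timestamp', 'prefix', 'flags' and one entry per
    KEY=value pair, or None when the line is not a netfilter LOG entry.
    """
    head, sep, body = line.partition(" kernel: ")
    if not sep:
        return None
    m = START_RE.search(body)
    if m is None or "PROTO=" not in body:
        return None
    # Anything before the first IN= is the --log-prefix text, if any.
    fields = {"timestamp": head[:15], "prefix": body[:m.start()].strip()}
    payload = body[m.start():]
    for key, val in KV_RE.findall(payload):
        fields[key] = val   # a repeated key (UDP's second LEN=) keeps the last value
    # Bare words between the pairs are flags: DF, SYN, ACK, FIN, RST, ...
    fields["flags"] = [tok for tok in payload.split() if "=" not in tok]
    return fields


def hits_for_port(syslog_text, port):
    """Count LOG entries whose destination port is `port`, per (proto, src)."""
    counts = Counter()
    for line in syslog_text.splitlines():
        f = parse_log_line(line)
        if f is not None and f.get("DPT") == str(port):
            counts[(f["PROTO"], f["SRC"])] += 1
    return counts


if __name__ == "__main__":
    for (proto, src), n in sorted(hits_for_port(SAMPLE_SYSLOG, 8476).items()):
        print(f"{proto:4} {src:15} {n} packet(s) to port 8476")
```

Feed it the real file with `open("/var/log/syslog").read()` in place of the sample; the prefix field is what lets you separate lines from different LOG rules once several are in place.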
     