Linux – Log every IP connecting on a system with iptables


Title says it all.

How can I, with iptables under Linux, log all IPs connecting to a server?
As a little detail, I'd like to have only ONE entry in the log PER DAY PER IP.

Thanks 🙂

EDIT:

I narrowed it down to 5 packets logged for every new session, which is weird since I use --hashlimit 1 --hashlimit-burst 1. I suspect that -m limit, which defaults to 5, plays a role in there. Trouble is, if I set -m limit to 1, only 1 entry is logged for ALL IPs instead of one per EACH IP.

The reason I want to do this is also to avoid as much as possible logs growing too fast since this will be a rather unmanaged box.

EDIT2:
Here is my current try, in iptables-restore format
(on several lines for ease of reading):

-A FORWARD -d 10.x.x.x -p tcp --dport 443 -m state --state NEW 
-m hashlimit --hashlimit-upto 1/min --hashlimit-burst 1 
--hashlimit-mode srcip --hashlimit-name denied-client 
-j LOG --log-prefix "iptables (denied client): "

Best Answer

I would try this:

# Custom chain for logging and refreshing (created first so the rules below can jump to it)
iptables -N logandset
iptables -A logandset -j LOG
iptables -A logandset -m recent --name mydaily --set

# IP address entry older than one day ("!" goes on --rcheck only; --seconds cannot be negated)
iptables -A ... -m recent --name mydaily ! --rcheck --seconds 86400 -j logandset
# IP address never seen before
iptables -A ... -m recent --name mydaily ! --rcheck -j logandset

So your list mydaily will keep track of the last seen IP addresses, and if it was never seen before, or if the last seen is older than one day, the packet will be logged, and the list entry for that IP address will be updated.

You should probably set ip_list_tot to a higher value for mydaily, as explained in the iptables manpage (In your case for /proc/net/xt_recent/mydaily).
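
The behaviour described in the answer, replayed as a simplified Python model. This is an added example, not code from the original answer or from the xt_recent module. It assumes one timestamp per list entry and eviction of the least recently updated entry once the list holds ip_list_tot addresses (100 by default); RecentList, replay and the sample packets are constructed for illustration.

```python
from collections import OrderedDict

DAY = 86400  # seconds; the window used with --seconds in the answer


class RecentList:
    """Simplified model of one xt_recent list such as 'mydaily' (hypothetical helper)."""

    def __init__(self, ip_list_tot=100):  # 100 is the module's documented default
        self.ip_list_tot = ip_list_tot
        self.entries = OrderedDict()  # ip -> time of last --set, least recently updated first

    def rcheck(self, ip, now, seconds=None):
        """--rcheck [--seconds N]: the IP is listed (and was seen within N seconds)."""
        if ip not in self.entries:
            return False
        return seconds is None or now - self.entries[ip] <= seconds

    def set(self, ip, now):
        """--set: add or refresh the entry; a full list drops its oldest entry first."""
        if ip not in self.entries and len(self.entries) >= self.ip_list_tot:
            self.entries.popitem(last=False)
        self.entries[ip] = now
        self.entries.move_to_end(ip)


def replay(packets, ip_list_tot=100):
    """Return the (time, ip) pairs that would reach the LOG rule in logandset."""
    lst, logged = RecentList(ip_list_tot), []
    for now, ip in packets:
        # Jump to logandset when the IP was never seen or not seen within the last day
        if not lst.rcheck(ip, now, DAY):
            logged.append((now, ip))  # -j LOG
            lst.set(ip, now)          # -m recent --set
    return logged


# Constructed traffic: (seconds since start, source IP from documentation ranges)
PACKETS = [(0, "192.0.2.10"), (60, "192.0.2.10"), (120, "198.51.100.7"),
           (3600, "192.0.2.10"), (DAY + 61, "192.0.2.10"), (DAY + 90, "198.51.100.7")]

if __name__ == "__main__":
    print(replay(PACKETS))                    # one log line per IP per 24 h window
    print(replay(PACKETS[:4], ip_list_tot=1))  # list too small: 192.0.2.10 is logged twice
```

The second call shows why the list size matters: once the list is full, an evicted address looks "never seen" and is logged again within the same day.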