Linux – Outgoing IP Packet Capture and Logging with iptables

iptableslinuxnetworkingsniffing

My goal is to use ipset lists in iptables to log outbound traffic to certain IP addresses. I intend to monitor an entire network passively.

I have port mirroring enabled and the port mirrored traffic is broadcasting to a server with two network adapters. Eth0 is dedicated to system management and Eth1 operates in promiscuous mode and is dedicated to capturing the traffic passed to it. Is it possible to use iptables to log outgoing traffic on the network that is being monitored? Thank you.

Best Answer

Have you considered using tcpdump rather than iptables? Something like:

tcpdump -w /var/log/packets -i eth1

Would dump all packets visible on eth1 to the file /var/log/packets. You could later on analyze the file using tcpdump, wireshark, or a variety of other tools.

Using iptables, you typically log packets using the LOG target, like this:

iptables -A INPUT -i eth1 -j LOG

I'm not sure whether or not iptables is the right tool for this job, because (a) I don't know off the top of my head how it will operate with the interface in promiscuous mode, and (b) given high packet rates this form of logging can have a substantial i/o impact on your system.

I think you're better off with the tcpdump model. The -G flag to tcpdump will cause it to rotate the capture file periodically, which you'll want to do if you're capturing for an extended period. So something like:

tcpdump -G 3600 -w /var/log/packets-%Y-%m-%d-%H

This would get you files of the form:

/var/log/packets-2013-06-20-10

Related Solutions

Iptables rule to block incoming/outgoing traffic to a Xen container

This rule worked ion my installation:

iptables -I FORWARD 1 -d [client-ip] -p tcp -m tcp --dport 53 -j DROP
iptables -I FORWARD 1 -d [client-ip] -p udp -m udp --dport 53 -j DROP

Notice that netfilter reads rules top-to-bottom and if you have a rule permitting all traffic to this client above (iptables -A adds rule to the end of the table), this new rule won't be reached and won't have effect.

I didn't understand why you use "state" module if you a listing all valid states? It just uses CPU time and has no effect IMHO.

Next, I'm not sure, what is the goal of blocking traffic, going from port 25. If you client sends ab e-mail, he connects to remote server's port 25 but uses one of local ports (32k..64k by default) on his side. Couldn't you explain, what do you want to get as a result?

Iptables fails to redirect traffic to transparent proxy

For this to work you need a DNAT rule in the PREROUTING chain and a SNAT rule in the POSTROUTING chain.

Take another look at the previous serverfault answer that you linked:

iptables -t nat -I PREROUTING -d 192.168.250.3 -j DNAT --to-destination 192.168.250.4 
iptables -t nat -I POSTROUTING -s 192.168.250.4 -j SNAT --to-source 192.168.250.3

Additionally, you do not want to set the port on the --to-source for the SNAT rule.

You will want to read up on the differences between DNAT and SNAT, which you can do here.

This document on TLDP may be able to help with this specific scenario.

Best Answer

Related Solutions

Iptables rule to block incoming/outgoing traffic to a Xen container

Iptables fails to redirect traffic to transparent proxy

Related Topic