Sunday, January 02, 2005

Using IPTables to Log Useful Network Data

This is the second post on configuring IPTables; please see the first post for the initial configuration.

One of the most valuable tools at the disposal of any system or security administrator is the logging capability of the system under administration or investigation. Configuring a system to log the events that matter, and parsing those logs for useful information, is a skill that reduces downtime and helps prevent or detect intrusions. Any good system logger can record specific events and write them in an easy-to-parse format. Firewall logging of this kind is also often counted as a simple form of HIDS (host-based intrusion detection system), since it records what reached the host and from where. In this post I will describe how to set up IPTables to log useful network data.

The following instructions were written using IPTables v. 1.2.11 on a Fedora Core 3 system. I will use the same format as in the previous post, which follows the IPTables/Netfilter tutorial at Netfilter.org. If you compile your own kernel, I assume you know how to make sure the needed netfilter modules (the LOG target and the limit match in particular) are built. I also assume that the only interfaces with network connectivity are ethernet devices; if you use a modem or other non-ethernet device for network traffic, adjust the interface matches below accordingly.

The first step is to create a new user-defined chain (iptables -N creates a chain, not a table) to hold the logging rules:

iptables -N log_table

The next step is to create the rules that do the logging. I use a format introduced to me by a co-worker, whom I will refer to by first name only as Kaleb. All traffic is logged in one of two categories: internal and external. The following command logs internal traffic, meaning traffic whose source address is on the local network (assuming a 192.168.1.0/24 local network). '-i eth+' matches every interface whose name starts with eth; '-m limit --limit 3/minute' caps the rule at three log entries per minute once its initial burst of five is used up, so a flood cannot fill the disk, but also so you see a sample of the traffic rather than every packet; and '--log-level 5' is syslog priority notice:

iptables -A log_table -s 192.168.1.0/24 -i eth+ -m limit --limit 3/minute -j LOG --log-prefix 'INTERNAL: ' --log-level 5

The next step is to log external traffic, meaning everything whose source address is not on the local network. Note the inverted match: IPTables 1.2.x writes it as '-s ! network', while 1.4 and later prefer '! -s network':

iptables -A log_table -s ! 192.168.1.0/24 -i eth+ -m limit --limit 3/minute -j LOG --log-prefix 'EXTERNAL: ' --log-level 5

The split is made purely by source address, so a packet arriving from the Internet with a forged 192.168.1.x source is tagged INTERNAL. If you know which interface faces the local network, tie the INTERNAL rule to it with '-i eth1' (or whatever that interface is) instead of 'eth+'.

Finally, insert a jump to this chain at the top of the INPUT and FORWARD chains so that every packet is logged before the other rules see it. LOG does not stop rule traversal, so each packet continues through the rest of the chain afterwards. Note that -A appends and does not take a position; -I inserts at the given rule number:

iptables -I INPUT 1 -j log_table
iptables -I FORWARD 1 -j log_table

Remember to save the configuration so it survives a reboot (on Fedora, 'service iptables save' does the same):

/etc/init.d/iptables save active
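Putting the steps above together, here is the whole procedure as one re-runnable script. This is an added example, not from the original post or the Netfilter tutorial: it uses -I to put the jump first, flushes the chain if it already exists so the script can be run again without duplicating rules, and adds a third SPOOFED prefix for local source addresses that arrive on the wrong interface. The LAN network (192.168.1.0/24) and LAN-facing interface (eth1, with eth0 facing the Internet) are assumed values passed as arguments, and setting DRY_RUN=1 prints the commands instead of running them.

```sh
#!/bin/sh
# Added example, not from the original post: the logging chain from this post
# rebuilt as one re-runnable script.  Assumptions: iptables 1.2.x syntax as
# used in the post ('-s ! net'; 1.4 and later prefer '! -s net'), and the LAN
# network / LAN-facing interface given as arguments (192.168.1.0/24 and eth1
# below are illustrative defaults).
#
# Usage:  sh log_chain.sh 192.168.1.0/24 eth1            # apply (run as root)
#         DRY_RUN=1 sh log_chain.sh 192.168.1.0/24 eth1  # print commands only

# Run iptables, or just print the command line when DRY_RUN is set.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_log_chain() {
    lan_net=${1:-192.168.1.0/24}   # assumed LAN network
    lan_if=${2:-eth1}              # assumed LAN-facing interface

    # Create the chain, or flush it if it already exists, so re-running the
    # script replaces the rules rather than appending a second copy.
    ipt -N log_table 2>/dev/null || ipt -F log_table

    # Only ethernet traffic is of interest (the post assumes eth* only);
    # anything else, loopback included, leaves the chain unlogged.
    ipt -A log_table -i '!' 'eth+' -j RETURN

    # Internal: LAN source address seen on the LAN interface.
    ipt -A log_table -s "$lan_net" -i "$lan_if" \
        -m limit --limit 3/minute --limit-burst 5 \
        -j LOG --log-prefix 'INTERNAL: ' --log-level 5

    # A LAN source address on any other interface is spoofed or misrouted;
    # the post's INTERNAL rule (-i eth+) would tag such a packet as local.
    ipt -A log_table -s "$lan_net" -i '!' "$lan_if" \
        -m limit --limit 3/minute --limit-burst 5 \
        -j LOG --log-prefix 'SPOOFED: ' --log-level 5

    # External: everything with a non-LAN source address.
    ipt -A log_table -s '!' "$lan_net" \
        -m limit --limit 3/minute --limit-burst 5 \
        -j LOG --log-prefix 'EXTERNAL: ' --log-level 5

    # Hook the chain in first (-I at position 1), after removing any jump a
    # previous run left behind (-D fails harmlessly when there is none).
    for chain in INPUT FORWARD; do
        ipt -D "$chain" -j log_table 2>/dev/null || true
        ipt -I "$chain" 1 -j log_table
    done
}

if [ $# -ge 1 ]; then
    build_log_chain "$@"
fi
```

After running it as root, save the rules as above. Because the limit match is per rule, each prefix gets its own three lines a minute, so a burst of spoofed packets cannot crowd the EXTERNAL entries out of the log.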

Now we can watch the log and test the setup by checking email, browsing the web, or using any other network tool. I always use tail to monitor my logs; if you are not familiar with it, a good starting point is:

tail -f -n 100 /var/log/messages

Watch the output while you check your mail or browse the web. The '-f' flag keeps the output updating as the file grows, while '-n 100' shows the last 100 lines of the file initially. The LOG target writes through the kernel log, so if nothing appears, check that syslog routes kernel messages of priority notice (the '--log-level 5' above) to /var/log/messages, which is the Fedora default.

One downside to this configuration is that your logs now grow whenever you use the network or anyone sends traffic to you (the limit match holds that to a few lines a minute per rule, but it never stops), so keep an eye on log rotation for /var/log/messages. One benefit is that it gives you a reason to write some good log-parsing scripts.
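As a first such script, here is one that turns the prefixed LOG lines into a per-flow count. It is an added example, not from the original post, and runs on a few constructed sample lines (made-up host name and MAC addresses, RFC 5737 documentation addresses, eth1 as the LAN side) in the format the 2.6 kernel's LOG target writes; point it at a real file with 'sh summarize_log.sh /var/log/messages'.

```sh
#!/bin/sh
# Added example (not from the original post): summarise the prefixed LOG lines
# this configuration writes to /var/log/messages.
#
# Usage:  sh summarize_log.sh /var/log/messages    # real log
#         sh summarize_log.sh                      # constructed sample below

# Constructed sample lines in the 2.6 kernel LOG format: host name, MACs and
# addresses (RFC 5737 ranges) are made up for illustration.
sample_log() {
    cat <<'EOF'
Jan  2 14:03:11 fc3 kernel: EXTERNAL: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  2 14:03:12 fc3 kernel: EXTERNAL: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12346 DF PROTO=TCP SPT=41235 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  2 14:03:15 fc3 kernel: INTERNAL: IN=eth1 OUT= MAC=00:0c:29:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=192.168.1.25 DST=192.168.1.10 LEN=61 TOS=0x00 PREC=0x00 TTL=128 ID=4711 PROTO=UDP SPT=1025 DPT=53 LEN=41
Jan  2 14:03:20 fc3 kernel: EXTERNAL: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=198.51.100.9 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Jan  2 14:03:21 fc3 crond[2231]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# Read syslog lines on stdin, keep the iptables LOG lines (any "PREFIX: IN="
# after "kernel:"), and count packets per prefix, in-interface, src, dst and
# proto/port.  ICMP carries no port, so its type is shown instead.
summarize_log() {
    awk '
    /kernel: [A-Z]+: IN=/ {
        prefix = "?"; in_if = "?"; src = "?"; dst = "?"; proto = "?"; port = "-"
        for (i = 1; i <= NF; i++) {
            f = $i
            if (f == "kernel:")  prefix = $(i + 1)
            if (f ~ /^IN=/)      in_if = substr(f, 4)
            if (f ~ /^SRC=/)     src = substr(f, 5)
            if (f ~ /^DST=/)     dst = substr(f, 5)
            if (f ~ /^PROTO=/)   proto = substr(f, 7)
            if (f ~ /^DPT=/)     port = substr(f, 5)
            if (f ~ /^TYPE=/)    port = "type" substr(f, 6)
        }
        sub(/:$/, "", prefix)
        count[prefix " " in_if " " src " -> " dst " " proto "/" port]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

if [ $# -ge 1 ]; then
    summarize_log < "$1"
else
    sample_log | summarize_log
fi
```

The busiest flows come out first, so a port scan or a single source hammering one service shows up at the top, and an INTERNAL line whose IN= interface is not the LAN side is a spoofed or misrouted packet worth a closer look.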
