Home / server / Questions / 122040
Accepted
Alexandre Nizoux
Asked: 2010-03-13 13:48:24 +0800 CST

Log every IP connecting on a system with iptables

  • 772

Title says it all.

How can I, with iptables under Linux, log all IP connecting to a server? As a little detail, I'd like to have only ONE entry in the log PER DAY PER IP.

Thanks :)

EDIT:

I narrowed it down to 5 packets logged for every new session which is weird since I use --hashlimit 1 --haslimit-burst 1, I suspect that --m limit which defaults to 5 plays a role in there. Trouble is, if I set --m limit to 1, only 1 entry is logged for ALL IP instead one per EACH IP.

The reason I want to do this is also to avoid as much as possible logs growing too fast since this will be a rather unmanaged box.

EDIT2: Here is my current try, in a iptables-restore format: (on several lines for ease of reading)

-A FORWARD -d 10.x.x.x -p tcp --dport 443 -m state --state NEW 
-m hashlimit --hashlimit-upto 1/min --hashlimit-burst 1 
--hashlimit-mode srcip --hashlimit-name denied-client 
-j LOG --log-prefix "iptables (denied client): "
linux logging iptables filter accounting

4 Answers

  1. Best Answer

    I would try this:

    # IP address entry older than one day
iptables -A ... -m recent --name mydaily ! --rcheck ! --seconds 86400 -j logandset
# IP address never seen before
iptables -A ... -m recent --name mydaily ! --rcheck -j logandset

# Custom chain for logging and refreshing
iptables -N logandset
iptables -A logandset -j LOG
iptables -A logandset -m recent --name mydaily --set

    So your list mydaily will keep track of the last seen IP addresses, and if it was never seen before, or if the last seen is older than one day, the packet will be logged, and the list entry for that IP address be updated.

    You should probably set ip_list_tot to a higher value for mydaily, as explained in the iptables manpage (In your case for /proc/net/xt_recent/mydaily).

    • 3

  2. I'm taking a wild (untested) crack @ this, but something like:

    iptables -I INPUT -m conntrack --ctstate NEW -j LOG --log-prefix 'IPT/New Connection'

    iptables will emit a message to the kernel log for every new connection. You will then need to do something like

    grep 'IPT/New Connection' /var/log/kern.log | | wc -l

    Which will give you a count. Various dances w/ awk/perl/etc will let you split it up by IP.

    I don't see a way to convince IPtables to spit out just one count per IP address at the end of the day. If your syslog is capable of filteirng messages by regexp, you can capture the messages and funnel them into a seperate log file. @ the end of the day, all the counts are computed, and the message is reinserted into your main syslog entry.

    • 0

  3. Would it be much simpler to just log everything and then post process it to extract what you need? Use what's appropriate at each stage rather than try to shoehorn something to fit where it doesn't belong.

    • 0

  4. I'd use a patched version of ulogd with an SQL backend.

    The trick would be to patch the INSERT SQL query in a way that would let the database deal with redundancy in IP addresses and insert new records into the logs only for unique IPs.

    • 0