Let's say I have a policy file, such as
fw net ACCEPT
net fw DROP
trusted fw ACCEPT
trusted net ACCEPT
untrusted fw DROP*
untrusted net ACCEPT
all all REJECT
What I'd like to do is send all the traffic from the untrusted network that is destined for the firewall (marked with a *) to a packet capture utility like tcpdump or tshark for analysis.
It seems like the QUEUE or NFQUEUE actions might do the trick, or I could use actions... But I've not played with either of those components of shorewall, so I'm not sure of the way forward with them.
I don't know how to handle it with shorewall, but you can add rules manually to capture traffic originating from "untrusted" via NFLOG and Wireshark. Here is a howto link:
http://wiki.wireshark.org/CaptureSetup/NFLOG
You need to replace the "-m owner --uid-owner 1000" part with your own rule matching the "untrusted" sources.
From risyasin's answer I was able to figure this out.
First, set the log destination in shorewall to NFLOG(x) (instead of info or warn). x is an integer between 1 and 32 for the netlink group.
Now capture the packets with tcpdump or dumpcap on the nflog:x interface and write them to a pcap.
The pcap will be malformed - I'm not sure why, but the packets will come in with some ASCII log info, and other fields I have not decoded. But it's relatively easy to parse and filter the pcap and correct it.
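The "ASCII log info" in an nflog:x capture is the NFLOG link-layer pseudo-header that tcpdump writes in front of each packet (pcap link type 239). It consists of a 4-byte header (address family, version, resource ID) followed by TLVs; the text is the NFULA_PREFIX TLV carrying the shorewall log prefix, and the actual IP packet is the NFULA_PAYLOAD TLV. Because the TLV length and type fields are stored in the byte order of the host that wrote the file, the script below reads the byte order from the pcap magic before decoding. The following is an added example, not code from the question or either answer: it rewrites such a capture as a LINKTYPE_RAW pcap containing only the IP packets, optionally keeping just the records whose log prefix matches (here the assumed shorewall prefix "Shorewall:untrusted2fw:DROP:"), and constructs its own sample input so it runs offline.

```python
#!/usr/bin/env python3
"""Strip the NFLOG pseudo-header from a pcap captured on nflog:N and
write the bare IP packets to a LINKTYPE_RAW pcap, filtering by log prefix."""
import struct
from typing import Iterator, List, Optional, Tuple

LINKTYPE_NFLOG = 239   # pcap link type for captures on nflog:N
LINKTYPE_RAW = 101     # pcap link type for raw IPv4/IPv6 with no link header
NFULA_PAYLOAD = 9      # TLV type carrying the logged IP packet
NFULA_PREFIX = 10      # TLV type carrying the NUL-terminated log prefix string


def pcap_byte_order(data: bytes) -> str:
    """Return the struct byte-order prefix implied by the classic pcap magic."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        return "<"
    if magic == b"\xa1\xb2\xc3\xd4":
        return ">"
    raise ValueError("not a classic pcap file (magic %r)" % magic)


def pcap_linktype(data: bytes) -> int:
    """Return the link type stored in the pcap global header."""
    return struct.unpack_from(pcap_byte_order(data) + "I", data, 20)[0]


def parse_nflog(frame: bytes, bo: str) -> Tuple[int, Optional[str], bytes]:
    """Decode one LINKTYPE_NFLOG frame into (address family, log prefix, IP payload).
    Layout: 1 byte family, 1 byte version, 2 bytes resource id (network order),
    then TLVs of 2-byte length (including the 4-byte TLV header) and 2-byte type,
    both in the file writer's byte order, each padded to a 4-byte boundary."""
    family = frame[0]
    prefix, payload = None, b""
    off = 4
    while off + 4 <= len(frame):
        length, ttype = struct.unpack_from(bo + "HH", frame, off)
        if length < 4:
            raise ValueError("bad NFLOG TLV length %d" % length)
        value = frame[off + 4: off + length]
        if ttype == NFULA_PREFIX:
            prefix = value.split(b"\x00", 1)[0].decode("ascii", "replace")
        elif ttype == NFULA_PAYLOAD:
            payload = value
        off += (length + 3) & ~3  # skip to next 4-byte aligned TLV
    return family, prefix, payload


def iter_records(data: bytes, bo: str) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (ts_sec, ts_usec, frame) for each record of an NFLOG pcap."""
    if pcap_linktype(data) != LINKTYPE_NFLOG:
        raise ValueError("expected linktype 239 (NFLOG)")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(bo + "IIII", data, off)
        off += 16
        yield ts_sec, ts_usec, data[off: off + incl_len]
        off += incl_len


def convert(data: bytes, want_prefix: Optional[str] = None) -> Tuple[bytes, List[str]]:
    """Return a LINKTYPE_RAW pcap holding only the IP payloads, plus the prefixes kept.
    If want_prefix is given, keep only records whose log prefix starts with it."""
    bo = pcap_byte_order(data)
    out = bytearray(struct.pack(bo + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW))
    prefixes: List[str] = []
    for ts_sec, ts_usec, frame in iter_records(data, bo):
        _family, prefix, payload = parse_nflog(frame, bo)
        if not payload:
            continue  # record without a packet (should not happen for NFLOG)
        if want_prefix is not None and not (prefix or "").startswith(want_prefix):
            continue
        prefixes.append(prefix or "")
        out += struct.pack(bo + "IIII", ts_sec, ts_usec, len(payload), len(payload))
        out += payload
    return bytes(out), prefixes


def build_nflog_frame(prefix: str, payload: bytes, bo: str = "<") -> bytes:
    """Constructed NFLOG frame (AF_INET, version 0, nflog group 5) for testing."""
    def tlv(ttype: int, value: bytes) -> bytes:
        length = 4 + len(value)
        return struct.pack(bo + "HH", length, ttype) + value + b"\x00" * (-length % 4)
    hdr = struct.pack(">BBH", 2, 0, 5)
    return hdr + tlv(NFULA_PREFIX, prefix.encode() + b"\x00") + tlv(NFULA_PAYLOAD, payload)


def build_sample_pcap() -> bytes:
    """Constructed sample: two ICMP echo requests to the firewall, one logged by the
    untrusted2fw chain and one by net2fw. Prefixes assume shorewall's default
    "Shorewall:<chain>:<disposition>:" form; checksums are not valid."""
    bo = "<"
    ip_untrusted = bytes.fromhex("4500001c000100004001" "0000" "0a000009" "0a000001" "0800f7ff00000000")
    ip_net = bytes.fromhex("4500001c000200004001" "0000" "c0a80105" "0a000001" "0800f7ff00000000")
    pcap = bytearray(struct.pack(bo + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_NFLOG))
    for ts, prefix, ip in ((1000, "Shorewall:untrusted2fw:DROP:", ip_untrusted),
                           (1001, "Shorewall:net2fw:DROP:", ip_net)):
        frame = build_nflog_frame(prefix, ip, bo)
        pcap += struct.pack(bo + "IIII", ts, 0, len(frame), len(frame)) + frame
    return bytes(pcap)


if __name__ == "__main__":
    raw, kept = convert(build_sample_pcap(), want_prefix="Shorewall:untrusted2fw")
    print("kept prefixes:", kept)
    with open("untrusted2fw-raw.pcap", "wb") as fh:
        fh.write(raw)
```

On a real capture, replace build_sample_pcap() with the bytes of the file tcpdump wrote from nflog:x; the resulting file opens in Wireshark or tcpdump as plain IP packets, and the per-packet log prefix is what lets one group's capture be split by shorewall chain when several policies log to the same nflog group.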