tjabo (Member, registered Aug 2002)

iptables: log IP on a port

Hi there, Sweclockers. I want to log incoming IPs on a port, but would like it a bit more limited; with the rule I have now the log fills up in no time. It sort of logs every new kind of packet, but I only want the initial connect.

-A INPUT -i eth6 -p udp -m udp --dport 25699 -m state --state NEW -m limit --limit 2/min -j LOG --log-prefix "new Connection"

Suggestions gratefully received.

Example of a small piece of the log

Dec 20 10:51:28 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=same_ip DST=other_constant_ip LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=1640 PROTO=UDP SPT=58134 DPT=25699 LEN=20
Dec 20 10:51:28 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=same_ip DST=other_constant_ip LEN=53 TOS=0x00 PREC=0x00 TTL=55 ID=1642 PROTO=UDP SPT=58134 DPT=25699 LEN=33
Dec 20 10:51:28 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=same_ip DST=other_constant_ip LEN=39 TOS=0x00 PREC=0x00 TTL=55 ID=1644 PROTO=UDP SPT=58134 DPT=25699 LEN=19
Dec 20 10:51:28 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=same_ip DST=other_constant_ip LEN=39 TOS=0x00 PREC=0x00 TTL=55 ID=1646 PROTO=UDP SPT=58134 DPT=25699 LEN=19
Dec 20 10:51:28 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=same_ip DST=other_constant_ip LEN=42 TOS=0x00 PREC=0x00 TTL=55 ID=1648 PROTO=UDP SPT=58134 DPT=25699 LEN=22
Dec 20 12:17:42 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=same_ip DST=other_constant_ip LEN=33 TOS=0x00 PREC=0x00 TTL=55 ID=30137 PROTO=UDP SPT=61254 DPT=25699 LEN=13
Dec 20 12:17:42 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=same_ip DST=other_constant_ip LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=30119 PROTO=UDP SPT=61254 DPT=25699 LEN=20
Dec 20 12:17:42 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=same_ip DST=other_constant_ip LEN=53 TOS=0x00 PREC=0x00 TTL=55 ID=30121 PROTO=UDP SPT=61254 DPT=25699 LEN=33
Dec 20 12:17:42 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=same_ip DST=other_constant_ip LEN=39 TOS=0x00 PREC=0x00 TTL=55 ID=30123 PROTO=UDP SPT=61254 DPT=25699 LEN=19
Dec 20 12:17:42 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=same_ip DST=other_constant_ip LEN=39 TOS=0x00 PREC=0x00 TTL=55 ID=30125 PROTO=UDP SPT=61254 DPT=25699 LEN=19
Dec 20 12:20:25 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=same_ip DST=other_constant_ip LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=31920 PROTO=UDP SPT=65384 DPT=25699 LEN=20
Dec 20 12:20:25 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=same_ip DST=other_constant_ip LEN=53 TOS=0x00 PREC=0x00 TTL=55 ID=31922 PROTO=UDP SPT=65384 DPT=25699 LEN=33
Dec 20 12:20:25 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=same_ip DST=other_constant_ip LEN=39 TOS=0x00 PREC=0x00 TTL=55 ID=31924 PROTO=UDP SPT=65384 DPT=25699 LEN=19
Dec 20 12:20:25 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=same_ip DST=other_constant_ip LEN=39 TOS=0x00 PREC=0x00 TTL=55 ID=31926 PROTO=UDP SPT=65384 DPT=25699 LEN=19
Dec 20 12:20:25 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=same_ip DST=other_constant_ip LEN=42 TOS=0x00 PREC=0x00 TTL=55 ID=31928 PROTO=UDP SPT=65384 DPT=25699 LEN=22
Dec 20 14:02:45 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=same_ip DST=other_constant_ip LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=31916 PROTO=UDP SPT=59854 DPT=25699 LEN=20
Dec 20 14:02:45 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=same_ip DST=other_constant_ip LEN=53 TOS=0x00 PREC=0x00 TTL=55 ID=31918 PROTO=UDP SPT=59854 DPT=25699 LEN=33
Dec 20 14:02:45 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=same_ip DST=other_constant_ip LEN=39 TOS=0x00 PREC=0x00 TTL=55 ID=31920 PROTO=UDP SPT=59854 DPT=25699 LEN=19
Dec 20 14:02:45 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=same_ip DST=other_constant_ip LEN=39 TOS=0x00 PREC=0x00 TTL=55 ID=31922 PROTO=UDP SPT=59854 DPT=25699 LEN=19
Dec 20 14:02:45 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=same_ip DST=other_constant_ip LEN=42 TOS=0x00 PREC=0x00 TTL=55 ID=31924 PROTO=UDP SPT=59854 DPT=25699 LEN=22
Dec 20 15:06:24 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=same_ip DST=other_constant_ip LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=12207 PROTO=UDP SPT=53345 DPT=25699 LEN=32
Dec 20 15:06:24 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=same_ip DST=other_constant_ip LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=12175 PROTO=UDP SPT=53345 DPT=25699 LEN=20
Dec 20 15:06:24 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=same_ip DST=other_constant_ip LEN=53 TOS=0x00 PREC=0x00 TTL=55 ID=12177 PROTO=UDP SPT=53345 DPT=25699 LEN=33
Dec 20 15:06:24 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=same_ip DST=other_constant_ip LEN=39 TOS=0x00 PREC=0x00 TTL=55 ID=12179 PROTO=UDP SPT=53345 DPT=25699 LEN=19

zyber (Member, Göteborg, registered Jul 2007)
Written by tjabo:

Hi there, Sweclockers. I want to log incoming IPs on a port, but would like it a bit more limited; with the rule I have now the log fills up in no time. It sort of logs every new kind of packet, but I only want the initial connect.

-A INPUT -i eth6 -p udp -m udp --dport 25699 -m state --state NEW -m limit --limit 2/min -j LOG --log-prefix "new Connection"

Suggestions gratefully received.


You are logging UDP, which is stateless. So you get a "new" connection on every packet, which is why it turns out like that. The question is whether you can get iptables to log on every new combination of src-spt-dst-dpt?

/zyber


tjabo (Member, registered Aug 2002)

I'm an amateur in this area; could you maybe put the packet length into the rule?

something -m length --length 112 -m recent --name 112bytes1 --set

edit:

-A INPUT -i eth6 -p udp -m udp --dport 25699 -m length --length 112 -m state --state NEW -j LOG --log-prefix "new Connection"

gave one line, look at "LEN=112". I think it can work; I'll have to test it for a while and see.

Dec 21 21:27:45 kernel: new ConnectionIN=eth6 OUT= MAC=00:e6:c7:520:08:00 SRC=my_ip DST=target_ip LEN=112 TOS=0x00 PREC=0x00 TTL=52 ID=13666 PROTO=UDP SPT=51838 DPT=25699 LEN=92

edit again: corrected which code I used and removed the limit 2/min part, it is no longer needed.
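Editor's note with an added example (not code from the thread). zyber's question is whether iptables can log once per new src-spt-dst-dpt combination, and tjabo's workaround is to match on packet length. Two checks a practitioner would want first: `--state NEW` (today `-m conntrack --ctstate NEW`) on UDP matches every packet of a flow until a reply has been seen in the other direction, so a service that does not answer, or answers via another path, keeps all five packets of a burst in state NEW, which is exactly what the posted log shows (same SPT, consecutive IP IDs, all logged). `-m length --length 112` matches the total IP length (20-byte header plus the 92-byte UDP datagram in the posted line), so any other 112-byte packet also matches and a client update that changes the first message's size silently stops the logging; `-m recent --set` on its own only records the address and never suppresses anything. The `--log-prefix` also lacks a trailing space, which is why the log reads "new ConnectionIN=". The script below, which is mine and assumes eth6 and port 25699 from the thread plus a hashlimit table name, a one-hour window and RFC 5737 addresses of my own choosing, does two things offline: `unique_flows` collapses LOG lines on stdin to one row per (SRC,SPT,DST,DPT) tuple, and `log_rules` prints an iptables-restore fragment that uses `hashlimit` keyed on source IP and port so that each new tuple is logged exactly once.

```shell
#!/bin/sh
# Added example, not from the thread.
#   unique_flows - read kernel LOG lines on stdin, print one row per
#                  (SRC,SPT,DST,DPT) tuple with first-seen time and packet count
#   log_rules    - print an iptables-restore fragment that LOGs each tuple once
# Assumptions: eth6 and udp/25699 as in the thread; the table name
# "udp25699", the one-hour window and the addresses below are this
# example's own choices.

# Constructed sample in the thread's LOG format (RFC 5737 documentation
# addresses stand in for the redacted IPs): bursts of 5, 2 and 1 packet.
SAMPLE_LOG='Dec 20 10:51:28 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=1640 PROTO=UDP SPT=58134 DPT=25699 LEN=20
Dec 20 10:51:28 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=53 TOS=0x00 PREC=0x00 TTL=55 ID=1642 PROTO=UDP SPT=58134 DPT=25699 LEN=33
Dec 20 10:51:28 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=39 TOS=0x00 PREC=0x00 TTL=55 ID=1644 PROTO=UDP SPT=58134 DPT=25699 LEN=19
Dec 20 10:51:28 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=39 TOS=0x00 PREC=0x00 TTL=55 ID=1646 PROTO=UDP SPT=58134 DPT=25699 LEN=19
Dec 20 10:51:28 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=42 TOS=0x00 PREC=0x00 TTL=55 ID=1648 PROTO=UDP SPT=58134 DPT=25699 LEN=22
Dec 20 12:17:42 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=33 TOS=0x00 PREC=0x00 TTL=55 ID=30137 PROTO=UDP SPT=61254 DPT=25699 LEN=13
Dec 20 12:17:42 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=30119 PROTO=UDP SPT=61254 DPT=25699 LEN=20
Dec 20 12:20:25 hola kernel: new ConnectionIN=eth6 OUT= MAC=56:00:00:1a:7d:ac:fe:00:00:1a:7d:ac:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=31920 PROTO=UDP SPT=65384 DPT=25699 LEN=20'

# Collapse LOG lines to one row per UDP "connection". Every KEY=VALUE token
# is split, so the missing space in "new ConnectionIN=eth6" does no harm.
unique_flows() {
    awk '
    {
        src = spt = dst = dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "SPT") spt = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (src == "" || spt == "") next        # not a LOG line we understand
        key = src ":" spt " -> " dst ":" dpt
        if (!(key in first)) { first[key] = $1 " " $2 " " $3; order[++n] = key }
        count[key]++
    }
    END {
        for (i = 1; i <= n; i++)
            printf "%s  %s  packets=%d\n", first[order[i]], order[i], count[order[i]]
    }'
}

# iptables-restore fragment: LOG the first packet from each (srcip,srcport)
# pair on udp/25699, then at most one more per hour for that pair. The
# hashlimit entry is dropped an hour after the pair's last packet, and the
# prefix ends in a space so the IN= field is not glued to it.
log_rules() {
    cat <<'EOF'
*filter
-A INPUT -i eth6 -p udp --dport 25699 -m hashlimit --hashlimit-name udp25699 --hashlimit-mode srcip,srcport --hashlimit-upto 1/hour --hashlimit-burst 1 --hashlimit-htable-expire 3600000 -j LOG --log-prefix "new Connection: "
COMMIT
EOF
}

# Stand-alone run: summarise the sample, then show the rules.
printf '%s\n' "$SAMPLE_LOG" | unique_flows
log_rules
```

On the sample the summary is three rows, the first of them `198.51.100.7:58134 -> 192.0.2.10:25699  packets=5`. Against a real box, `unique_flows < /var/log/kern.log` gives the same view of the existing noisy log, and `log_rules | iptables-restore --noflush` (as root) appends the rule without touching other chains. Keyed on source IP and port, the rule logs once per client socket regardless of how many datagrams it sends or whether the service ever replies, which is what the thread's "initial connect" asks for; keying on srcip alone would instead give one line per client host. Keep `--hashlimit-upto` and `--hashlimit-htable-expire` in step if you change the window.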