
My goal is to use ipset lists in iptables to log outbound traffic to certain IP addresses. I intend to monitor an entire network passively.

I have port mirroring enabled and the port mirrored traffic is broadcasting to a server with two network adapters. Eth0 is dedicated to system management and Eth1 operates in promiscuous mode and is dedicated to capturing the traffic passed to it. Is it possible to use iptables to log outgoing traffic on the network that is being monitored? Thank you.

Trevor

1 Answer


Have you considered using tcpdump rather than iptables? Something like:

tcpdump -w /var/log/packets -i eth1

Would dump all packets visible on eth1 to the file /var/log/packets. You could later on analyze the file using tcpdump, wireshark, or a variety of other tools.

Using iptables, you typically log packets using the LOG target, like this:

iptables -A INPUT -i eth1 -j LOG

I'm not sure whether or not iptables is the right tool for this job, because (a) I don't know off the top of my head how it will operate with the interface in promiscuous mode, and (b) given high packet rates this form of logging can have a substantial I/O impact on your system.

I think you're better off with the tcpdump model. The -G flag to tcpdump will cause it to rotate the capture file periodically, which you'll want to do if you're capturing for an extended period. So something like:

tcpdump -i eth1 -G 3600 -w /var/log/packets-%Y-%m-%d-%H

This would get you files of the form:

/var/log/packets-2013-06-20-10
ldx.a.ldy.c
  • Great suggestions, thanks for them. Do you think it would be possible to truncate `tcpdump` output by means of something similar to `ipset` where I could only log IPs from X lists or do I have to depend on software such as a `wireshark`? Thanks again. – Trevor Jun 20 '13 at 15:04
  • You can use the host designation to limit your capture to specific IP(s). eg: `tcpdump host 1.2.3.4 or host 5.6.7.8`. You'd need to do a bit of scripting to pull in your list of IPs to monitor, but that shouldn't be too hard. You'd also have to restart the dump whenever you modified the list. – Christopher Karel Jun 20 '13 at 15:40
  • @ChristopherKarel So it is possible that I can at least dump big lists into `tcpdump`? For example, would something like the following be possible: `tcpdump -i eth1 host $IMPORTEDHOSTS or /file/path/hosts`? I'm assuming this could be one value per line and just IPs, and nothing like CIDR blocks would work? – Trevor Jun 20 '13 at 16:13
  • Actually, you want the `-F` flag. That designates a filter file. eg: `tcpdump -G 3600 -w /var/log/packets-%Y-%m-%d-%H -F /file/path/to/filter.file` The file would need to be proper tcpdump expressions similar to `host 1.2.3.4`. However, CIDR networks are supported, as `net 1.2.3.0/24`. `man tcpdump` will cover all the available expressions. – Christopher Karel Jun 20 '13 at 18:27
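The two pieces of the thread above, the rotated capture from the answer and the `-F` filter file from the comments, can be tied together with a small script. The following is an added example, not code posted by anyone in the thread: it turns a watch list of one address or CIDR block per line (a constructed sample, not from the question) into a tcpdump filter expression, using `host` for single addresses and `net` for CIDR blocks, with an optional `dst` qualifier so the capture only keeps traffic going to the listed destinations, which is the outbound case the question asks about. The filter file path `/tmp/tcpdump-filter.txt` is an assumed location; the tcpdump command itself is left commented out because the capture needs root and a real mirror port.

```shell
#!/bin/sh
# Build a tcpdump filter file from a watch list (one IPv4 address or CIDR
# block per line; blank lines and '#' comments are ignored), then show the
# rotated capture command from the answer that would consume it.
# Added example; the list format and file paths are assumptions.

# build_filter LISTFILE [DIRECTION]
#   Prints a single tcpdump expression joining every entry with "or".
#   DIRECTION is optional: "dst" restricts the match to traffic *to* the
#   listed hosts (outbound from the monitored network); empty means either
#   direction, as in the comment's "host 1.2.3.4 or host 5.6.7.8".
build_filter() {
    listfile=$1
    dir=${2:-}
    expr=""
    # "|| [ -n "$line" ]" keeps a final line that lacks a trailing newline
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                   # drop comments
        line=$(printf '%s' "$line" | tr -d '[:space:]')    # drop whitespace
        [ -z "$line" ] && continue
        case $line in
            */*) term="net $line" ;;    # CIDR block -> net a.b.c.0/24
            *)   term="host $line" ;;   # single address -> host a.b.c.d
        esac
        [ -n "$dir" ] && term="$dir $term"
        if [ -z "$expr" ]; then
            expr=$term
        else
            expr="$expr or $term"
        fi
    done < "$listfile"
    printf '%s\n' "$expr"
}

# Demonstration with a constructed watch list (not taken from the thread).
WATCHLIST=$(mktemp)
cat > "$WATCHLIST" <<'EOF'
# constructed example: destinations to watch for
1.2.3.4
5.6.7.8
1.2.3.0/24
EOF

FILTER=/tmp/tcpdump-filter.txt     # assumed location for the -F file
build_filter "$WATCHLIST" dst > "$FILTER"
printf 'filter written to %s:\n  %s\n' "$FILTER" "$(cat "$FILTER")"

# Hourly-rotated capture on the mirror port, as in the answer (needs root).
# tcpdump reads the expression from the file, so the list can be long
# without hitting shell argument limits; restart tcpdump after editing it.
#   tcpdump -i eth1 -G 3600 -w /var/log/packets-%Y-%m-%d-%H -F "$FILTER"

rm -f "$WATCHLIST"
```

Because tcpdump loads the filter once at startup, a change to the watch list means regenerating the file and restarting the capture, as the comment notes; if the list changes often, a cron job that rebuilds the file and sends tcpdump a restart is the usual arrangement.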