Logging LAN clients using iptables

2

1

I placed a Raspberry Pi acting as a router to sit between my DSL modem and my internal Netgear wireless router. My thinking was that I would be able to use iptables to log the connections into and out of my LAN. It seems to work well for the addresses out on the internet, but the client addresses show up as the Netgear router that sits between my Raspberry Pi router and the clients on the LAN. The following shows the network and connection from a client on my LAN out to www.cnn.com. Is there no way to see the true source IP address of incoming traffic, or will you always just see the last hop that preceded the router running iptables?

LAN Client
    10.0.100.17

Netgear Router
    eth0 10.0.100.1 (LAN)
    eth1 10.0.200.1 (WAN)

Raspberry Pi Router
    eth0 10.0.200.10 (LAN)
    eth1 192.168.0.3 (WAN)

DSL Gateway
    eth0 192.168.0.1 (LAN)
    eth1 13.10.1.39 (WAN)

www.cnn.com
    151.101.189.67

And I am using the following iptables rules:

# Rules as listed by iptables-save. Every LOG rule is rate-limited (about 3 lines
# a minute with the default burst), so most packets never produce a log line.
-A PREROUTING -m limit --limit 3/min -j LOG --log-prefix "PreRouting: "
# Logged before MASQUERADE rewrites the source, so SRC= is still the pre-NAT address
-A POSTROUTING -m limit --limit 3/min -j LOG --log-prefix "PostRouting: "
# nat table: source-NAT everything leaving on the WAN side (eth1)
-A POSTROUTING -o eth1 -j MASQUERADE
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "Input: "
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "Forward: "
# filter table: let replies back in from the WAN side, and everything from the LAN side out
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "Output: "

In the above example I will never see the IP address of the client on the LAN. Instead I will only see the address of the router between the client and the Raspberry Pi (10.0.200.1) and never the IP address for www.cnn.com (151.101.1.67).

Disco Trader

Posted 2018-06-19T14:07:51.593

Reputation: 23

Answers

1

The router uses Network Address Translation (NAT) to map the IP addresses of its clients to the IP address of itself (i.e., mapping 10.0.100.17 to 10.0.100.1). The Raspberry Pi does not have access to this information, so all traffic appears to originate from the router. It is not possible to see the IP addresses of clients in this configuration, see this question for more information.

However, if the Raspberry Pi and router are on the same subnet, the Pi would be able to see the LAN clients' IP addresses. To do this, you can install a DHCP server on the Raspberry Pi such as dnsmasq, and set your router to "bridge" mode (disabling NAT and DHCP). Here's a nice tutorial for setting up dnsmasq on Linux.

Breq16

Posted 2018-06-19T14:07:51.593

Reputation: 198

0

There is a netstat-like tool for Linux called netstat-nat that should do the trick for you. To install (on Raspberry Pi):

apt-get install netstat-nat

To read active NAT connections:

netstat-nat

I don't know how to integrate it with some sort of logging system; maybe have a script that activates every couple of minutes and writes the output of this command to a file?

Sadly, in your configuration it will not work. You will have to swap the positions of the Netgear router and the Raspberry Pi router for this to work. NAT specifically modifies the source IP address of any packets that come in and leave the NAT router, so they appear as if they came from it. That is, unless you can identify the clients by using another field in a packet (maybe User-Agent?).

Shadowcoder

Posted 2018-06-19T14:07:51.593

Reputation: 186
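Both answers leave the actual logging side open: the first one says the Pi will see real client addresses once the Netgear is bridged, the second suggests a script that periodically writes connection state to a file. As an added example (not code from the question or either answer), here is a Python script that parses the lines the iptables LOG target writes to the kernel log (what `dmesg` or /var/log/kern.log shows for the "Forward: " and "Input: " prefixes in the question's rules) and groups forwarded flows by SRC=. The sample log lines are constructed and abridged for this example; the first set reproduces the question's topology, where every forwarded packet arrives with the Netgear's WAN address 10.0.200.1, the second set assumes the bridged layout from the first answer with the clients kept on 10.0.100.0/24 (an assumption, as are the MAC addresses and ports).

```python
"""Summarise iptables LOG output by client address.

Added example, not code from the question or either answer. Reads lines in the
format the LOG target writes to the kernel log and groups forwarded flows by
SRC=, the only field in which the Pi records where a connection came from.
"""
import re
from collections import defaultdict

# "kernel:" optionally followed by a printk timestamp, then the --log-prefix
# tag from the rules in the question ("Forward: ", "PreRouting: ", ...).
PREFIX_RE = re.compile(r"kernel:\s*(?:\[\s*[\d.]+\]\s*)?(?P<prefix>[A-Za-z]+):\s")
# KEY=VALUE fields; bare flags such as DF and SYN have no '=' and are skipped.
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed, abridged sample for the topology in the question. The Netgear
# NATs first, so every forwarded packet carries its WAN address 10.0.200.1 as
# SRC and its MAC in the MAC= field (dst MAC, src MAC, ethertype). Two different
# clients are behind the three Forward lines and nothing tells them apart.
NATED_LOG = """\
Jun 19 14:07:50 pi kernel: [ 8120.000000] smsc95xx 1-1.1:1.0 eth0: link up, 100Mbps
Jun 19 14:07:51 pi kernel: [ 8123.401011] Forward: IN=eth0 OUT=eth1 MAC=b8:27:eb:aa:bb:cc:a0:04:60:11:22:33:08:00 SRC=10.0.200.1 DST=151.101.189.67 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=44122 DPT=443 SYN
Jun 19 14:07:52 pi kernel: [ 8124.115278] Forward: IN=eth0 OUT=eth1 MAC=b8:27:eb:aa:bb:cc:a0:04:60:11:22:33:08:00 SRC=10.0.200.1 DST=8.8.8.8 LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=UDP SPT=51000 DPT=53 LEN=41
Jun 19 14:07:53 pi kernel: [ 8125.002934] Forward: IN=eth0 OUT=eth1 MAC=b8:27:eb:aa:bb:cc:a0:04:60:11:22:33:08:00 SRC=10.0.200.1 DST=151.101.189.67 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4713 DF PROTO=TCP SPT=44123 DPT=80 SYN
Jun 19 14:07:54 pi kernel: [ 8126.770002] Input: IN=eth1 OUT= MAC=b8:27:eb:dd:ee:ff:00:1d:aa:00:00:01:08:00 SRC=192.168.0.1 DST=192.168.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=9001 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""

# Constructed sample for the layout the first answer proposes (Netgear in
# bridge mode, Pi serving DHCP). Assumption: clients stay on 10.0.100.0/24.
# SRC= is now the real client, MAC= carries the client's own address, and the
# TTL is one higher because the Netgear no longer routes the packet.
BRIDGED_LOG = """\
Jun 19 14:09:01 pi kernel: [ 8193.221040] Forward: IN=eth0 OUT=eth1 MAC=b8:27:eb:aa:bb:cc:3c:22:fb:01:02:03:08:00 SRC=10.0.100.17 DST=151.101.189.67 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5201 DF PROTO=TCP SPT=44200 DPT=443 SYN
Jun 19 14:09:02 pi kernel: [ 8194.330812] Forward: IN=eth0 OUT=eth1 MAC=b8:27:eb:aa:bb:cc:3c:22:fb:04:05:06:08:00 SRC=10.0.100.23 DST=8.8.8.8 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=5202 DF PROTO=UDP SPT=51001 DPT=53 LEN=41
Jun 19 14:09:03 pi kernel: [ 8195.001100] Forward: IN=eth0 OUT=eth1 MAC=b8:27:eb:aa:bb:cc:3c:22:fb:01:02:03:08:00 SRC=10.0.100.17 DST=151.101.189.67 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5203 DF PROTO=TCP SPT=44201 DPT=80 SYN
"""


def parse_log_line(line):
    """Return a dict for one iptables LOG line, or None for any other kernel line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line[m.end():]))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return {
        "prefix": m.group("prefix"),
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields.get("PROTO", ""),
        "dpt": fields.get("DPT", ""),  # absent for ICMP
    }


def connections_by_source(log_text, prefix="Forward"):
    """Map SRC -> sorted list of distinct (DST, PROTO, DPT) for lines with `prefix`."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and rec["prefix"] == prefix:
            seen[rec["src"]].add((rec["dst"], rec["proto"], rec["dpt"]))
    return {src: sorted(flows) for src, flows in seen.items()}


def client_addresses(log_text, prefix="Forward"):
    """Sorted list of every SRC the Pi logged with `prefix`: the 'clients' it can see."""
    return sorted(connections_by_source(log_text, prefix))


if __name__ == "__main__":
    # Replace the constructed text with open("/var/log/kern.log").read() on the Pi.
    for label, text in (("Netgear NATing in front of the Pi", NATED_LOG),
                        ("Netgear bridged, Pi is the LAN gateway", BRIDGED_LOG)):
        print(label)
        for src, flows in sorted(connections_by_source(text).items()):
            print(f"  {src}: " + ", ".join(f"{d} {p}/{dpt}" for d, p, dpt in flows))
```

Run against the real kernel log on the Pi, the first topology yields a single source (10.0.200.1) however many clients are on the LAN, which is the question's problem in one line of output; after the first answer's change the same script attributes each flow to a client. Note that the LOG rules in the question are rate-limited to 3 lines a minute, so the log is a sample of the traffic, not a record of every connection; the script only summarises what reached the log.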