Firewalls like iptables(1) may offer POSTROUTING (source network address translation, snat) facilities changing the source address of a host behind the firewall to the address of the host connected to the outer world. With snat the following combinations of IP addresses and port numbers are encountered:
Source natting usually uses sport for fwport, but fwport may already be in use, in which case the firewalling host must use another, available port to forward communication from IPsrc, sport to IPdst, dport.
The general scheme that applies to source natting, therefore, looks like this:
IPsrc:sport is translated by the firewall to IPfw:fwport; IPfw:fwport is used when communicating with IPdst:dport.From the perspective of the destination host the communication originates at IPfw::fwport and consequently all communication (e.g., incident reports) sent by the systems administrator maintaining IPdst to IPfw's systems administrator will refer to IPfw:fwport, rather than to IPsrc::sport.
Relating IPfw:fwport to IPsrc:sport is difficult when merely using the standard log facilities provided by iptables and natlog was developed to fill in that particular niche.
Natlog provides data about source natting in various forms. The standard logging mode consists of messages sent to the syslog daemon (cf., rsyslogd(1)) and/or to the standard output stream showing the essential characteristics of connections using source natting. Here is an example of a logged message (log-entries occupy single lines; the line-breaks below are to enhance readability):
NATLOG: from 1338990672:55588 thru 1338990747:807100 (UTC): tcp 192.168.19.72:4467 (via: 129.125.90.132:4467) to to 200.49.219.180:443; sent: 802, received: 7669The values 1338990672:55588 and 1338990747:807100 are time stamps showing the begin- and end-times in seconds:microseconds of a tcp connection since the beginning of the epoch (Jan 1, 1970, 0:00 UTC). Natlog offers the --time option for requesting human-readable time specifications like Nov 2 13:29:11 rather than time representations using seconds and micro seconds.
The next value (192.168.19.72:4467) represents IPsrc::sport. This is followed by 129.125.90.132:4467, representing IPfw:fwport. The third pair of values (200.49.219.180:443) represents IPdst:dport.
In this example, host 192.168.19.72, using port 4467, connected to host 200.49.219.180, port 443. To this latter host the connection appears to have originated from 129.125.90.132 port 4467. The log message allows us to associate this with the `real' host and port from which the connection originated: 192.168.19.72:4467.
The final entries show the number of bytes that were sent by the source-host (IPsrc) and received from the destination-host (IPdst).
When natlog is terminated it can no longer track connections that are still open. If natlog was terminated (by a SIGINT or SIGTERM signal), then it logs a `terminating' line, followed by an overview of all (potentially) still open connections. Those connections are flagged with a trailing '(EOP)' (end of program) log-element, and their end-times show natlog's termination time. Incomplete connections show (EXPIRED).
In addition to the standard logs the option --log-data is available. This option requires the path to a file where information is logged in tabular form, which can easily be processed by statistical software like R(1). When specifying this option information will be appended to an existing file. When the log file does not yet exist it is created. The first line of the thus written log files names the columns of the table. The column names are (all on one line):
type, srcNr, srcIP, srcPort, dstNr, dstIP, dstPort, sent, recvd, begin, end, beginTime, endTime, statusMost column labels will be self-explanatory. Type indicates the connection type, logged as icmp, tcp, or udp; srcNr and dstNr are the 32 bit numeric values of, respectively, the source host's IP address and the destination host's IP address (decimal representations); begin and end are the times in seconds since the beginning of the epoch, corresponding to the times displayed at, respectively, beginTime and endTime; status indicates the status of the logged connection information: ok indicates a connection that was normally completed; expired indicates that the connection was recognized, but was not normally completed; eop is used for connections that were still active by the time natlog terminates. When the status equals expired, the time entries show the times of receiving the first and last packets of that connection; when eop, then the end and endTime entries show natlog's termination time.
Log entries look like this (each entry occupies one line, header line and logged data lines are right-aligned):
tcp, 101820608, 192.168.17.6, 48886, 4012145084, 188.121.36.239, 80, 430, 2266, 1517387644, 1517387644, Jan 31 08:34:04:318340, Jan 31 08:34:04:383170, ok
By default conntrack does not report byte counts. To have conntrack report byte counts the command
$ echo 1 > /proc/sys/net/netfilter/nf_conntrack_acctmust have been issued before starting conntrack.
Conntrack includes the sizes of the IP headers (usually 20 bytes) in reported byte counts. Thus, icmp packets are usually reported as having size 84, even though ping(1) reports a payload of 64 bytes. Since the actual sizes of IP headers cannot be determined from conntrack's output, the sizes reported when using natlog's conntrack mode are as reported by conntrack, and are therefore not corrected for IP header lengths. The option --conntrack-ip-header-size can be used to correct for the (assumed) IP header sizes.
See also the conntrack-command option.
outdevice is the name of the device where source-natted packets are forwarded to, and from where replies for source-natted hosts living behind the indevice are received. With this command all, or any combination of the (by default) tcp, udp, and icmp layer four protocols can be monitored.
tcpdump -wi eth0 /tmp/eth0 & tcpdump -wi eth1 /tmp/eth1 &To have natlog process these files, terminate the tcpdump commands, and transfer the files /tmp/eth0 and /tmp/eth1 to the host where natlog has been installed. The required addresses and masks are shown by the ifconfig(1) command. E.g.,
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 129.125.1.123 netmask 255.255.0.0 broadcast 129.125.255.255 eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1255The relevant info is shown in the lines following the interface's name: the value following inet is the interface's IP address, and the value following netmask is the network's mask.
Combining files and addresses, natlog is run as follows (all on one line):
natlog /tmp/eth0 129.125.1.123 255.255.0.0 /tmp/eth1 192.168.1.1 255.255.255.0Instead of fully specifying the netmask, netmaks specifications like /24 are also accepted. In that case the number following the slash indicates the number of non-zero bits of the netmask. In practice, each value of the netmask is either 255 (8 bits are set) or 0 (0 bits are set), and so 255.255.0.0 can also be specified as /16, while 255.255.255.0 can be specified like /24.
See also section SYSTEMD.
All options, except for config, help, verbose and version can also be specified in the configuration file. The configuration file ignores empty lines and all information on lines beginning with a hash-mark (#). In the configuration file initial hyphens should be omitted, and option names may immediately be followed by a colon. Multi-word arguments should not be surrounded by quotes. Examples:
stdout syslog-facility: LOCAL0Command-line options override configuration file options.
/usr/sbin/conntrack -p tcp -E -n -o timestamp -e NEW,DESTROYresulting in:
- Monitoring the tcp layer four protocol;
- Displaying real-time event logs (-E);
- Displaying time stamps (-o timestamp);
- Logging all new and destroyed (ended) events (-e
NEW,DESTROY);
By default tcp is monitored. Other protocols can be configured using the --protocol option.
The conntrack program must be available when requesting natlog's conntrack command. Layer four protocols other than tcp, udp and icmp are currently not supported. A subset of the supported protocols may be requested using conntrack's -p tcp, -p udp or -p icmp options.
NATLOG: From 1338990672:55588 thru 1338990747:807100These time stamps indicate times in seconds:microseconds since the beginning of the epoch, January 1, 1970, 0:00 UTC. This option can be used to change the seconds part of the time stamps to more conventional representations.
When --verbose is specified twice then all actual configuration parameters are shown just before natlog starts.
When --verbose is specified more often then natlog ends after reporting the configuration parameters.
An annoying characteristic of systemd(1) is that environment variables containing blanks are passed as single arguments to the program being called by their .service files. As a consequence, it is very hard to provide an environment variable in, e.g., /etc/default/natlog specifying natlog's arguments: in practice the number of arguments varies, and so even constructions like ARG1=value1, ARG2=value2, etc. are awkward at best.
As a stopgap for this unwelcome characteristic of systemd the option -S is provided. When used it must be specified as natlog's first argument. Natlog will then inspect all remaining arguments, splitting arguments containing blanks into separate arguments, which are then processed by natlog as intended. Be aware that, to limit the complexity of the splitting-procedure, it is not full-proof: double- or single-quote delimited string-arguments will also be split into separate arguments. Unless filenames themselves containing blanks are passed as arguments to natlog this limitation is probably not very serious.
As an example, here is an example of systemd's ExecStart specification:
ExecStart=/usr/bin/natlog -S -p ${PIDFILE} ${DAEMON_ARGS}where DAEMON_ARGS might have been specified in /etc/default/natlog as
DAEMON_ARGS=--log /tmp/natlog.log --log-data /dev/null conntrack
When using rsyslogd(1) property based filters may be used to filter syslog messages and write them to a file of your choice. E.g., to filter messages starting with the syslog message tag (e.g., NATLOG) use
:syslogtag, isequal, "NATLOG:" /var/log/natlog.log :syslogtag, isequal, "NATLOG:" stopNote that the colon is part of the tag, but is not specified with the syslog-tag option.
This causes all messages having the NATLOG: tag to be written on /var/log/natlog.log after which they are discarded. More extensive filtering is also supported, see, e.g., http://www.rsyslog.com/doc/rsyslog_conf_filter.html and http://www.rsyslog.com/doc/property_replacer.html
Examples of natlog activations:
Here is natlog's default configuration file. Empty lines and lines starting with hash-marks (#) are ignored. Options adhere to the following syntax:
option valueOption and value are separated by white space, a colon may be appended to option names:
# This configuration file shows the default option values. # all options and values are case sensitive # see `man natlog' for further details # the path and options of the conntrack program: # when no filtering options are specified, the tcp # protocol is monitored # the default command is shown: #conntrack-command: /usr/sbin/conntrack -p tcp -E -n -o timestamp \ -e NEW,DESTROY" # the device used by conntrack #conntrack-device: /proc/net/nf_conntrack # correction for the IP header size # (standard IP header size is 20 bytes) #conntrack-ip-header-size: 0 # max. number of conntrack restarts #conntrack-restart: 10 # data file for tabular logs (specify path, default: # data file is not used) #log-data: # flush the log-data file after writing log-data-flush lines #log-data-flush: 32 # do not run as a daemon (by default: natlog runs as a daemon) #no-daemon # do not write messages handled by syslog #no-syslog # the path to the pid-file of natlog's daemon process #pid-file: /run/natlog.pid # the protocols that are scanned with the 'conntrack' command: # protocol: all - monitors tcp, udp, icmp # protocol: udp:tcp - monitors upd and tcp (any non-empty subset, # possibly including icmp is OK) # ignored when conntrack-command is specified #protocol: tcp # write messages to stdout (ignored by daemons) #stdout # the default syslog facility: #syslog-facility: DAEMON # the default syslog priority: #syslog-priority: NOTICE # the default syslog tag: #syslog-tag: NATLOG # the time specification: #time: raw # ttl: time to live (seconds) for udp/icmp connections #ttl: 60 # end of the configuration file
conntrack(1), ifconfig(1), iptables(1), pcap-filter(7), ping(1), R(1), rsyslogd(1), syslog(3), systemd(1), tcpdump(1)
Natlog currently may process tcp, udp and icmp layer four protocols.
Frank B. Brokken (f.b.brokken@rug.nl).