[solved] iptables filtering

1000
Level 4
Posts: 426
Joined: Wed Jul 29, 2020 2:14 am

[solved] iptables filtering

Post by 1000 »

I'm curious if it is possible to create a rule with iptables:

If from OUTPUT there is a new internet connection; then
    if "destination IP" was not seen in the last 5 minutes; then
        save connection to log file

If I always have new connections from a web browser,
I want to see in the log only 1 new internet connection for each destination IP.
Every destination IP cannot be repeated more often than every 5 minutes.

I tried to check https://ipset.netfilter.org/iptables-ex ... s.man.html
but I did not find a solution.

connlimit - has no time option
hashlimit - I don't understand how it works

I tried to test

iptables -I OUTPUT -m conntrack --ctstate NEW  -m hashlimit --hashlimit-upto 60/sec --hashlimit-mode dstip --hashlimit-name hosts  -j LOG --log-prefix "IPTABLES: "
and opened a few websites in Firefox, then checked the log file.
But I see the same internet connections more often.

# grep 172.217.16.xx /var/log/iptables.log | awk '{print $1, $2, $3, $11}'

May 19 11:50:11 DST=172.217.16.xx
May 19 11:50:12 DST=172.217.16.xx
May 19 11:50:35 DST=172.217.16.xx
May 19 11:51:19 DST=172.217.16.xx
t42
Level 6
Posts: 1019
Joined: Mon Jan 20, 2014 6:48 pm

Re: iptables filtering

Post by t42 »

.

-=t42=-
1000
Level 4
Posts: 426
Joined: Wed Jul 29, 2020 2:14 am

Re: iptables filtering

Post by 1000 »

Excuse me. Let's say / suppose that this topic was not there and never existed,
because I spent too much time on it, and there are no results.
Surely you have more interesting and important things to do than my problems. I do.
I apologize for the trouble.

In this topic I stated that it does not make sense: viewtopic.php?p=2016062#p2016062
But I had a very strong desire to try.
I will only write why.
Maybe this knowledge will be useful to someone.


1. Creating a separate file /var/log/iptables.log for iptables only is impossible

Maybe it's possible for a programmer, I don't know.
Because iptables events are located in kern.warning,
it collects messages from iptables and other stuff in one place.

I tried redirecting kern.warning to the /var/log/iptables.log file in /etc/rsyslog.d/50-default.conf
Guides:
A. https://www.networkinghowtos.com/howto/ ... -log-file/
B. https://www.the-art-of-web.com/system/rsyslog-config/

And it works, but it is nonsense to have kernel messages in two separate files: syslog and iptables.log.
And the name "iptables.log" is misleading when it also includes other messages.


2. What came to my mind?
Sometimes I only listen to music over the internet.
If the script did not detect a new connection for a long time,
it could track the opening of the file /var/log/iptables.log. This is a way to use fewer resources.
My idea is probably stupid or underdeveloped, because creating a timer for each destination IP connection can use up my computer's resources even more.
Why not log all connections without complications and filter the log file itself afterwards?
The contents of the iptables log are of no value to me, especially in the past tense.
The only important thing is whether there is a new connection at a certain moment.
- I can do this with inotify to detect changes in iptables.log
- Or with comm to compare old and new output of the lsof command.

When the connection is still on,
you can check more, for example:
- Application name ( lsof -Pi )
- PID number of this app ( lsof -Pi )
- From where this app is running ( you can search for this in pstree -pt )
- What files it opens. ( ps aux | grep name_of_process )

You don't need to collect all your apps' data now.
For example, you can collect only time, application name and number of connections.
( You can collect more information. )
If you notice too frequent internet connections, or an unnecessary connection,
then you can build a trap for the given name of the application
( I mean the script will then collect more information when it detects a new connection with the specified name )
and the script will save to the logs what it found for you.
Later, in your free time, you can read the event logs.
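The post above looks up the application and PID behind a fresh connection with lsof. The following is an added example (not code from this thread) that does the same lookup without lsof, the way lsof itself does it: read /proc/net/tcp, find the socket whose remote address equals the DST= value from the log line, then find the process holding that socket inode in /proc/<pid>/fd. The /proc/net/tcp excerpt in the block is constructed; socket_owner() walks the real /proc and, like lsof, only sees processes the calling user may inspect (root sees all). It assumes a little-endian host, since /proc/net/tcp prints IPv4 addresses in host byte order.

```python
"""Find the local process behind a destination seen in the iptables log,
without lsof: parse /proc/net/tcp and match the socket inode in /proc/<pid>/fd.

Added example for this thread, not code from the original posts.
SAMPLE_PROC_NET_TCP is constructed; socket_owner() walks the real /proc.
Assumption: little-endian host (IPs in /proc/net/tcp are host byte order),
which is what the "<I" unpacking in hex_to_addr() encodes.
"""
import os
import socket
import struct

# Subset of the st column values; anything else is left as the raw hex code.
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT", "0A": "LISTEN"}

# Constructed excerpt: sshd listening on 127.0.0.1:22 and one established
# connection from 192.0.2.10:41644 to 172.217.16.1:443 owned by uid 1000.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A0200C0:A2AC 0110D9AC:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""


def hex_to_addr(field):
    """'0110D9AC:01BB' -> ('172.217.16.1', 443): IP is little-endian hex, port is plain hex."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket line: local, remote, state, uid, inode."""
    entries = []
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        entries.append({
            "local": hex_to_addr(f[1]),
            "remote": hex_to_addr(f[2]),
            "state": TCP_STATES.get(f[3], f[3]),
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return entries


def connections_to(text, dst_ip):
    """Sockets whose remote address equals the DST= value from an iptables LOG line."""
    return [e for e in parse_proc_net_tcp(text) if e["remote"][0] == dst_ip]


def socket_owner(inode, proc="/proc"):
    """Return [(pid, comm), ...] of processes holding socket:[inode]; [] if none visible."""
    target = f"socket:[{inode}]"
    owners = []
    try:
        pids = os.listdir(proc)
    except OSError:                              # no /proc at all
        return owners
    for pid in pids:
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                          # another user's process, or it exited
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    with open(os.path.join(proc, pid, "comm")) as fh:
                        owners.append((int(pid), fh.read().strip()))
                    break
            except OSError:
                continue
    return owners


if __name__ == "__main__":
    import sys
    dst = sys.argv[1] if len(sys.argv) > 1 else "172.217.16.1"
    with open("/proc/net/tcp") as fh:
        live = fh.read()
    for e in connections_to(live, dst):
        print(e["local"], "->", e["remote"], e["state"], socket_owner(e["inode"]))
```

Run it as `python3 owner.py <DST from the log line>` right after the log entry appears; the connection is only in /proc/net/tcp while it is open (or in TIME_WAIT), which is why the post above ties the lookup to the moment of detection. IPv6 sockets live in /proc/net/tcp6 with 32-hex-digit addresses and are not handled here.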
donalduck
Level 4
Posts: 201
Joined: Mon Oct 07, 2013 1:43 pm
Location: there

Re: iptables filtering [Nevermind]

Post by donalduck »

Hello,

Maybe what you want for this logging task is nftables, the expected (sic) debian replacement for iptables.

From https://wiki.debian.org/nftables#What_a ... erences.3F:
In iptables there are several tables (filter, nat) and chains (FORWARD, INPUT...) by default.
In nftables, there are no default tables/chains.

Also, in iptables you only have one target per rule (-j ACCEPT, -j LOG ...).
In nftables, you can perform several actions in one single rule.

nftables includes built-in data sets capabilities. In iptables this is not possible, and there is a separated tool: ipset.

In the iptables framework there are tools per family: iptables, ip6tables, arptables, ebtables.
Now, nftables allows you to manage all families in one single CLI tool.

This new framework features a new linux kernel subsystem, known as nf_tables.
The new engine mechanism is inspired by BPF-like systems, with a set of basic expressions, which can be combined to build complex filtering rules.
Other useful links:
https://en.wikipedia.org/wiki/Nftables

https://wiki.nftables.org/wiki-nftables ... ng_traffic
1000
Level 4
Posts: 426
Joined: Wed Jul 29, 2020 2:14 am

Re: iptables filtering [Nevermind]

Post by 1000 »

donalduck, do you use and know nftables?

The recent module is interesting.
https://liquidstate.net/stop-brute-forc ... -iptables/
rene
Level 17
Posts: 7766
Joined: Sun Mar 27, 2016 6:58 pm

Re: iptables filtering [Nevermind]

Post by rene »

I sort of doubt it would be a good idea to self-install/configure nftables. I haven't tried it myself, having no use for it, but specifically for the privatised logging see the first answer at

https://serverfault.com/questions/75271 ... c-log-file

That is, 1) tag the iptables messages of interest via iptables' LOG target, 2) configure syslog to send so-tagged messages elsewhere. FWIW.
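The two steps rene describes, written out as an added example (not taken from the linked answer or from anyone in this thread): the LOG rule tags its messages with a prefix, and an rsyslog drop-in matches that prefix and diverts the messages to their own file. The drop-in file name 10-iptables.conf is an assumption; the only requirement is that it sorts before 50-default.conf, so the stop action runs before the catch-all rules that write /var/log/syslog and /var/log/kern.log. The prefix "[IPTables] " is the one used in the rules later in this thread.

```conf
# /etc/rsyslog.d/10-iptables.conf   (assumed name; must sort before 50-default.conf)
#
# Match on message text rather than on facility/priority (kern.warning), so only
# the tagged LOG messages are diverted. "contains" rather than "startswith",
# because kernel messages usually begin with the printk timestamp, e.g.
# "[40575.087912] [IPTables] IN= OUT=lo ...".
:msg, contains, "[IPTables] " -/var/log/iptables.log

# Discard the message after writing it so it does not also land in
# /var/log/syslog or /var/log/kern.log. On rsyslog older than 7 use "& ~".
& stop
```

Pair it with a rule ending in `-j LOG --log-prefix "[IPTables] "` and restart rsyslog (`systemctl restart rsyslog`). `--log-level` only sets the kernel priority of the message; the match above is purely on the prefix string, so keep the prefix distinctive enough that no other kernel message contains it. Remember to add the new file to logrotate as well.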
1000
Level 4
Posts: 426
Joined: Wed Jul 29, 2020 2:14 am

Re: iptables filtering [Nevermind]

Post by 1000 »

Thank you to everyone, especially rene.


Log file.
The way in the link looks good and it looks like it is working. :D
How to create a separate file /var/log/iptables.log
- Problem solved


Iptables filtering.
" Like --rcheck, except it will update the "last seen" timestamp if it matches. "
https://ipset.netfilter.org/iptables-ex ... s.man.html
I don't understand where the timestamp is, so I don't understand how it works.
So by trial and error I created these rules:

# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N CHAINLOG
-A INPUT -i lo -m comment --comment Default_policy_desktop_v4 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment Default_policy_desktop_v4 -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -j CHAINLOG
-A CHAINLOG -m recent --set --name NEWCONN --mask 255.255.255.255 --rdest
-A CHAINLOG -m recent ! --rcheck --seconds 60 --hitcount 2 --name NEWCONN --mask 255.255.255.255 --rdest -j LOG --log-prefix "[IPTables] " --log-level 6
Every new, first connection is saved to /var/log/iptables.log
and subsequent internet connections with the same destination IP address are ignored for 60 seconds.
It means that if the break between connections to the same destination address is greater than 60 seconds,
the IP address is removed from memory.
And if after this time it tries to make a new connection, this event will be recorded in the event log ( /var/log/iptables.log ).

Example test

$ for K in {1..240} ; do  date +%T ; nc -vz 127.0.0.1 58 ; sleep 2 ; done
02:07:25
nc: connect to 127.0.0.1 port 58 (tcp) failed: Connection refused
02:07:27
nc: connect to 127.0.0.1 port 58 (tcp) failed: Connection refused
02:07:29
nc: connect to 127.0.0.1 port 58 (tcp) failed: Connection refused
02:07:31
nc: connect to 127.0.0.1 port 58 (tcp) failed: Connection refused
02:07:33
nc: connect to 127.0.0.1 port 58 (tcp) failed: Connection refused
02:07:35
nc: connect to 127.0.0.1 port 58 (tcp) failed: Connection refused
Example log:

May 23 02:07:25 user kernel: [40575.087912] [IPTables] IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1338 DF PROTO=TCP SPT=41644 DPT=58 WINDOW=65495 RES=0x00 SYN URGP=0 
When testing with a web browser, I noticed a double event once.
If this is an error, it is acceptable to me.
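The two rate-limiting behaviours that appear in this thread differ in a way worth seeing on data. The first post asks for one log line per destination IP per 5 minutes. The recent-module pair in the last post (`--set` followed by `! --rcheck --seconds 60 --hitcount 2`) logs a hit only when the previous hit for that destination is more than 60 seconds old, and because `--set` refreshes the entry on every packet, a destination contacted steadily is logged once and then never again while the traffic continues. (The hashlimit rule in the first post did not suppress anything because `--hashlimit-upto 60/sec` allows sixty matches per second per destination.) The added example below, which is not code from the thread, reproduces both behaviours as a post-filter over log lines, the approach the third post calls "filter the log file itself afterwards". The log lines are constructed in the format shown in this thread; real syslog lines carry no year, so one is assumed (YEAR).

```python
"""Post-filter iptables LOG lines so each destination IP is reported at most
once per window, and compare the first post's requirement ("fixed") with what
the recent-module rules in the last post actually do ("idle").

Added example, not code from the thread. SAMPLE_LOG is constructed in the
format shown above; the year is assumed because syslog timestamps lack one.
"""
import re
import sys
from datetime import datetime

YEAR = 2021                    # assumption: syslog timestamps carry no year
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?\bDST=(\S+)")

# Constructed: five connections to 172.217.16.1 and one to 198.51.100.7.
SAMPLE_LOG = """\
May 19 11:50:11 host kernel: [100.1] [IPTables] IN= OUT=wlan0 SRC=192.0.2.10 DST=172.217.16.1 LEN=60 PROTO=TCP SPT=41644 DPT=443 SYN
May 19 11:50:12 host kernel: [101.2] [IPTables] IN= OUT=wlan0 SRC=192.0.2.10 DST=172.217.16.1 LEN=60 PROTO=TCP SPT=41645 DPT=443 SYN
May 19 11:50:35 host kernel: [124.3] [IPTables] IN= OUT=wlan0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=41646 DPT=443 SYN
May 19 11:51:19 host kernel: [168.4] [IPTables] IN= OUT=wlan0 SRC=192.0.2.10 DST=172.217.16.1 LEN=60 PROTO=TCP SPT=41647 DPT=443 SYN
May 19 11:55:30 host kernel: [419.5] [IPTables] IN= OUT=wlan0 SRC=192.0.2.10 DST=172.217.16.1 LEN=60 PROTO=TCP SPT=41648 DPT=443 SYN
May 19 11:56:00 host kernel: [449.6] [IPTables] IN= OUT=wlan0 SRC=192.0.2.10 DST=172.217.16.1 LEN=60 PROTO=TCP SPT=41649 DPT=443 SYN
"""


def parse_line(line):
    """Return (datetime, dst) for an iptables LOG line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2)


def dedupe(lines, window, mode):
    """Return the lines a per-destination limiter would have logged.

    mode="fixed": the first post's wording. One line per DST per `window`
        seconds, the timer starting at the last *logged* hit.
    mode="idle":  the recent-module rules from the last post. Every hit,
        logged or not, refreshes the timer, so a hit is logged only when the
        previous hit for that DST is more than `window` seconds old.
    """
    if mode not in ("fixed", "idle"):
        raise ValueError(f"unknown mode {mode!r}")
    last = {}                  # dst -> datetime of the hit that started the timer
    kept = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, dst = parsed
        prev = last.get(dst)
        log_it = prev is None or (ts - prev).total_seconds() > window
        if log_it or mode == "idle":
            last[dst] = ts
        if log_it:
            kept.append(line)
    return kept


if __name__ == "__main__":
    # Usage: python3 dedupe.py [fixed|idle] [seconds] < /var/log/iptables.log
    mode = sys.argv[1] if len(sys.argv) > 1 else "fixed"
    window = int(sys.argv[2]) if len(sys.argv) > 2 else 300
    for line in dedupe(sys.stdin.read().splitlines(), window, mode):
        print(line)
```

On the constructed sample, "fixed" with a 300 s window keeps three lines (the first hit on each destination and the 11:55:30 hit, 319 s after the first), whereas "idle" with the same window keeps only two, because the 11:51:19 and 11:55:30 hits each arrive within 300 s of the previous one and keep refreshing the timer. That is the trade-off behind the recent rules: cheap and in-kernel, but a destination that stays busy disappears from the log after its first entry.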