IPTABLES – Log network traffic

Intent: workaround for when the tcpdump tool is not available.

Issue: tcpdump is not installed on the system being troubleshot, so the iptables LOG target is used instead to record packet headers in the kernel log (read with dmesg, journalctl -k, or /var/log/messages / kern.log depending on the syslog setup). LOG is non-terminating: the packet continues through the chain after being logged, so a LOG rule never changes filtering behaviour. --log-prefix accepts at most 29 characters.

Notes:

Log everything (depending on target chain). Inserted at position 1 so they fire before any ACCEPT/DROP; with no match criteria they log every packet, which can flood the kernel log on a busy host, so remove them as soon as the capture is done:

  • # iptables -I INPUT 1 -j LOG --log-prefix "#### Tmp logging ####"
  • # iptables -I FORWARD 1 -j LOG --log-prefix "#### Tmp logging ####"
  • # iptables -I OUTPUT 1 -j LOG --log-prefix "#### Tmp logging ####"

Log network activity in the nat table. Only the first packet of each connection traverses the nat table, so these rules log new connections rather than every packet:

  • # iptables -t nat -I PREROUTING 1 -j LOG
  • # iptables -t nat -I POSTROUTING 1 -j LOG
  • # iptables -t nat -I OUTPUT 1 -j LOG

Insert log rule at the top of the chain for a specific source host

  • # iptables -I INPUT -s x.x.192.136/32 -j LOG --log-prefix 'DCSTest'

Append log rule to the bottom of the chain for a specific host (note that a rule appended after a matching ACCEPT or DROP is never reached)

  • # iptables -A INPUT -s x.x.38.68/32 -p udp --dport 1514 -j LOG --log-prefix 'EXI6_Log'

Insert log rule at the top of the chain for a specific host, udp, and port number
# iptables -I INPUT -s x.x.38.68/32 -p udp --dport 1514 -j LOG --log-prefix 'EXI6_Log'

Insert log rule at the top of the chain for a specific host
# iptables -I INPUT -s x.x.192.1/32 -j LOG --log-prefix 'ISRTEST'

Insert log rule at position 5 to match host, udp, and port number
# iptables -I INPUT 5 -s x.x.192.136/32 -p udp --dport 1514 -j LOG --log-prefix 'DCTEST'

——————————————————————————
These rule sets can be used to insert a log rule, then delete it when finished

Insert log rules to log udp 1514 and udp 514 traffic
# iptables -I INPUT -p udp --dport 1514 -j LOG --log-prefix 'Log_1514'
# iptables -I INPUT -p udp --dport 514 -j LOG --log-prefix 'Log_514'

Delete a rule from the chain. The specification given to -D must match the inserted rule exactly, prefix included, or iptables reports that no matching rule exists:
# iptables -D INPUT -p udp --dport 1514 -j LOG --log-prefix 'Log_1514'
# iptables -D INPUT -p udp --dport 514 -j LOG --log-prefix 'Log_514'
——————————————————————————
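The insert, capture and delete steps above combined into one script, as an added example that is not part of the original notes: it inserts a rate-limited LOG rule for one source host in a chosen chain, removes the same rule again on exit (including Ctrl-C), and parses the resulting kernel-log lines into a tcpdump-style one-line-per-packet summary. It generalizes the notes slightly: the parser works on any iptables LOG output, whichever chain or match produced it. The TMPLOG prefix, the 50/second limit, the function names and the sample log lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Temporary iptables LOG capture with automatic cleanup, plus a parser that
# turns the resulting kernel-log lines into a tcpdump-style summary.
# Added example. Assumes iptables with the LOG target and the limit match,
# and a kernel log readable with dmesg. Must run as root to change rules.

# Prefix for the temporary rule (assumed name). The trailing ": " keeps it
# separate from the IN= field the kernel prints right after it, and the
# whole string stays under the 29-character limit of --log-prefix.
PREFIX='TMPLOG: '

# Insert ($1=-I) or delete ($1=-D) the temporary rule for host $3 in chain $2.
# Both paths build the identical rule spec, because -D only matches a rule
# whose specification (prefix included) is exactly the one that was inserted.
# The limit match caps the log rate so a busy host cannot flood the kernel log.
log_rule() {
    iptables "$1" "$2" -s "$3" -m limit --limit 50/second --limit-burst 100 \
        -j LOG --log-prefix "$PREFIX"
}

# Parse iptables LOG lines on stdin (dmesg, journalctl -k, kern.log) that carry
# prefix $1 and print one line per packet:
#   <in-iface> <proto> <src>:<sport> -> <dst>:<dport>   ("-" when absent, e.g. ICMP)
parse_iptables_log() {
    set -f   # no globbing while each log line is word-split below ([1234.567] is a glob)
    grep -F -- "$1" | while IFS= read -r line; do
        in='' proto='' src='' dst='' spt='' dpt=''
        for kv in $line; do
            case "$kv" in
                IN=*)    in="${kv#IN=}" ;;
                PROTO=*) proto="${kv#PROTO=}" ;;
                SRC=*)   src="${kv#SRC=}" ;;
                DST=*)   dst="${kv#DST=}" ;;
                SPT=*)   spt="${kv#SPT=}" ;;
                DPT=*)   dpt="${kv#DPT=}" ;;
            esac
        done
        printf '%s %s %s:%s -> %s:%s\n' \
            "${in:--}" "$proto" "$src" "${spt:--}" "$dst" "${dpt:--}"
    done
    set +f
}

# Insert the rule in chain $1 for host $2, capture for $3 seconds, remove the
# rule again on exit (a SIGINT/SIGTERM is turned into an exit so the EXIT trap
# still runs), then print what was logged.
tmp_log_capture() {
    chain="$1"; host="$2"; seconds="${3:-30}"
    log_rule -I "$chain" "$host"
    trap 'log_rule -D "$chain" "$host"' EXIT
    trap 'exit 130' INT TERM
    sleep "$seconds"
    dmesg | parse_iptables_log "$PREFIX"
}

# Constructed sample of what the kernel writes for the rule above: two matching
# packets (UDP to 1514 and an ICMP echo) and one line with an unrelated prefix
# that the parser must ignore. Not real captured data.
SAMPLE_LOG='kernel: [1234.567] TMPLOG: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.38.68 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=UDP SPT=45120 DPT=1514 LEN=40
kernel: [1235.001] TMPLOG: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.192.136 DST=10.0.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
kernel: [1235.500] OTHER: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.5 PROTO=TCP SPT=51000 DPT=22'

# Usage as root:  sh tmplog.sh INPUT 10.0.38.68 30
# Without arguments, only demonstrate the parser on the constructed sample.
if [ "$#" -eq 3 ]; then
    tmp_log_capture "$1" "$2" "$3"
else
    printf '%s\n' "$SAMPLE_LOG" | parse_iptables_log "$PREFIX"
fi
```

Run without arguments it prints the two matching sample packets and drops the OTHER-prefixed line. With chain, host and a duration it behaves like a short tcpdump session against that host: the rule exists only while the script runs, and because insert and delete go through the same function the -D cannot drift from the -I.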