McAfee SG310 Administration Manual page 375

System Log
Creating custom log rules
For example, to log all inbound access requests from anywhere on the Internet (0.0.0.0/0) to the PPTP
service (port 1723) on the appliance (IP address 1.2.3.4):
iptables -I INPUT -j LOG -p tcp --syn -s 0.0.0.0/0 -d 1.2.3.4 --dport 1723 --log-prefix "Internet PPTP access: "
To find the resultant log entry in the logs, simply search for the prefix, in this instance "Internet PPTP
access".
If, for example, site 192.0.1.2 attempted to access the PPTP port of the appliance, the resultant log
message would look something like this:
<12> Jan 24 17:19:17 2000 klogd: Internet PPTP access: IN=eth0 OUT= MAC=00:d0:cf:00:07:03:00:50:bf:20:66:4d:08:00 SRC=192.0.1.2 DST=1.2.3.4 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=43470 DF PROTO=TCP SPT=4508 DPT=1723 WINDOW=64240 RES=0x00 SYN URGP=0
Notice how OUT is set to nothing. This indicates that the packet was attempting to reach a service on the
appliance rather than attempting to pass through it.
A very similar scenario occurs for logging access requests that are attempting to pass through the
appliance. It merely requires replacing the INPUT keyword with FORWARD. Thus, to log permitted inbound
requests to services hosted on a server behind the appliance, or outbound requests to services on a public
network server, use:
iptables -I FORWARD -j LOG -p tcp --syn -s <X.X.X.X/XX> -d <Y.Y.Y.Y/YY> --dport <Z> --log-prefix <prefix>
For example, to log all inbound requests from the IP address 5.6.7.8 to the mail server (port 25) on the
machine flubber on the LAN with address 192.168.1.1:
iptables -I FORWARD -j LOG -p tcp --syn -s 5.6.7.8/32 -d 192.168.1.1 --dport 25 --log-prefix "Mail for flubber: "
This results in log output similar to:
<12> Jan 24 18:17:19 2000 klogd: Mail for flubber: IN=eth1 OUT=eth0 SRC=5.6.7.8 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=45507 DF PROTO=TCP SPT=4088 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
Notice the OUT value has now changed to show which interface the access attempt used to reach the
internal host. As this request arrived on eth1 and was destined for eth0, it was an inbound request, since
eth0 is the LAN port, and eth1 is usually the WAN port.
An outbound request would have IN=eth0 and OUT=eth1.
It is possible to use the -i and -o arguments to specify the interfaces that are to be considered for IN and
OUT respectively. When the ! argument is used before the interface name, the sense is inverted. A name
ending in a + matches any interface whose name begins with the given string.
iptables -I FORWARD -j LOG -i eth0 -p tcp ...
This rule logs outbound traffic from the LAN (eth0) only. To further limit that, specify which interface it is
outbound to, using the -o option:
iptables -I FORWARD -j LOG -i eth0 -o eth1 -p tcp ...
This logs LAN traffic destined for the WAN, but will not log LAN traffic destined for a PPP or perhaps an
IPSec link.
Similarly, you could construct a rule that looks at all inbound/outbound traffic, but excludes VPN traffic,
thus:
iptables -I FORWARD -j LOG -i eth+ -o eth+ -p tcp ...
If you just wanted to look at traffic that went out to the IPSec world, you could use:
iptables -I FORWARD -j LOG -o IPSec+
There are many more combinations possible. It is possible to write rules that log inbound and outbound
traffic, or to construct several rules that differentiate between the two.
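The two things this section asks the reader to do by eye, read the direction of a request off the IN and OUT fields of a LOG entry, and predict which entries a FORWARD rule with -i / -o (including the ! and + forms) would produce, can be done mechanically when reviewing logs. The following is an added example, not code from the McAfee UTM Firewall guide. It parses the klogd-style lines shown on this page into key/value fields, classifies each entry as to-appliance, inbound or outbound using the page's assumption that eth0 is the LAN port and eth1 the WAN port, and emulates iptables interface matching. The log text is constructed: the first two lines mirror the page's samples, the last two (a LAN-to-WAN and a LAN-to-VPN request, with an assumed interface name IPSec0) are made up for illustration.

```python
"""Parse netfilter LOG entries and emulate -i/-o interface matching.

Added example for this page, not code from the McAfee UTM Firewall guide.
Assumptions: eth0 is the LAN port and eth1 the WAN port (as the page states);
VPN interfaces are named IPSec<n>; the klogd timestamp layout matches the
page's samples.
"""
import re

LAN_IFACE = "eth0"  # assumption from the page: eth0 is the LAN port
WAN_IFACE = "eth1"  # assumption from the page: eth1 is usually the WAN port

# Constructed sample log: the first two lines mirror the page's examples,
# the last two are made up to show LAN-to-WAN and LAN-to-VPN forwarding.
SAMPLE_LOG = """\
<12> Jan 24 17:19:17 2000 klogd: Internet PPTP access: IN=eth0 OUT= MAC=00:d0:cf:00:07:03:00:50:bf:20:66:4d:08:00 SRC=192.0.1.2 DST=1.2.3.4 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=43470 DF PROTO=TCP SPT=4508 DPT=1723 WINDOW=64240 RES=0x00 SYN URGP=0
<12> Jan 24 18:17:19 2000 klogd: Mail for flubber: IN=eth1 OUT=eth0 SRC=5.6.7.8 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=45507 DF PROTO=TCP SPT=4088 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
<12> Jan 24 18:20:02 2000 klogd: LAN to WAN: IN=eth0 OUT=eth1 SRC=192.168.1.50 DST=203.0.113.9 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=1001 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
<12> Jan 24 18:21:30 2000 klogd: LAN to VPN: IN=eth0 OUT=IPSec0 SRC=192.168.1.50 DST=10.9.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=1002 DF PROTO=TCP SPT=51001 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# <pri> timestamp klogd: <log-prefix> IN=...  (the prefix is whatever precedes "IN=")
LINE_RE = re.compile(
    r"^<\d+>\s+(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d \d{4}) klogd: "
    r"(?P<prefix>.*?)\s*(?P<fields>IN=.*)$"
)


def parse_log_line(line):
    """Return {'ts', 'prefix', 'fields', 'flags'} or None if the line is not a LOG entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)  # "OUT=" yields an empty value
            fields[key] = value
        else:
            flags.add(tok)                  # bare tokens such as DF and SYN
    return {"ts": m.group("ts"), "prefix": m.group("prefix").rstrip(": "),
            "fields": fields, "flags": flags}


def classify(entry):
    """Direction as the page describes it: an empty OUT means the packet was for the appliance."""
    inp, out = entry["fields"].get("IN", ""), entry["fields"].get("OUT", "")
    if out == "":
        return "to-appliance"
    if inp == WAN_IFACE and out == LAN_IFACE:
        return "inbound"
    if inp == LAN_IFACE and out == WAN_IFACE:
        return "outbound"
    return "other"  # e.g. LAN to a VPN or PPP link


def iface_matches(pattern, name):
    """Emulate iptables -i/-o matching: a leading '!' inverts, a trailing '+' is a prefix wildcard."""
    negate = pattern.startswith("!")
    pat = pattern[1:].strip() if negate else pattern
    hit = name.startswith(pat[:-1]) if pat.endswith("+") else name == pat
    return hit != negate


def rule_would_log(entry, in_pat=None, out_pat=None):
    """Would a FORWARD LOG rule with these -i/-o patterns match this entry? None = option omitted."""
    f = entry["fields"]
    if f.get("OUT", "") == "":
        return False  # packets addressed to the appliance itself never traverse FORWARD
    if in_pat is not None and not iface_matches(in_pat, f.get("IN", "")):
        return False
    if out_pat is not None and not iface_matches(out_pat, f.get("OUT", "")):
        return False
    return True


def parse_log(text):
    return [e for e in (parse_log_line(l) for l in text.splitlines()) if e]


def summarize(text):
    """(prefix, SRC, DST, DPT, direction) for every LOG entry in text."""
    return [(e["prefix"], e["fields"]["SRC"], e["fields"]["DST"],
             e["fields"].get("DPT"), classify(e)) for e in parse_log(text)]


def select(text, in_pat=None, out_pat=None):
    """Prefixes of the entries a FORWARD rule with -i in_pat / -o out_pat would have logged."""
    return [e["prefix"] for e in parse_log(text) if rule_would_log(e, in_pat, out_pat)]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
    print("LAN -> non-Ethernet (VPN/PPP):", select(SAMPLE_LOG, "eth0", "! eth+"))
```

Running the script prints one tuple per entry with its direction, then the entries that the rule `-i eth0 ! -o eth+` would have matched. `select(SAMPLE_LOG, "eth+", "eth+")` reproduces the "all Ethernet traffic but not VPN" rule from the text, and `select(SAMPLE_LOG, out_pat="IPSec+")` the IPSec-only one; the `+` wildcard is implemented as a plain prefix test, which is how iptables treats it.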
McAfee UTM Firewall 4.0.4 Administration Guide
