{"id":1178,"date":"2015-10-22T15:15:02","date_gmt":"2015-10-22T13:15:02","guid":{"rendered":"https:\/\/elkano.org\/blog\/?p=1178"},"modified":"2015-10-27T09:04:12","modified_gmt":"2015-10-27T08:04:12","slug":"log-traffic-user-iptables","status":"publish","type":"post","link":"https:\/\/elkano.org\/blog\/log-traffic-user-iptables\/","title":{"rendered":"Log traffic by user with iptables"},"content":{"rendered":"<p>This is a short post explaining how to log the uid and gid of the user who is making a connection on a server:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-linenumbers=\"false\" data-enlighter-theme=\"enlighter\" data-enlighter-language=\"xml\">iptables -N log_traffic\r\niptables -I OUTPUT 1 -p tcp -m multiport --dports 80,443 -m state --state NEW -j log_traffic\r\niptables -A log_traffic -j LOG --log-uid --log-prefix &quot;iptables: &quot;\r\n<\/pre>\n<p>Explanation:<\/p>\n<ol>\n<li>Create a new iptables chain named log_traffic.<\/li>\n<li>Send all new TCP connections from the OUTPUT chain to the log_traffic chain if the destination port is http (80) or https (443).<\/li>\n<li>Log all traffic reaching the log_traffic chain, including the uid\/gid of the process that owns the socket.<\/li>\n<\/ol>\n<p>With rsyslog, identify the iptables traffic and write it to a separate log file. 
Edit \/etc\/rsyslog.conf and add the following line:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-linenumbers=\"false\" data-enlighter-theme=\"enlighter\" data-enlighter-language=\"xml\">:msg, contains, &quot;iptables: &quot;  -\/var\/log\/iptables.log\r\n<\/pre>\n<p>You will see entries like this, with the uid and gid of the user making the connection:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-linenumbers=\"false\" data-enlighter-theme=\"enlighter\" data-enlighter-language=\"xml\">Oct 22 14:44:54 host4sx56 kernel: [6828668.226415] iptables: IN= OUT=eth355 SRC=192.168.1.2 DST=172.17.16.52 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=11754 DF PROTO=TCP SPT=35734 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=3106 GID=3106\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>This is a short post explaining how to log the uid and gid of the user who is making a connection on a server: iptables -N log_traffic iptables -I OUTPUT 1 -p tcp -m multiport &#8211;dports 80,443 -m state &#8211;state NEW -j log_traffic iptables -A log_traffic -j LOG &#8211;log-uid &#8211;log-prefix &quot;iptables: &quot; Explanation: Create a 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3,27],"tags":[71],"_links":{"self":[{"href":"https:\/\/elkano.org\/blog\/wp-json\/wp\/v2\/posts\/1178"}],"collection":[{"href":"https:\/\/elkano.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/elkano.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/elkano.org\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/elkano.org\/blog\/wp-json\/wp\/v2\/comments?post=1178"}],"version-history":[{"count":8,"href":"https:\/\/elkano.org\/blog\/wp-json\/wp\/v2\/posts\/1178\/revisions"}],"predecessor-version":[{"id":1187,"href":"https:\/\/elkano.org\/blog\/wp-json\/wp\/v2\/posts\/1178\/revisions\/1187"}],"wp:attachment":[{"href":"https:\/\/elkano.org\/blog\/wp-json\/wp\/v2\/media?parent=1178"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/elkano.org\/blog\/wp-json\/wp\/v2\/categories?post=1178"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/elkano.org\/blog\/wp-json\/wp\/v2\/tags?post=1178"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}