
Log all traffic in Ubuntu

tags: NTUToolmenLab

Add a logger in iptables

About iptables
https://www.hostinger.com/tutorials/iptables-tutorial
https://help.ubuntu.com/community/IptablesHowTo

Show the current rules

sudo iptables --line-numbers -L
sudo iptables --line-numbers -L OUTPUT

Add logger

iptables -A OUTPUT -j LOG --log-prefix 'iptable log: ' --log-level 7

or, more cleanly, via a dedicated chain

iptables -N LOGGER
iptables -A LOGGER -j LOG --log-prefix 'iptable log: ' --log-level 7
iptables -A OUTPUT -j LOGGER

Insert it at the top of the chain, so that an earlier rule cannot accept or drop the packet before it is logged.
iptables -I OUTPUT -j LOGGER
iptables -I INPUT -j LOGGER

If you want to monitor docker (container traffic passes through the FORWARD chain)
iptables -I FORWARD -j LOGGER

Delete it if needed, by rule number
iptables -D OUTPUT 1

Reference

Separate from syslog

The concept of syslog
https://www.the-art-of-web.com/system/rsyslog-config/

For Ubuntu 18.04, run cat /var/log/syslog or cat /var/log/kern.log to see the log

method 1

Filter the iptables logger messages into a dedicated file

edit
/etc/rsyslog.d/iptable_logger.conf

:msg,contains,"iptable log: " /var/log/iptable.log

method 2 (Recommended)

Keep the messages out of kern.log and syslog

Add the lines below at the beginning of /etc/rsyslog.d/50-default.conf, before the default rules, so the stop takes effect first

:msg,startswith," iptable log: " /var/log/iptable.log
:msg,startswith," iptable log: " stop

Better format

/etc/rsyslog.conf

module(load="imklog" ParseKernelTimestamp="on" KeepKernelTimestamp="off")
# $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template mycleanformat,"%TIMESTAMP:::date-rfc3339% %syslogtag% %syslogseverity-text% %msg%\n"
$ActionFileDefaultTemplate mycleanformat

Reload the configuration by restarting the daemon
systemctl restart syslog
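As an added example (not part of this note), a small Python parser for the lines that end up in /var/log/iptable.log once the mycleanformat template above is active: it splits the kernel's key=value body into a record, keeps bare tokens such as DF or SYN as flags, and counts the destinations seen. The sample lines are constructed for the example, and one unrelated sshd line is included only to show that non-LOGGER lines are skipped.

```python
import re
from collections import Counter

# Constructed sample of /var/log/iptable.log in the mycleanformat layout:
# "%TIMESTAMP:::date-rfc3339% %syslogtag% %syslogseverity-text% %msg%"
# The kernel msg keeps its leading space, so two spaces precede "iptable log:".
SAMPLE_LOG = """\
2019-05-01T10:00:00.123456+08:00 kernel: debug  iptable log: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
2019-05-01T10:00:01.000001+08:00 kernel: debug  iptable log: IN= OUT=eth0 SRC=10.0.0.1 DST=10.0.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=51234 WINDOW=227 RES=0x00 ACK URGP=0
2019-05-01T10:00:02.500000+08:00 kernel: debug  iptable log: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=5353 DPT=53 LEN=58
2019-05-01T10:00:03.000000+08:00 kernel: debug  iptable log: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=777 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
2019-05-01T10:00:04.000000+08:00 sshd[1234]: info  Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
"""

# timestamp, syslogtag, severity, then the LOG prefix and the kernel's key=value body
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<tag>\S+) (?P<sev>\S+)\s+iptable log: (?P<body>.*)$")


def parse_line(line):
    """Parse one mycleanformat line; return None for lines not produced by the LOGGER chain."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = {"ts": m.group("ts"), "severity": m.group("sev"), "flags": []}
    for token in m.group("body").split():
        if "=" in token:
            key, _, value = token.partition("=")
            # UDP lines repeat LEN (IP header, then UDP header): keep the first one
            rec.setdefault(key, value)
        else:
            # DF, SYN, ACK, ... are bare tokens, not key=value pairs
            rec["flags"].append(token)
    return rec


def parse_log(text):
    """Return the parsed records for every LOGGER line in a log file's text."""
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def top_destinations(records, n=3):
    """Most common (DST, PROTO, DPT) triples: a quick view of what the host talks to."""
    counts = Counter((r.get("DST"), r.get("PROTO"), r.get("DPT")) for r in records)
    return counts.most_common(n)


if __name__ == "__main__":
    for dst, count in top_destinations(parse_log(SAMPLE_LOG)):
        print(count, dst)
```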

Reference

Make it smaller

Using logrotate
/etc/logrotate.d/rsyslog

/var/log/iptable.log
{
    rotate 99
    size 500M
    missingok
    notifempty
    delaycompress
    compress
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}

Because logrotate runs once a day by default, not continuously,
create a crontab entry to run it more often.
/etc/cron.d/iptable-log-rotate

*/10  *  *  *  *   root /usr/sbin/logrotate /etc/logrotate.conf

sudo systemctl restart cron

In my machine, the 100MB log file can be compressed into about 5MB

Do the same for systemd-journald

edit /etc/systemd/journald.conf to set
SystemMaxUse=1G

sudo systemctl restart systemd-journald

or stop the journal entirely
sudo systemctl stop systemd-journald*

Reference:

With calico (brute force)

Force the rule back in, because calico re-checks and rewrites its iptables chains every 60 seconds

while true; do
    if ! iptables -L cali-FORWARD | grep -q LOGGER; then
        iptables -I  cali-FORWARD -j LOGGER;
        echo `date` "ADD"
    fi
    sleep 0.1;
done

And lengthen calico's check interval in calico.yml

- name: FELIX_IPTABLESPOSTWRITECHECKINTERVALSECS
  value: "10"

Reference

CODE

Overall code

# backup
sudo cp /etc/rsyslog.d/50-default.conf /etc/rsyslog.d/50-default.conf.bak
sudo cp /etc/rsyslog.conf /etc/rsyslog.conf.bak
sudo cp /etc/logrotate.d/rsyslog /opt/rsyslog.bak
# iptable filter
sudo sed -i '/iptable log/d' /etc/rsyslog.d/50-default.conf
sudo sed -i '/Logging iptable/d' /etc/rsyslog.d/50-default.conf
cat << EOF | cat - /etc/rsyslog.d/50-default.conf > tmp && sudo mv tmp /etc/rsyslog.d/50-default.conf
# Logging iptable in other logfile
:msg,startswith," iptable log: " /var/log/iptable.log
:msg,startswith," iptable log: " stop
EOF
# syslog format
sudo sed -i '/template mycleanformat/d' /etc/rsyslog.conf
sudo sed -i 's/.*imklog.*/module(load="imklog" ParseKernelTimestamp="on" KeepKernelTimestamp="off")/g' /etc/rsyslog.conf
sudo sed -i '1 i\$template mycleanformat,"%TIMESTAMP:::date-rfc3339% %syslogtag% %syslogseverity-text% %msg%\\n"' /etc/rsyslog.conf
sudo sed -i 's/ActionFileDefaultTemplate.*/ActionFileDefaultTemplate mycleanformat/g' /etc/rsyslog.conf
# log
echo "*/10 * * * * root /usr/sbin/logrotate /etc/logrotate.conf" > tmp && sudo mv tmp /etc/cron.d/iptable-log-rotate
cat /etc/logrotate.d/rsyslog | tr '\n' '\r' | sed -e 's~/var/log/iptable.log.*{.*}~~g' | tr '\r' '\n' > tmp
cat << EOF >> tmp
/var/log/iptable.log
{
rotate 99
size 500M
missingok
notifempty
delaycompress
compress
postrotate
/usr/lib/rsyslog/rsyslog-rotate
endscript
}
EOF
sudo mv tmp /etc/logrotate.d/rsyslog
# set permission
sudo chmod 644 /etc/logrotate.d/rsyslog
sudo chown root:root /etc/logrotate.d/rsyslog
sudo chmod 644 /etc/cron.d/iptable-log-rotate
sudo chown root:root /etc/cron.d/iptable-log-rotate
sudo chmod 644 /etc/rsyslog.d/50-default.conf
sudo chown root:root /etc/rsyslog.d/50-default.conf
# restart
sudo systemctl stop systemd-journald*
sudo systemctl restart cron
sudo systemctl restart syslog
# Force to write iptable
cat << 'EOF' > tmp
#!/bin/bash
# create chain (idempotent: -N fails harmlessly if it already exists, -F empties it)
iptables -N LOGGER 2>/dev/null
iptables -F LOGGER
iptables -A LOGGER -j LOG --log-prefix 'iptable log: ' --log-level 7

# ensure LOGGER is rule 1 of the given chain; remove a displaced copy first
ensure_logger() {
    chain=$1
    if ! iptables -L "$chain" --line-numbers | grep -q "^1\s*LOGGER"; then
        old=$(iptables -L "$chain" --line-numbers | grep LOGGER | awk '{ print $1 }' | head -n1)
        [ -n "$old" ] && iptables -D "$chain" "$old"
        iptables -I "$chain" -j LOGGER
        echo "$(date) ADD $chain"
    fi
}

# force create rule
while true; do
    ensure_logger FORWARD
    ensure_logger INPUT
    ensure_logger OUTPUT
    sleep 0.1
done
EOF
chmod +x tmp
sudo mv tmp /opt/change_iptable.sh
# start script when reboot
sudo crontab -l > tmp
sudo sed -i '/change_iptable.sh/d' tmp
echo "@reboot /opt/change_iptable.sh &" >> tmp
sudo crontab tmp
rm tmp

TODO

  • Monitor in Kubernetes with calico-cni in a more formal way.