SnapGear 2.0.1 User Manual

Appendix C – System Log

180

To log permitted inbound access requests to services hosted on the CyberGuard SG
appliance, the rule should look something like this:

iptables -I INPUT -j LOG -p tcp --syn -s <X.X.X.X/XX> -d
<Y.Y.Y.Y/YY> --dport <Z> --log-prefix <prefix>

This will log any TCP (-p tcp) session initiations (--syn) that arrive from the IP
address/netmask X.X.X.X/XX (-s ...) and are going to Y.Y.Y.Y/YY, destination port Z (--
dport).

For example, to log all inbound access requests from anywhere on the Internet
(0.0.0.0/0) to the PPTP service (port 1723) on the CyberGuard SG appliance (IP address
1.2.3.4):

iptables -I INPUT -j LOG -p tcp --syn -s 0.0.0.0/0 -d 1.2.3.4
--dport 1723 --log-prefix "Internet PPTP access: "

To find the resultant log entry in the logs, simply search for the prefix, in this instance
"Internet PPTP access: ".

If for example site 192.0.1.2 attempted to access the CyberGuard SG appliance’s PPTP
port, the resultant log message would look something like this:

<12> Jan 24 17:19:17 2000 klogd: Internet PPTP access: IN=eth0
OUT= MAC=00:d0:cf:00:07:03:00:50:bf:20:66:4d:08:00 SRC=
DST=1.2.3.4 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=43470 DF
PROTO=TCP SPT=4508 DPT=1723 WINDOW=64240 RES=0x00 SYN URGP=0

Note how OUT is set to nothing. This indicates that the packet was attempting to reach a
service on the CyberGuard SG appliance, rather than attempting to pass through it.

A very similar scenario occurs for logging access requests that are attempting to pass
through the CyberGuard SG appliance. It merely requires replacing the INPUT keyword
with FORWARD.

Thus, to log permitted inbound requests to services hosted on a server behind the
CyberGuard SG appliance, or outbound requests to services on a public network server,
use:

iptables -I FORWARD -j LOG -p tcp --syn -s <X.X.X.X/XX> -d

<Y.Y.Y.Y/YY> --dport <Z> --log-prefix <prefix>