Using iptables to log http request to a file?

Discussion in 'Linux Networking' started by xiong.xu.cn@gmail.com, Aug 18, 2006.

  1. Guest

    Hi all,

    Can anyone give me a pointer on how to log HTTP requests to a file with
    iptables and ulogd?
    Is there any ulogd plugin that can parse the traffic and just log the needed
    HTTP request information (e.g. some HTTP header field)?
    Some sample source code would be great!

    Thanks in advance!

    Xiong
     
    , Aug 18, 2006
    #1

  2. On Friday 18 August 2006 13:13 wrote:

    > Hi all,
    >
    > Can anyone give me a pointer on how to log HTTP requests to a file with
    > iptables and ulogd?
    > Is there any ulogd plugin that can parse the traffic and just log the
    > needed HTTP request information (e.g. some HTTP header field)?
    > Some sample source code would be great!
    >
    > Thanks in advance!
    >
    > Xiong
    >
    >


    Without ULOG:
    To match some string:
    iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string "Some String" -j ACCEPT

    or better, use l7-filter to match some regex:
    put httpmypatern.pat in /etc/l7-protocols/extra/ with content:
    httpmypatern
    some_rexexp.*

    and use
    iptables -A INPUT -p tcp --dport 80 -m layer7 --l7proto httpmypatern -j ACCEPT
     
    Viktar Sakovich2038490794, Aug 18, 2006
    #2

  3. Guest

    Thanks, Viktar,

    By using '-j ACCEPT', all the packets matching the pattern will be
    accepted? Or just the packets matched will be accepted?
    For example, an HTTP request is composed of multiple lines, usually 'GET
    ...' followed by other HTTP header lines. In this case, will all the
    HTTP connection traffic be accepted?
    And, which is the better way to parse the matched data and write it to a log
    in a user-defined format?
    Should I use a ulogd plugin? Is there any sample that shows me how to write a
    custom log?

    Thanks again,
    Xiong

     
    , Aug 19, 2006
    #3
  4. On Saturday 19 August 2006 06:12 wrote:

    > Thanks, Viktar,
    >
    > By using '-j ACCEPT', all the packets matching the pattern will be
    > accepted? Or just the packets matched will be accepted?
    > For example, an HTTP request is composed of multiple lines, usually 'GET
    > ...' followed by other HTTP header lines. In this case, will all the
    > HTTP connection traffic be accepted?


    In the case of -m string, only matching packets are accepted, but in the
    case of l7-filter, all packets of the connection are accepted (l7-filter
    uses connection tracking to match the next packets of the connection).

    If you want to match for a connection with -m string, do the following:
    iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string "Some String" -j CONNMARK --set-mark 0x1
    iptables -A INPUT -m connmark --mark 0x1 -j ACCEPT


     
    Viktar Sakovich2038490794, Aug 19, 2006
    #4
  5. imx Guest

    So, how to log just the first few, say 100, packets?

    thx

     
    imx, Aug 20, 2006
    #5
  6. On Sunday 20 August 2006 16:46 imx wrote:

    > So, how to log just the first few, say 100, packets?
    >
    > thx


    Use connbytes, i.e. something like this:

    iptables -A INPUT -p tcp --dport 80 -m connbytes --connbytes 0:100 --connbytes-dir both --connbytes-mode packets -j ACCEPT

     
    Viktar Sakovich2038490794, Aug 20, 2006
    #6
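
An added example, not part of any post in this thread: one way to produce the user-defined log format asked about in post #3 from packets matched by the rules above. It assumes each packet reaches userspace as a raw IPv4 packet starting at the IP header and that the request line and headers fit in one TCP segment; the function names, the `WANTED` header list and the sample packet are constructed for illustration.

```python
import struct
WANTED = ("host", "user-agent")  # header fields to keep (example choice)

def tcp_payload(pkt: bytes):
    """Return (src_ip, payload) for a raw IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None                            # not IPv4 or not TCP
    ihl = (pkt[0] & 0x0F) * 4                  # IPv4 header length in bytes
    if ihl < 20 or len(pkt) < ihl + 20:
        return None
    total_len = struct.unpack("!H", pkt[2:4])[0]
    doff = (pkt[ihl + 12] >> 4) * 4            # TCP header length in bytes
    if doff < 20:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    return src, pkt[ihl + doff:total_len]

def http_log_line(pkt: bytes):
    """Return the log line, or None if no HTTP request starts in this packet."""
    parsed = tcp_payload(pkt)
    if parsed is None:
        return None
    src, data = parsed
    lines = data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None                            # SYN, bare ACK, mid-stream data
    fields = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.lower() in WANTED:
            fields[name.lower()] = value.strip()
    extras = " ".join(f'{k}="{fields[k]}"' for k in WANTED if k in fields)
    out = f"{src} {parts[0]} {parts[1]} {extras}".rstrip()
    # Request bytes are untrusted: mask control characters in the log line.
    return "".join(c if c.isprintable() else "?" for c in out)

def build_packet(payload: bytes) -> bytes:
    """Constructed sample packet 192.0.2.10:40000 -> 198.51.100.5:80."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6,
                     0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload

SAMPLE = build_packet(b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
                      b"User-Agent: demo\r\nAccept: */*\r\n\r\n")

if __name__ == "__main__":
    print(http_log_line(SAMPLE))
```

Packets that carry no request line (handshake, ACKs, response data) return None, so only the packet that opens a request produces a log line.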