NAT with Logging feature (Conntrack table events to syslog)

Hello Nethserver Team,
In the recent past we came across a situation where NAT connection logging was required. This feature is the least documented when we check the Linux community. There should be a separate NAT config tab with Static, Dynamic and 1-1 mapping features, with logging.

The logging functionality can be achieved using conntrack-tools and ulogd2, which is a user-space logging daemon. This feature is missing from almost all NethServer alternatives.

Thanks
Faisal

Welcome to NethServer Community Muhammad!

No one asked before for such feature, but it could be handy in some situations.
Would you like to do some tests and report here your findings?

You could start by following these steps:

  • Install and enable conntrackd:

      yum install conntrack-tools
      systemctl enable conntrackd
    
  • Edit /etc/conntrackd/conntrackd.conf to satisfy your needs

  • Start the daemon: systemctl start conntrackd

Hi Giacomo,
Thanks for your response. I have raised a feature request for NAT logging that can be managed from the NS web UI, with the ability to pass the logs to syslog-ng or rsyslog.

Thanks
Faisal.

Did you test @giacomo’s suggestions? Let us know what are your feelings and if it solves your request.
There’s always time for a specific web interface :slight_smile:

Hi Alessio,
I'm experimenting with the NAT logging feature on CentOS, with meaningful, precise logging to syslog or a file. LogAnalyzer, a native syslog web UI, is a good choice. Once it is set up I will feed back on adding it to NethServer, since NAT user tracking is missing from almost all major NethServer alternatives.

Thanks
F.

Update on NAT Logging Feature using CentOS:
The experiment was successful, using conntrack/ulogd to bring logging into user space and avoiding load on kernel memory. The logs are written to a text file or a syslog facility.

Is it possible to view and manage it via NethServer?

I’d start with an howto, then eventually we will develop something.

Would you mind to write down the whole procedure you followed?

Hi Giacomo,
Thanks for your response, and sorry for the delayed reply: my testing was in progress and is now completed. Yes, sure, let me summarize my system setup (test bed). The system was initially deployed on CentOS 6.8 using ulogd2, conntrack-tools, the libnet libraries, rsyslog and its front end LogAnalyzer.

I have some findings on my test setup. There were lots of unwanted logs (disk space as a cost) in the conntrack tables, but our interest is only in src-nat events, to trace back a malicious user. Also, the conntrack event does not contain year info (see the example below: day and time are there but not the year). During my research I came across another package by Mr. F. B. Brokken called natlog, available as precompiled Debian packages as well as sources.

Well, my limitation is that I don't have a programming background for compiling C++ sources on CentOS, which requires a C++14 or newer compiler according to Mr. Brokken. So I used Debian instead to test what it offers and how it works. natlog uses the conntrack -E output to extract session events, summarize them and send them to either a log file or a syslog facility. It gives the src-nat event start time and end time of each session in raw time (epoch time). The author of natlog is also reachable via email, but he also does not have any experience compiling the sources on CentOS. Please see the natlog output format:

natlog (clean output of src-nat only) with precise timestamp as unix time:

Jan 22 08:23:25 debian NATLOG: from 1485091279:235686 until 1485091405:832021: tcp 192.168.2.4:45210 (via: 192.168.1.109:45210) to 93.184.220.29:80

ulogd2 output (missing year information):

Mar 11 15:55:59 wc01 ulogd[14289]: [NEW] ORIG: SRC=5.55.22.172 DST=192.168.1.3 PROTO=TCP SPT=20283 DPT=5358 PKTS=0 BYTES=0 , REPLY: SRC=192.168.1.3 DST=5.55.22.172 PROTO=TCP SPT=5358 DPT=20283 PKTS=0 BYTES=0

This is what I have done so far. The objective is to track src-nat events; if this is achievable some other way, such as piping the conntrack -E output to syslog or a file, that can serve the purpose.

Please share your thoughts on it.

Cheers
Faisal

Any update on this?

Hello, a very interesting subject. Here in Brazil there is an obligation for companies to keep the NAT records of the network. I wish NethServer could have this functionality. I am willing to help make this happen.

@faisalusuf @giacomo

Any update on this?

I read the procedure, but this is still not a working how-to suitable for other users.

I like this approach, and I don’t see any major limitations.

You can write a parser to add the year and discard all unwanted messages; you can also write a specific logrotate configuration to quickly discard all already-analyzed logs.

I can't find any rpm for icmake, thus you need to compile icmake itself before compiling natlog.
Sorry but I can’t help on this.

I kept working on the issues/shortcomings I faced with my setup and was also able to fix them.

There were lots of unwanted logs (disk space as a cost) in the conntrack tables, but our interest is only in src-nat events, to trace back a malicious user.

The ulogd config offers message filtering based on src or dst IP subnets, so only src-nat events of the desired subnets are logged, which optimizes disk space utilization.

Also, the conntrack event does not contain year info (see the example below: day and time are there but not the year).

The year in the timestamp is also achieved by setting the conntrack timestamp and conntrack acct settings to 1. I upgraded the kernel to 3.10, as the older kernel 2.6.11 does not support conntrack_timestamp.

2017-03-18T00:31:19.204031-04:00 wc01 ulogd[10498]: [NEW] ORIG: SRC=172.16.50.22 DST=192.168.1.1 PROTO=UDP SPT=65362 DPT=53 PKTS=0 BYTES=0 , REPLY: SRC=192.168.1.1 DST=192.168.5.10 PROTO=UDP SPT=53 DPT=65362 PKTS=0 BYTES=0

So now I'm getting precise results. We can use conntrack, netfilter, ulogd2 and rsyslog for a complete NAT logging solution.

Cheers
Faisal
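
The parser Giacomo suggested, written out as an added example that is not part of this thread or of NethServer: it reads the two line formats shown above (ulogd2 NFCT lines, with or without a year in the syslog timestamp, and natlog summary lines), keeps only connections whose source address or port was actually rewritten, adds the missing year, and optionally restricts output to clients in the inside subnets, the same cut ulogd's own filtering makes. The sample lines are constructed for the example (two are adapted from the lines posted above); the assumed year and the assumption that year-less syslog stamps are in UTC are labelled in the code.

```python
"""Turn conntrack-derived log lines into source-NAT records (added example)."""
import ipaddress
import re
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional

# A conntrack tuple as ulogd2 prints it: SRC=.. DST=.. PROTO=.. [SPT=.. DPT=..]
_TUPLE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)
# Syslog prefix is either "Mar 11 15:55:59" (no year) or RFC 3339 (rsyslog high-precision stamps)
_ULOGD = re.compile(
    r"^(?P<ts>\d{4}-\S+|[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ ulogd\[\d+\]: "
    r"\[(?P<event>NEW|UPDATE|DESTROY)\] ORIG: (?P<orig>.+?) , REPLY: (?P<reply>.+)$"
)
# natlog summary: "from <epoch>:<usec> until <epoch>:<usec>: tcp A:p (via: B:q) to C:r"
_NATLOG = re.compile(
    r"NATLOG: from (?P<start>\d+):\d+ until (?P<end>\d+):\d+: (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<spt>\d+) \(via: (?P<nsrc>[\d.]+):(?P<nspt>\d+)\) "
    r"to (?P<dst>[\d.]+):(?P<dpt>\d+)$"
)


def _parse_ts(text: str, assumed_year: int, local_tz) -> datetime:
    """Return an aware UTC datetime. Traditional syslog stamps carry no year,
    so the caller supplies one (normally the year the log file was written)."""
    if text[:4].isdigit():                       # RFC 3339, offset included
        return datetime.fromisoformat(text).astimezone(timezone.utc)
    month, day, clock = text.split()             # collapses the padded day
    naive = datetime.strptime(f"{assumed_year} {month} {day} {clock}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=local_tz).astimezone(timezone.utc)


def parse_ulogd(line: str, assumed_year: int, local_tz=timezone.utc) -> Optional[Dict]:
    """Parse one ulogd2 NFCT line; 'nat' is SNAT, DNAT, SNAT+DNAT or None."""
    m = _ULOGD.match(line)
    if not m:
        return None
    orig = _TUPLE.search(m["orig"]).groupdict()
    reply = _TUPLE.search(m["reply"]).groupdict()
    # Source NAT: the reply is addressed to the translated source, not the real one.
    # Destination NAT: the reply comes from the real server, not the address first dialled.
    snat = orig["src"] != reply["dst"] or orig["spt"] != reply["dpt"]
    dnat = orig["dst"] != reply["src"] or orig["dpt"] != reply["spt"]
    kind = "+".join(k for k, on in (("SNAT", snat), ("DNAT", dnat)) if on) or None
    return {
        "source": "ulogd", "event": m["event"],
        "time": _parse_ts(m["ts"], assumed_year, local_tz),
        "proto": orig["proto"], "src": orig["src"], "spt": orig["spt"],
        "nat_src": reply["dst"], "nat_spt": reply["dpt"],
        "dst": orig["dst"], "dpt": orig["dpt"], "nat": kind,
    }


def parse_natlog(line: str) -> Optional[Dict]:
    """Parse one natlog line; it only ever reports source NAT, with epoch start/end."""
    m = _NATLOG.search(line)
    if not m:
        return None
    return {
        "source": "natlog", "event": "DESTROY",
        "time": datetime.fromtimestamp(int(m["start"]), timezone.utc),
        "end": datetime.fromtimestamp(int(m["end"]), timezone.utc),
        "proto": m["proto"].upper(), "src": m["src"], "spt": m["spt"],
        "nat_src": m["nsrc"], "nat_spt": m["nspt"],
        "dst": m["dst"], "dpt": m["dpt"], "nat": "SNAT",
    }


def snat_records(lines: Iterable[str], assumed_year: int, inside: Iterable[str] = ()) -> List[Dict]:
    """Keep only source-NAT events, optionally only for clients inside the given subnets."""
    nets = [ipaddress.ip_network(n) for n in inside]
    kept = []
    for line in lines:
        rec = parse_ulogd(line, assumed_year) or parse_natlog(line)
        if rec is None or rec["nat"] is None or "SNAT" not in rec["nat"]:
            continue
        if nets and not any(ipaddress.ip_address(rec["src"]) in n for n in nets):
            continue
        kept.append(rec)
    return kept


# Constructed sample input (the second and fourth lines are adapted from this thread).
SAMPLE_LINES = [
    "Mar 11 15:55:59 wc01 ulogd[14289]: [NEW] ORIG: SRC=5.55.22.172 DST=192.168.1.3 PROTO=TCP SPT=20283 DPT=5358 PKTS=0 BYTES=0 , REPLY: SRC=192.168.1.3 DST=5.55.22.172 PROTO=TCP SPT=5358 DPT=20283 PKTS=0 BYTES=0",
    "2017-03-18T00:31:19.204031-04:00 wc01 ulogd[10498]: [NEW] ORIG: SRC=172.16.50.22 DST=192.168.1.1 PROTO=UDP SPT=65362 DPT=53 PKTS=0 BYTES=0 , REPLY: SRC=192.168.1.1 DST=192.168.5.10 PROTO=UDP SPT=53 DPT=65362 PKTS=0 BYTES=0",
    "Mar 18 00:32:07 wc01 ulogd[10498]: [DESTROY] ORIG: SRC=10.9.0.7 DST=93.184.216.34 PROTO=TCP SPT=51000 DPT=443 PKTS=12 BYTES=2310 , REPLY: SRC=93.184.216.34 DST=192.168.5.10 PROTO=TCP SPT=443 DPT=51000 PKTS=10 BYTES=5400",
    "Jan 22 08:23:25 debian NATLOG: from 1485091279:235686 until 1485091405:832021: tcp 192.168.2.4:45210 (via: 192.168.1.109:45210) to 93.184.220.29:80",
]

if __name__ == "__main__":
    # assumed_year=2017 is an assumption for the year-less syslog stamps in the sample
    for rec in snat_records(SAMPLE_LINES, 2017, inside=["172.16.0.0/12", "192.168.0.0/16"]):
        print(rec["time"].isoformat(), rec["nat"], rec["proto"],
              f'{rec["src"]}:{rec["spt"]} -> {rec["nat_src"]}:{rec["nat_spt"]} -> {rec["dst"]}:{rec["dpt"]}')
```

The first sample line is an inbound connection with no translation at all (the reply tuple is the exact mirror of the original), so it is dropped; the third is source-NATed but from a subnet outside the inside list, so it is dropped only when that list is given. The natlog line's epoch start is converted to an aware UTC time so that both formats end up in one comparable record shape.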

We are discussing its implementation on NethServer. The test setup was optimized for precise logging.

Cheers,

Thanks!

@faisalusuf