loadet
log traffic
I need to log all traffic that is being created by a specific uid.
The box has multiple NICs, if it matters.
The uid doesn't belong to a real system user with a shell, but will show up like #405 in ps, where 405 is a uid in a chrooted /ftpd/etc/passwd.
Where do I start?
I need a full explanation since I don't really have time to read everything on the subject.
ASKER
Does it matter?
I need to log all traffic from that uid,
but it's an ftpd .. not the standard ftpd service.
And I did try something like iptables -A OUTPUT -m owner --uid-owner 405
but it just gets me an iptables: Invalid argument
Check if you have the owner module for iptables. It should be in the modules subtree on your system ( /lib/modules/`uname -r`/kernel/net/ipv4/netfilter )
You are probably missing the module.
ASKER
I have ipt_owner.ko
Would that be it?
That is the module you need. Load it using:
modprobe ipt_owner
After that, try your command again:
iptables -A OUTPUT -m owner --uid-owner 405 -j LOG
Should do the trick (just checked on my own machine)
Good Luck
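As an added example that is not part of the thread: once the LOG rule above is accepted, the kernel writes one line per matching packet, and the script below totals those lines per outgoing interface and destination, which is useful on a box with several NICs. It assumes the rule was also given `--log-prefix "uid405: "` so its lines can be told apart from other LOG rules; the prefix text, the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): summarise iptables LOG lines per flow.
# Assumption: the rule was given a prefix so its lines can be singled out, e.g.
#   iptables -A OUTPUT -m owner --uid-owner 405 -j LOG --log-prefix "uid405: "
# The prefix text and both function names are hypothetical.

# Constructed sample of kernel log lines (documentation address ranges).
sample_log() {
    cat <<'EOF'
Jun  1 10:00:01 box kernel: uid405: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=20 DPT=40001 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  1 10:00:02 box kernel: uid405: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=4243 DF PROTO=TCP SPT=20 DPT=40001 WINDOW=5840 RES=0x00 ACK URGP=0
Jun  1 10:00:03 box kernel: uid405: IN= OUT=eth1 SRC=203.0.113.5 DST=198.51.100.9 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1025 DPT=53 LEN=52
Jun  1 10:00:04 box kernel: other: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=1 PROTO=TCP SPT=40001 DPT=21 WINDOW=0 RES=0x00 RST URGP=0
EOF
}

# stdin: log lines; $1: log prefix.
# stdout: "iface dst proto dport packets bytes", one sorted line per flow.
summarize_uid_log() {
    awk -v prefix="$1" '
    {
        p = index($0, prefix)
        if (p == 0) next                      # line is from some other rule
        # Parse only the key=value fields that follow the prefix.
        n = split(substr($0, p + length(prefix)), f, " ")
        out = dst = proto = dpt = "-"; len = -1
        # UDP lines carry a second LEN= (UDP length); keep the first (IP length).
        for (i = 1; i <= n; i++) {
            if      (f[i] ~ /^OUT=./)   out   = substr(f[i], 5)
            else if (f[i] ~ /^DST=/)    dst   = substr(f[i], 5)
            else if (f[i] ~ /^PROTO=/)  proto = substr(f[i], 7)
            else if (f[i] ~ /^DPT=/)    dpt   = substr(f[i], 5)
            else if (f[i] ~ /^LEN=/ && len < 0) len = substr(f[i], 5) + 0
        }
        key = out " " dst " " proto " " dpt
        pkts[key]++
        bytes[key] += (len < 0 ? 0 : len)
    }
    END { for (k in pkts) print k, pkts[k], bytes[k] }
    ' | sort
}

sample_log | summarize_uid_log "uid405: "
```

On a live system the input would be the kernel log rather than `sample_log`, wherever syslog on that box writes kernel messages.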
ASKER
Yeah, I thought that was the problem too, but it was already loaded
FATAL: Module ipt_owner already in kernel.
That fatal is not fatal :-)
Does it accept the iptables command without complaining?
ASKER
No, it gives me an
iptables: Invalid argument
I'm running
iptables v1.2.6a
kernel 2.6.4
lsmod gives me
ipt_owner 4480 0
iptable_filter 3840 1
ip_tables 17168 2 ipt_owner,iptable_filter
so I don't really understand it
I did 2 things:
checked my version of iptables and kernel: iptables 1.2.9 and kernel 2.6.7
searched the sources of iptables and the kernel ipfilter modules for the "Invalid argument": it's not there. So whatever is giving this error, it is not in iptables or the kernel modules.
Could you please check what iptables you are executing? (try: which iptables)
ASKER
start:/home/loadet# which iptables
/sbin/iptables
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
OK, I will try that, thanks for trying.
ftp ?
httpd?