LOGGING OPTIONS

Logging options are set in /etc/netmasq/netmasq.conf.

The default value for LOG_PREFIX is "netmasq". This option makes it easier to search the log file. If several hosts log to the same file, you may want to include the hostname as well.

The default value for LOG_RATE is "6/hour". Iptables keeps track of how many events it can log for each rule. This rate determines how quickly the pool of available log entries is replenished. Each event that is logged uses one of these available entries.

The default value for LOG_BURST is "12". This option sets the maximum size of the pool of available entries, which is reached when entries become available more quickly than they are used.

Note that 6/hour is enough to let you see what kind of traffic you have, but may not be enough to really do diagnostics. If you are testing and want to watch traffic more closely, you could change the rate to 20/minute or even greater. Restarting netmasq will set all counters back to 0.

READING LOG ENTRIES

Here is a sample log entry:

    Feb 10 10:23:53 hal kernel: netmasq: svc_eth0: accept: IN=eth0 OUT= MAC=00:c0:7d:76:c7:92:00:02:2c:30:d6:92:07:00 SRC=192.168.1.2 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=24755 DF PROTO=TCP SPT=1038 DPT=22 WINDOW=16972 RES=0x00 ACK URGP=0

The LOG_PREFIX appears after the time, the hostname, and "kernel: ". It is followed by a keyword (see below) and the action taken. The remaining information includes SRC (the source address), DST (the destination address), PROTO (the protocol), SPT (the source port) and DPT (the destination port). In this example, 192.168.1.2 sent an ssh packet to 192.168.1.1.

Various keywords will appear to indicate what determined the packet's fate. The keywords fwall, svc, rmt and portfw will include an underscore and the appropriate interface. Note that these are chain names and thus may be used for accounting.

    fwall_eth0: the firewall on eth0 allowed or dropped the packet
    svc_eth0: the firewall on eth0 allowed a connection to a service
    rmt_eth0: the firewall on eth0 allowed a connection to a remote host
    portfw_eth0: the firewall on eth0 allowed a connection to be port forwarded
    input: the firewall allowed a port forward connection in
    output: the firewall allowed a port forward connection out
    forward: the firewall allowed a port forward connection through
    masquerade: the firewall allowed a masquerade connection
    banned: the firewall allowed or dropped a request from a banned address
    unused: the firewall allowed or dropped a request from an unused address
    trusted: the firewall allowed a request from a trusted address
    blackhole: the firewall dropped a request from a blackholed address
    xmas: the firewall dropped an xmas packet
    null: the firewall dropped a null packet

Here are some sample commands to view your logs:

    grep netmasq /var/log/messages

This will print out all log entries.

    grep 'fwall.*drop' /var/log/messages

This will print out all attempts to make connections not allowed by the firewall rules.

    egrep 'blackhole|banned' /var/log/messages

This will print out all attempts to make connections from hosts which have been denied access.

    grep svc_ /var/log/messages

This will print out all logged connections to services being provided on all firewalled interfaces.

    grep _eth1 /var/log/messages

This will print out all firewall, port forward, or service connections on a single interface.

    grep 'svc_.*DPT=22' /var/log/messages

This will print out all logged ssh connections on all firewalled interfaces.
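
The script below is an added example, not part of netmasq or of the original page. It goes one step past grep and tallies log entries by keyword, action, SRC and DPT, using the field layout of the sample entry above. The function names, the optional prefix argument, and the sample lines (including the "drop:" action token and the 203.0.113.9 and 198.51.100.7 addresses) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: tally netmasq log entries by keyword, action, SRC and DPT.

# Constructed sample input, modelled on the sample entry in this page.
# The "drop" lines, the sshd line and the non-192.168.1.x addresses are made up.
sample_log() {
cat <<'EOF'
Feb 10 10:23:53 hal kernel: netmasq: svc_eth0: accept: IN=eth0 OUT= SRC=192.168.1.2 DST=192.168.1.1 LEN=40 PROTO=TCP SPT=1038 DPT=22
Feb 10 10:24:10 hal kernel: netmasq: svc_eth0: accept: IN=eth0 OUT= SRC=192.168.1.2 DST=192.168.1.1 LEN=40 PROTO=TCP SPT=1039 DPT=22
Feb 10 10:24:31 hal kernel: netmasq: fwall_eth0: drop: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.1 LEN=44 PROTO=TCP SPT=4021 DPT=23
Feb 10 10:24:40 hal kernel: netmasq: blackhole: drop: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Feb 10 10:25:02 hal sshd[412]: Accepted publickey for admin from 192.168.1.2 port 1038
EOF
}

# netmasq_summary [prefix]  (hypothetical helper; reads a log on stdin)
# Prints "count keyword action src dpt", most frequent first.
# prefix defaults to "netmasq", the default LOG_PREFIX.
netmasq_summary() {
    awk -v prefix="${1:-netmasq}:" '
    {
        # Locate the LOG_PREFIX token; the keyword and action follow it.
        p = 0
        for (i = 1; i <= NF; i++) if ($i == prefix) { p = i; break }
        if (p == 0 || p + 2 > NF) next      # not a netmasq entry
        kw = $(p + 1); act = $(p + 2)
        sub(/:$/, "", kw); sub(/:$/, "", act)
        # Entries without ports (ICMP, for instance) keep "-" for DPT.
        src = "-"; dpt = "-"
        for (i = p + 3; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        n[kw " " act " " src " " dpt]++
    }
    END { for (k in n) print n[k], k }' | LC_ALL=C sort -k1,1nr -k2
}

# Demonstration on the constructed sample.
sample_log | netmasq_summary
```

On a real system, feed it the log file with "netmasq_summary < /var/log/messages", passing your LOG_PREFIX as the first argument if you changed it. Remember that LOG_RATE and LOG_BURST limit what is logged, so the counts are a lower bound on actual traffic.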