I can easily log new tcp connections with iptables like this:

iptables -A INPUT -p tcp --dport XYZ -m state --state NEW -j LOG

Is there a way to log when a connection is closed?

  • The command didn't work for me until I changed -dport to --dport Commented May 7, 2019 at 15:38
  • Thx, updated answer. Commented May 7, 2019 at 17:08

1 Answer

There might be something better, but the TCP protocol ends connections with the FIN or RST packets. You could match on these.

iptables -I INPUT -p tcp --dport XYZ --tcp-flags FIN FIN -j LOG
iptables -I INPUT -p tcp --dport XYZ --tcp-flags RST RST -j LOG

The FIN is repeated as --tcp-flags takes 2 arguments, a mask of what flags to look at, and what combination to accept.

  • Seems to work. Thanks. conntrack is also useful for this. Commented Oct 19, 2016 at 17:07
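The mask/flags matching described in the answer, carried a step further as an added example (not code from the question or answer): it gives the NEW, FIN and RST rules distinct log prefixes so open and close events can be told apart, models the `(flags & MASK) == COMP` test that `--tcp-flags` applies so a rule can be checked without root, and parses the resulting kernel log lines. Port 22 stands in for XYZ, the prefixes and the sample log line are constructed here, and only `install_rules` needs root.

```shell
#!/bin/sh
# Added example, not code from the question or answer. Assumption: port 22
# stands in for XYZ; the TCP-NEW/FIN/RST prefixes are chosen here.
PORT=${PORT:-22}
# Header bit values of the flag names --tcp-flags accepts (ALL = all six bits).
flag_bits() {                       # flag_bits "FIN,ACK" -> 17
  sum=0
  for f in $(printf '%s' "$1" | tr ',' ' '); do
    case "$f" in
      FIN) sum=$((sum|1));;  SYN) sum=$((sum|2));;  RST) sum=$((sum|4));;
      PSH) sum=$((sum|8));;  ACK) sum=$((sum|16));; URG) sum=$((sum|32));;
      ALL) sum=63;;          NONE) ;;
      *) echo "unknown flag: $f" >&2; return 1;;
    esac
  done
  echo "$sum"
}

# tcp_flags_match MASK COMP PACKET_FLAGS: true when (flags & MASK) == COMP, which
# is exactly the test "--tcp-flags MASK COMP" applies to every packet.
tcp_flags_match() {
  m=$(flag_bits "$1") && c=$(flag_bits "$2") && p=$(flag_bits "$3") || return 2
  [ $(( p & m )) -eq "$c" ]
}

# Needs root. -I puts these first so an earlier "ACCEPT ESTABLISHED" rule cannot
# swallow FIN/RST packets before they are logged.
install_rules() {
  iptables -I INPUT -p tcp --dport "$PORT" --tcp-flags RST RST -j LOG --log-prefix "TCP-RST: "
  iptables -I INPUT -p tcp --dport "$PORT" --tcp-flags FIN FIN -j LOG --log-prefix "TCP-FIN: "
  iptables -I INPUT -p tcp --dport "$PORT" -m state --state NEW -j LOG --log-prefix "TCP-NEW: "
}

# Reduce one kernel LOG line to "KIND src:spt -> dst:dpt"; fails on other lines.
parse_log_line() {
  printf '%s\n' "$1" | awk '{
    kind = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^TCP-(NEW|FIN|RST):$/) kind = substr($i, 1, length($i) - 1)
      else if ($i ~ /^SRC=/) src = substr($i, 5)
      else if ($i ~ /^DST=/) dst = substr($i, 5)
      else if ($i ~ /^SPT=/) spt = substr($i, 5)
      else if ($i ~ /^DPT=/) dpt = substr($i, 5)
    }
    if (kind == "") exit 1
    printf "%s %s:%s -> %s:%s\n", kind, src, spt, dst, dpt
  }'
}
# Constructed sample of what the LOG target writes for a client's FIN,ACK.
SAMPLE_LINE='May  7 15:38:00 host kernel: TCP-FIN: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=52 PROTO=TCP SPT=51234 DPT=22 ACK FIN'
```

Note that `--tcp-flags FIN FIN` also matches the normal FIN,ACK close, and the RST rule will fire on resets from scanners as well as on real teardowns; the conntrack route mentioned in the comment (`conntrack -E -e DESTROY -p tcp --dport 22`, from conntrack-tools) reports the same closes from the tracker's side once the entry is removed.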
