General discussion

Locked

Tracking the IP behind NAT

By Srikrishna ·
Hi All,
Well its a rare case but still need you guru's help to solve..
Its a Small ISP scenario and we are doing nat at the end. Recently we've got a abuse/fraud complaint from Law Enforcement authorities citing a case from our IP address and requesting for the Log/Data.The thing is we are doing nat and all we have is a AAA server. How can I trace back to the actual offender with only AAA logs. We dont have a IDS inplace.
Any type of HELP will be appreciated. Plz respond as i need it ASAP..
Thx a Lot

This conversation is currently closed to new comments.

7 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

by EarleZO In reply to Tracking the IP behind NA ...

Hi,
assuming you are using IPTABLES to do the NAT, then you need to also log all NAT rules allowing you to match the original IP address to the mangled NAT local address.

Once you do this, you then can use an IPtables anlysis package similar to the one at "http://www.gege.org/iptables/"

Also, make sure that your NAT box is connecting to a time server for time synchronisation purposes so for log requests, you can fix the time properly.

iptables keeps track of connections in a proc system file which is called
/proc/net/ip_conntrack.

You can print the output of this file using
cat /proc/net/ip_conntrack

Nyway, I hope this helps you

Cheers

Earle

Collapse -

by Srikrishna In reply to

Poster rated this answer.

Collapse -

by sgt_shultz In reply to Tracking the IP behind NA ...

anybody else smell something funny?

Collapse -

by Srikrishna In reply to

Poster rated this answer.

Collapse -

by aseem_kumar_2001 In reply to Tracking the IP behind NA ...

If the LAW agencies are requesting for logs give to them unless you have something to hide. You neednot trace the offender the Agency will do if deemed appropriate

Collapse -

by Srikrishna In reply to

Poster rated this answer.

Collapse -

by Srikrishna In reply to Tracking the IP behind NA ...

This question was closed by the author

Back to Security Forum
7 total posts (Page 1 of 1)  

Related Forums