
Iptables rule(s) to log incoming connections on a port-range

$30-100 USD

Cancelled
Posted more than 14 years ago

Paid on delivery
We run an OpenVPN proxy server on Ubuntu 8. All our users get the same public IP of the server and then browse the web.

The problem: some of our users use peer-to-peer programs like BitTorrent to share copyrighted materials, and we then get complaints from the movie industry threatening to sue us if we don't turn off this user's account.

The solution: We need logs on our server of all *incoming* connections (meaning coming from the public Internet to one of our users) on a certain port-range so that we can identify which user was responsible for the traffic that caused the complaint. (sharing content, which we assume means the traffic started with a connection from the outside TO our users)

Specifically, the complaint will include:

* datetime
* port
* IP of our server

Using that information, we now want to use logs to identify which of the private IPs assigned to our users caused that traffic.

Your deliverables:

1) iptables firewall rules to log this kind of traffic
2) configured on our test server, and confirmed to be working by you logging onto our VPN, using a BitTorrent client, and your *sharing* traffic being identified in the logs.
3) a brief doc with the exact steps we need to perform to deploy your solution ourselves to another server
4) be on stand-by until we've deployed this to a live server and confirmed it's working. (we can deploy immediately, then we may need to wait a few days for the next movie-complaint to come in and confirm we can identify the user)

In the detailed description for this project we've included the iptables rules we've already configured, what we've already tried and what hasn't worked so far.

In your bid, please confirm:

1) your level of confidence in being able to achieve this... have you done anything similar before? how familiar are you with p2p protocols and OpenVPN?
2) estimated completion date

## Deliverables

**Here's the existing firewall configuration on our server:**

```sh
sudo iptables -t nat -A POSTROUTING -s [login to view URL] -o eth0 -j MASQUERADE
```

This is used for the VPN to work as a proxy.

```sh
sudo iptables -A FORWARD -o eth0 -p tcp --dport 25 -j DROP
```

(drop port 25) To drop port 25 traffic and prevent email spam.

**What we've tried so far to identify peer-to-peer content sharing, but this has failed to log any of the traffic we want:**

```sh
#vars
IPT=/sbin/iptables
#the portrange that is logged
#suspect ports
SUSPECTPORTS=6881:6883,51413
WATCHPORTS=6884:59999

#script
# the nat port is logged
$IPT -A OUTPUT -t nat -d [login to view URL] -p tcp -m multiport --dports $WATCHPORTS -j LOG --log-prefix 'POSIBLE_NAT_TORRENT:' --log-level 4

#certain torrent traffic is logged as CERTAIN bittorrent traffic
/sbin/iptables -A INPUT -j LOG --log-prefix 'CERTAIN_TORRENT:' --log-level 4 -p tcp -m multiport --dports $SUSPECTPORTS -m string --algo bm --string info_hash
#/sbin/iptables -A INPUT -j DROP -p tcp -m multiport --dports $SUSPECTPORTS -m string --algo bm --string info_hash
/sbin/iptables -A INPUT -j LOG --log-prefix 'CERTAIN_TORRENT:' --log-level 4 -p tcp -m multiport --dports $SUSPECTPORTS -m string --algo bm --string [login to view URL]
#/sbin/iptables -A INPUT -j DROP -p tcp -m multiport --dports $SUSPECTPORTS -m string --algo bm --string [login to view URL]

#suspect torrent traffic is logged only as possible bittorrent
/sbin/iptables -A INPUT -j LOG --log-prefix 'POSIBLE_TORRENT:' --log-level 4 -p tcp -m multiport --dports $WATCHPORTS -m string --algo bm --string info_hash
/sbin/iptables -A INPUT -j LOG --log-prefix 'POSIBLE_TORRENT:' --log-level 4 -p tcp -m multiport --dports $WATCHPORTS -m string --algo bm --string [login to view URL]
```
Project ID: 3005698
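As an added example (not part of the original posting or the client's configuration): traffic routed between VPN clients and the Internet traverses the FORWARD chain, where a LOG rule still sees each client's private address, and the script below matches a complaint's datetime and port against such log lines. The `VPN_FWD:` prefix, interface names, addresses and log lines are constructed for illustration, and the match assumes MASQUERADE left the port number unchanged, which is not guaranteed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the kernel's iptables LOG format. The "VPN_FWD:"
# prefix, tun0/eth0 names and 10.8.0.0/24 client subnet are assumptions.
SAMPLE_LOG = """\
Mar 10 21:14:02 vpn kernel: [8123.101] VPN_FWD: IN=tun0 OUT=eth0 SRC=10.8.0.6 DST=198.51.100.23 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4112 DF PROTO=TCP SPT=51413 DPT=6881 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 10 21:14:05 vpn kernel: [8126.440] VPN_FWD: IN=eth0 OUT=tun0 SRC=198.51.100.77 DST=10.8.0.14 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=9021 DF PROTO=TCP SPT=40211 DPT=6884 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 10 23:40:10 vpn kernel: [16891.2] VPN_FWD: IN=tun0 OUT=eth0 SRC=10.8.0.9 DST=192.0.2.80 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=777 DF PROTO=TCP SPT=51413 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?VPN_FWD: (.*)$")


def parse_line(line, year):
    """Return (timestamp, client_ip, client_port), or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # KEY=VALUE tokens only; bare flags such as DF and SYN are skipped.
    f = dict(tok.split("=", 1) for tok in m.group(2).split() if "=" in tok)
    # Syslog timestamps carry no year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    if f["IN"].startswith("tun"):
        # Client -> Internet: the VPN client is the source.
        return ts, f["SRC"], int(f["SPT"])
    # Internet -> client: the VPN client is the destination.
    return ts, f["DST"], int(f["DPT"])


def find_clients(log_text, when, port, window_s=300):
    """Private IPs seen using `port` within window_s seconds of the complaint.

    Assumes NAT kept the port number unchanged and that `when` is expressed
    in the same time zone as the server's syslog timestamps.
    """
    window = timedelta(seconds=window_s)
    hits = set()
    for line in log_text.splitlines():
        rec = parse_line(line, when.year)
        if rec and rec[2] == port and abs(rec[0] - when) <= window:
            hits.add(rec[1])
    return sorted(hits)


if __name__ == "__main__":
    complaint = datetime(2011, 3, 10, 21, 15, 0)  # constructed complaint time
    print(find_clients(SAMPLE_LOG, complaint, 51413))
```

More than one address in the result means the port alone cannot attribute the traffic; an exact mapping would need the NAT translation itself recorded alongside the firewall log.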

Project information

3 bids
Remote project
Active 14 years ago

3 freelancers are bidding an average of $54 USD for this job

See private message.
$34 USD in 5 days
5.0 (352 reviews)
6.5

See private message.
$42.50 USD in 5 days
4.9 (55 reviews)
5.8

See private message.
$85 USD in 5 days
4.6 (11 reviews)
4.2

About this client

Newark, United States
5.0
52
Payment method verified
Member since Dec 31, 2010
