Sorry for asking this probably simple question, but how do I enable firewall logging?
My vpn connection is established, but I get no traffic over it.
Thanks
Andreas
The content of this topic has been archived on 12 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.
Sorry for asking this probably simple question, but how do I enable firewall logging?
Install the modules required for logging:
ipkg install iptables-mod-extra
At the top of your firewall script, add:
insmod ipt_LOG
and then to log traffic, just add these in the appropriate location in the firewall script:
iptables -A INPUT -i tun0 -j LOG --log-prefix "IN tun0: "
(adjust the rule name, interface, etc., as appropriate)
Cheers,
Martin.
For the summary to get logging working with iptables do:
1) install the iptables-mod-extra package
2) create a file in /etc/modules.d/ directory to load ipt_LOG.o module
3) add an iptables rule to /etc/firewall.user to log traffic (adjust the rule name, interface, etc., as appropriate). For example:
iptables -A input_rule -i ppp0 -j LOG --log-prefix "IN ppp0: "
4) load module and rerun /etc/firewall.user or just reboot
insmod ipt_LOG.o
/etc/firewall.user
5) use logread (-f) to show the logged traffic
Jan 9 16:07:15 (none) user.warn kernel: IN ppp0: IN=ppp0 OUT= MAC= SRC=aaa.bbb.ccc.ddd DST=aaa.bbb.ccc.ddd LEN=46 TOS=0x00 PREC=0x00 TTL=117 ID=51686 PROTO=UDP SPT=4672 DPT=6125 LEN=26
Jan 9 16:07:17 (none) user.warn kernel: IN ppp0: IN=ppp0 OUT= MAC= SRC=aaa.bbb.ccc.ddd DST=aaa.bbb.ccc.ddd LEN=46 TOS=0x00 PREC=0x00 TTL=119 ID=61022 PROTO=UDP SPT=4672 DPT=6125 LEN=26
Jan 9 16:07:24 (none) user.warn kernel: IN ppp0: IN=ppp0 OUT= MAC= SRC=aaa.bbb.ccc.ddd DST=aaa.bbb.ccc.ddd LEN=46 TOS=0x00 PREC=0x00 TTL=116 ID=46462 PROTO=UDP SPT=15549 DPT=6125 LEN=26
That's it. Have fun!
(Last edited by olli on 16 Jan 2006, 12:35)
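Once step 5 produces lines like the ones above, the next thing you want is to reduce them to something readable. The following is my own added example, not code posted by olli or anyone else in this thread: a small POSIX sh function that reads logread output on stdin and counts LOG lines by prefix, protocol, destination and destination port. It assumes the "IN <if>: " / "OUT <if>: " prefix convention used in this thread, and the sample log lines embedded in it are constructed (documentation addresses, not real hosts).

```shell
#!/bin/sh
# Summarise netfilter LOG lines from `logread` by log prefix, protocol,
# destination address and destination port, most frequent first.
# Added example for this thread; assumes the "IN <if>: "/"OUT <if>: "
# --log-prefix convention used in the posts above.

summarize_fwlog() {
    while IFS= read -r line; do
        case "$line" in
            *"kernel: "*"IN="*) ;;   # keep only netfilter LOG lines
            *) continue ;;
        esac
        rest=${line#*kernel: }       # "IN ppp0: IN=ppp0 OUT= MAC= SRC=..."
        prefix=${rest%%: IN=*}       # the --log-prefix, e.g. "IN ppp0"
        proto=- dst=- dpt=-          # "-" when a field is absent (e.g. ICMP has no DPT)
        for kv in $rest; do          # netfilter fields are KEY=VALUE tokens
            case "$kv" in
                PROTO=*) proto=${kv#PROTO=} ;;
                DST=*)   dst=${kv#DST=} ;;
                DPT=*)   dpt=${kv#DPT=} ;;
            esac
        done
        printf '%s %s %s %s\n' "$prefix" "$proto" "$dst" "$dpt"
    done | sort | uniq -c | sort -rn
}

# Constructed sample in the format logread shows (not a real capture):
# two inbound UDP hits, one inbound TCP SYN, three outbound DNS queries,
# and one unrelated kernel line that must be ignored.
SAMPLE_LOG='Jan  9 16:07:15 (none) user.warn kernel: IN ppp0: IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.5 LEN=46 TOS=0x00 PREC=0x00 TTL=117 ID=51686 PROTO=UDP SPT=4672 DPT=6125 LEN=26
Jan  9 16:07:17 (none) user.warn kernel: IN ppp0: IN=ppp0 OUT= MAC= SRC=198.51.100.9 DST=203.0.113.5 LEN=46 TOS=0x00 PREC=0x00 TTL=119 ID=61022 PROTO=UDP SPT=4672 DPT=6125 LEN=26
Jan  9 16:07:24 (none) user.warn kernel: IN ppp0: IN=ppp0 OUT= MAC= SRC=198.51.100.9 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=116 ID=46462 PROTO=TCP SPT=15549 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 11 01:23:53 (none) user.warn kernel: OUT ppp0: IN=br0 OUT=ppp0 SRC=192.168.1.3 DST=203.0.113.80 LEN=53 TOS=0x00 PREC=0x00 TTL=63 ID=2457 DF PROTO=UDP SPT=6480 DPT=53 LEN=33
Jan 11 01:23:54 (none) user.warn kernel: OUT ppp0: IN=br0 OUT=ppp0 SRC=192.168.1.3 DST=203.0.113.80 LEN=53 TOS=0x00 PREC=0x00 TTL=63 ID=2458 DF PROTO=UDP SPT=6480 DPT=53 LEN=33
Jan 11 01:23:55 (none) user.warn kernel: OUT ppp0: IN=br0 OUT=ppp0 SRC=192.168.1.3 DST=203.0.113.80 LEN=53 TOS=0x00 PREC=0x00 TTL=63 ID=2459 DF PROTO=UDP SPT=6480 DPT=53 LEN=33
Jan 11 01:23:56 (none) user.warn kernel: eth0: link up, 100Mbps full duplex'

# top_entry: the most frequent (count prefix proto dst dpt) line of the sample
top_entry() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_fwlog | head -n 1
}

# On the router: logread | summarize_fwlog     (or logread -f for live output)
```

On the sample this yields three summary lines, the first being "3 OUT ppp0 UDP 203.0.113.80 53". Since uniq -c prefixes the count, the whole thing is just `logread | summarize_fwlog` on the router; the fields the function does not keep (SRC, TTL, flags) are still in the raw lines when you need them.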
Hi olli,
I managed to log incoming traffic with your description. Now I would like to log OUTGOING traffic. I tried it with
iptables -A output_rule -i ppp0 -j LOG --log-prefix "OUT ppp0: "
but this is not working. Could you give me an example how to log outgoing traffic on ppp0?
Thanks
Andreas
Use the rule below to log outgoing traffic:
iptables -A forwarding_rule -o ppp0 -j LOG --log-prefix "OUT ppp0: "
Jan 11 01:23:53 (none) user.warn kernel: OUT ppp0: IN=br0 OUT=ppp0 SRC=192.168.1.3 DST=aaa.bbb.ccc.ddd LEN=53 TOS=0x00 PREC=0x00 TTL=63 ID=2457 DF PROTO=UDP SPT=6480 DPT=8368 LEN=33
Jan 11 01:23:53 (none) user.warn kernel: OUT ppp0: IN=br0 OUT=ppp0 SRC=192.168.1.3 DST=aaa.bbb.ccc.ddd LEN=53 TOS=0x00 PREC=0x00 TTL=63 ID=2458 DF PROTO=UDP SPT=6480 DPT=3665 LEN=33
Jan 11 01:23:53 (none) user.warn kernel: OUT ppp0: IN=br0 OUT=ppp0 SRC=192.168.1.3 DST=aaa.bbb.ccc.ddd LEN=53 TOS=0x00 PREC=0x00 TTL=63 ID=2459 DF PROTO=UDP SPT=6480 DPT=10247 LEN=33
Jan 11 01:23:54 (none) user.warn kernel: OUT ppp0: IN=br0 OUT=ppp0 SRC=192.168.1.3 DST=aaa.bbb.ccc.ddd LEN=53 TOS=0x00 PREC=0x00 TTL=63 ID=2460 DF PROTO=UDP SPT=6480 DPT=10247 LEN=33
(Last edited by olli on 11 Jan 2006, 03:14)
Hello,
I'm not exactly sure which interface name to use. I am interested in looking at the traffic coming into and leaving the router. Thus, I figured that I needed to monitor the WAN interface. With that in mind, I added this to firewall.user:
WAN=$(nvram get wan_ifname)
iptables -A INPUT -i $WAN -j LOG --log-prefix "IN $WAN: "
However, I get no output from logread -f.
Jon
INPUT is packets sent specifically to the router, not machines connected via the router; you want FORWARD for packets that travel through the router to other machines.
When dealing with firewall.user use "forwarding_rule" instead of "FORWARD" otherwise you'll put your new rule in the wrong place.
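Putting olli's summary, his outgoing-traffic rule and mbm's INPUT-versus-FORWARD point together, here is a firewall.user fragment I wrote for this thread; it is not code posted by any of the participants. The chain names input_rule and forwarding_rule are the White Russian ones used above. Two things are my additions and assumptions: the `-m limit` rate limit (it assumes the limit match is installed; I believe it ships with iptables-mod-extra/kmod-ipt-extra alongside LOG, but check `ls /usr/lib/iptables/libipt_limit.so` on your box) and `--log-level warning`, which only sets the syslog priority the lines are tagged with.

```shell
#!/bin/sh
# firewall.user fragment: log the three kinds of WAN traffic discussed above.
# Added example for this thread, not the participants' code.
# Assumes White Russian's input_rule/forwarding_rule chains, ipt_LOG from
# iptables-mod-extra, and (assumption) the `limit` match being installed.

IPTABLES=${IPTABLES:-iptables}

# ipt: run iptables, or with DRYRUN=1 just print the command that would run
ipt() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        printf '%s\n' "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# load_log_module: insmod ipt_LOG once (2.4 kernel, busybox insmod).
# /proc/modules lists loaded modules as "ipt_LOG 3888 0 ...".
load_log_module() {
    grep -q '^ipt_LOG ' /proc/modules || insmod ipt_LOG
}

# log_wan_traffic <wan_if>
#   1. input_rule      -i WAN : packets addressed to the router itself
#   2. forwarding_rule -i WAN : packets from the WAN forwarded to LAN hosts
#   3. forwarding_rule -o WAN : packets from LAN hosts leaving via the WAN
# LOG is a non-terminating target, so the packet continues to later rules;
# the rate limit keeps a port scan from flooding the ring buffer logread reads.
# Each --log-prefix stays under iptables' 29-character limit.
log_wan_traffic() {
    wan=$1
    ipt -A input_rule -i "$wan" -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-level warning --log-prefix "IN-LOCAL $wan: "
    ipt -A forwarding_rule -i "$wan" -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-level warning --log-prefix "IN-FWD $wan: "
    ipt -A forwarding_rule -o "$wan" -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-level warning --log-prefix "OUT-FWD $wan: "
}

# Usage from /etc/firewall.user (after ". /etc/functions.sh"):
#   WAN=$(nvram get wan_ifname)
#   load_log_module
#   log_wan_traffic "$WAN"
# Run as a script: "sh thisfile show ppp0" prints the rules, "apply ppp0" installs them.
case "${1:-}" in
    show)  DRYRUN=1; log_wan_traffic "${2:?usage: show <wan_if>}" ;;
    apply) load_log_module; log_wan_traffic "${2:?usage: apply <wan_if>}" ;;
esac
```

Append these before any ACCEPT or DROP rules you add to the same chains, as in Jon's script below where the LOG rule precedes the port-80 ACCEPT; otherwise accepted packets never reach the LOG rule. With three distinct prefixes the logread lines tell you at a glance whether a packet was for the router, for a LAN host, or leaving the LAN.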
For some reason, I can't get logging to work.
I use this command
root@testasus1:/etc# iptables -A forwarding_rule -i br0 -j LOG
iptables v1.3.3: Couldn't load target `LOG':File not found
Here are the modules I have loaded:
root@testasus1:/etc# lsmod
Module Size Used by Tainted: P
ip_conntrack_tftp 1728 0 (unused)
ip_nat_snmp_basic 8928 0 (unused)
ip_nat_pptp 2428 0 (unused)
ip_conntrack_pptp 2956 1
ip_nat_proto_gre 1536 0 (unused)
ip_conntrack_proto_gre 2440 0 [ip_nat_pptp ip_conntrack_pptp]
ip_conntrack_amanda 1232 0 (unused)
wlcompat 14896 0 (unused)
ipt_LOG 3888 0 (unused)
wl 423640 0 (unused)
et 32064 0 (unused)
diag 2560 0 (unused)
I'm using RC4 on an Asus wl500g. I installed kmod-iptables-extra from http://downloads.openwrt.org/whiterussian/packages
danversj: If you're seeing that message you only loaded kmod-ipt-extra which provides the kernel ipt_LOG.o and not iptables-mod-extra which provides libipt_LOG.so. The library is required to allow iptables to access the kernel module, without it iptables will give you an error attempting to use a log command.
(You can do "ipkg install iptables-mod-extra" and it will automatically load kmod-ipt-extra, the reverse is not true)
Thanks for the help mbm. I have never really worked with iptables (I'm trying to find a good article on it so I can study up on it), so I am still a little confused. The only objective I have, so far, with firewall.user is to port forward all port 80 traffic to my web server. Thus, I used your suggestion, and changed my firewall.user file to look like this:
#!/bin/sh
. /etc/functions.sh
WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)
iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule
iptables -A forwarding_rule -i $WAN -j LOG --log-prefix "IN $WAN: "
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 80 -j DNAT --to 192.168.1.100
iptables -A forwarding_rule -i $WAN -p tcp --dport 80 -d 192.168.1.100 -j ACCEPT
However, I am still not seeing anything, and I am getting "Bad argument `LOG'", so obviously I still don't have it right. What statement do I need to enter to monitor all traffic to and from the router, and where should I place it? I was also wondering if there is a way to send this data to one of my PCs instead of reading it via logread. I have syslog set up to log to a PC, so I was hoping I could send this traffic there as well.
I would really appreciate any guidance anyone could give me about an "iptables for dummies" document that anyone could suggest.
TIA,
Jon
At first I couldn't find the LOG module on a just-installed RC4. So I downloaded ALL the iptables-* packages, unpacked them and found it in iptables-mod-extra.
But why doesn't the package description contain a list of the modules provided by the package? It would eliminate this and similar questions forever. E.g. I also looked for tcpmss for a pptp connection and found it in iptables-mod-ipopt. Well, it's fine when you know it, but it's incomprehensible when you're first trying to set things up.
(Last edited by sandworm on 4 Mar 2006, 09:25)