OpenWrt Forum Archive

Topic: firewall logging?

The content of this topic has been archived on 12 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Sorry for asking this probably simple question, but how do I enable firewall logging?

My vpn connection is established, but I get no traffic over it.

Thanks

Andreas

ALuedtke wrote:

Sorry for asking this probably simple question, but how do I enable firewall logging?

Install the modules required for logging:
ipkg install iptables-mod-extra

At the top of your firewall script, add:
insmod ipt_LOG

and then to log traffic, just add these in the appropriate location in the firewall script:
iptables -A INPUT -i tun0 -J LOG --log-prefix "IN tun0: "

(adjust the rule name, interface, etc, as approriate)

Cheers,
Martin.

For the summary to get logging working with iptables do:

1) install the iptables-mod-extra package

2) create a file in /etc/modules.d/ directory to load ipt_LOG.o module

3) add a iptables rule to /etc/firewall.user to log traffic (adjust the rule name, interface, etc, as approriate). For example:

iptables -A input_rule -i ppp0 -j LOG --log-prefix "IN ppp0: "

4) load module and rerun /etc/firewall.user or just reboot

insmod ipt_LOG.o
/etc/firewall.user

5) use logread (-f) to show the logged traffic

Jan  9 16:07:15 (none) user.warn kernel: IN ppp0: IN=ppp0 OUT= MAC= SRC=aaa.bbb.ccc.ddd DST=aaa.bbb.ccc.ddd LEN=46 TOS=0x00 PREC=0x00 TTL=117 ID=51686 PROTO=UDP SPT=4672 DPT=6125 LEN=26
Jan  9 16:07:17 (none) user.warn kernel: IN ppp0: IN=ppp0 OUT= MAC= SRC=aaa.bbb.ccc.ddd DST=aaa.bbb.ccc.ddd LEN=46 TOS=0x00 PREC=0x00 TTL=119 ID=61022 PROTO=UDP SPT=4672 DPT=6125 LEN=26
Jan  9 16:07:24 (none) user.warn kernel: IN ppp0: IN=ppp0 OUT= MAC= SRC=aaa.bbb.ccc.ddd DST=aaa.bbb.ccc.ddd LEN=46 TOS=0x00 PREC=0x00 TTL=116 ID=46462 PROTO=UDP SPT=15549 DPT=6125 LEN=26

That's it. Have fun!

(Last edited by olli on 16 Jan 2006, 12:35)

Hi olli,

I managed it to log incoming traffic with your description. Now I would like to log OUTGOING traffic. I tried it with

iptables -A output_rule -i ppp0 -j LOG --log-prefix "OUT ppp0: "

but this is not working. Could you give me an example how to log outgoing traffic on ppp0?

Thanks

Andreas

Use the rule below to log outgoing traffic:

iptables -A forwarding_rule -o ppp0 -j LOG --log-prefix "OUT ppp0: "
Jan 11 01:23:53 (none) user.warn kernel: OUT ppp0: IN=br0 OUT=ppp0 SRC=192.168.1.3 DST=aaa.bbb.ccc.ddd LEN=53 TOS=0x00 PREC=0x00 TTL=63 ID=2457 DF PROTO=UDP SPT=6480 DPT=8368 LEN=33
Jan 11 01:23:53 (none) user.warn kernel: OUT ppp0: IN=br0 OUT=ppp0 SRC=192.168.1.3 DST=aaa.bbb.ccc.ddd LEN=53 TOS=0x00 PREC=0x00 TTL=63 ID=2458 DF PROTO=UDP SPT=6480 DPT=3665 LEN=33
Jan 11 01:23:53 (none) user.warn kernel: OUT ppp0: IN=br0 OUT=ppp0 SRC=192.168.1.3 DST=aaa.bbb.ccc.ddd LEN=53 TOS=0x00 PREC=0x00 TTL=63 ID=2459 DF PROTO=UDP SPT=6480 DPT=10247 LEN=33
Jan 11 01:23:54 (none) user.warn kernel: OUT ppp0: IN=br0 OUT=ppp0 SRC=192.168.1.3 DST=aaa.bbb.ccc.ddd LEN=53 TOS=0x00 PREC=0x00 TTL=63 ID=2460 DF PROTO=UDP SPT=6480 DPT=10247 LEN=33

(Last edited by olli on 11 Jan 2006, 03:14)

Hello,
I'm not exactly sure which interface name to use. I am interested in looking at the traffice coming into and leaving the router. Thus, I figured that I needed to monitor the WAN interface. With that in mind, I added this to firewall.user:

WAN=$(nvram get wan_ifname)
iptables -A INPUT -i $WAN -j LOG --log-prefix "IN $WAN: "

However, I get no output from logread -f.

Jon

INPUT is packets sent specifically to the router, not machines connected via the router; you want FORWARD for packets that travel through the router to other machines.

When dealing with firewall.user use "forwarding_rule" instead of "FORWARD" otherwise you'll put your new rule in the wrong place.

for some reason, I can't get logging to work.

I use this command

root@testasus1:/etc# iptables -A forwarding_rule -i br0 -j LOG
iptables v1.3.3: Couldn't load target `LOG':File not found

Here are the modules I have loaded:

root@testasus1:/etc# lsmod
Module                  Size  Used by    Tainted: P
ip_conntrack_tftp       1728   0 (unused)
ip_nat_snmp_basic       8928   0 (unused)
ip_nat_pptp             2428   0 (unused)
ip_conntrack_pptp       2956   1
ip_nat_proto_gre        1536   0 (unused)
ip_conntrack_proto_gre    2440   0 [ip_nat_pptp ip_conntrack_pptp]
ip_conntrack_amanda     1232   0 (unused)
wlcompat               14896   0 (unused)
ipt_LOG                 3888   0 (unused)
wl                    423640   0 (unused)
et                     32064   0 (unused)
diag                    2560   0 (unused)

I'm using RC4 on an Asus wl500g.  I installed kmod-iptables-extra from http://downloads.openwrt.org/whiterussian/packages

danversj: If you're seeing that message you only loaded kmod-ipt-extra which provides the kernel ipt_LOG.o and not iptables-mod-extra which provides libipt_LOG.so. The library is required to allow iptables to access the kernel module, without it iptables will give you an error attempting to use a log command.

(You can do "ipkg install iptables-mod-extra" and it will automatically load kmod-ipt-extra, the reverse is not true)

Thanks for the help mbm. I have never really worked with iptables (I'm trying to find a good article on it so I can study up on it), so I am still a little confused. The only objective I have, so far, with firewall.user is to port forward all port 80 traffic to my web server. Thus, I used your suggestion, and changed my firewall.user file to look like this:

#!/bin/sh
. /etc/functions.sh

WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)

iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule

iptables -A forwarding_rule -i $WAN -j LOG --log-prefix "IN $WAN: "

iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 80 -j DNAT --to 192.168.1.100
iptables        -A forwarding_rule -i $WAN -p tcp --dport 80 -d 192.168.1.100 -j ACCEPT

However, I am still not seeing anything, and I am getting "Bad argument `LOG'", so obviously I still don't have it right. What statement do I need to enter to montitor all traffic to and from the router, and where should I place it?  I was also wondering if there is way to send this data to one of my PC's instead of reading it via logread. I have syslog setup to log to a PC so I was hoping I could send this traffic there as well.

I would really appreciate any guidance anyone gould give me about an "iptables for dummies" document that anyone could suggest.

TIA,
Jon

At first i haven't found LOG module at just-installed RC4. So i've downloaded  ALL iptables-* packages, unpacked and found it in iptables-mod-extra.

But why the package descrioption doesn't contain list of modules provided by this package ? It will eliminate this and similar questions forever. I.e. i've also looked for tcpmss for pptp connection and found it in iptables-mod-ipopt. Well, it's right when you know it, but it incomprehensible when you first trying to setup.

(Last edited by sandworm on 4 Mar 2006, 09:25)

The discussion might have continued from here.