How to log forwarded packets from LAN to WAN

Hi. I would like to thank the community that makes this project possible.

I have the following configuration:

zone   in      out     forward
lan    accept  accept  drop
wan    drop    accept  drop

The rule:

config rule
        option target 'ACCEPT'
        option proto 'tcp'
        option name 'basico'
        option dest_port '21 80 443 '
        option src '*'
        option dest 'wan'

In firewall.user:
iptables -N LOGGING
iptables -A FORWARD -j LOGGING
iptables -A LOGGING -m limit --limit 1/min -j LOG --log-level 7

From LAN to WAN I got this:
SRC=192.168.0.101 DST=139.59.210.197 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=25345 DF PROTO=TCP SPT=27899 DPT=443 WINDOW=65340 RES=0x00 SYN URGP=0

What am I doing wrong?
Best regards.

What do you want to accomplish? (expected behavior)
What is really happening?

This is traffic to/from this OpenWrt site. You copied the wrong traffic from the command line.

  • Also, you opened FTP, HTTP and HTTPS on your router...is this what you meant to do?

That's very insecure...and there's no FTP or HTTPS running on a default OpenWrt instance.

  • Can you explain your actual problem?

I expected to see the denied forwarded packets in the system log.

uci show firewall | grep -E "@defaults|@forwarding"
iptables-save -t filter | grep FORWARD

I believe that I have found the error:
--log-level 7 shows everything, but if I set --log-level 4 it shows only drops.

Is that right?

How are you trying to show us denied forwards, when you showed us an ACCEPT firewall rule?

  • Can you actually explain your problem (not what you were trying to show)?
  • Are you having issue getting to some websites?

It doesn't work that way.
LOG-action doesn't drop packets.
Zone forwarding policy doesn't apply to traffic forwarded between different zones.
You should utilize forwarding and defaults settings.

Ok. To be precise, the destination from LAN to WAN on port 443 is accepted. However, the rest of the traffic is not.

SRC=192.168.0.101 DST=139.59.210.197 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=25345 DF PROTO=TCP SPT=27899 DPT=443 WINDOW=65340 RES=0x00 SYN URGP=0

I think this happens because of the log level 7 that I had.

How could it be done from the GUI interface or permanently from console?

I tried this in firewall.user:
iptables -N LOGGING
iptables -A FORWARD -j LOGGING
iptables -A LOGGING -m limit --limit 1/min -j LOG --log-level 4
iptables -A LOGGING -j DROP

But after the reset there is no web traffic.

I'm still confused.

Are you under some impression that the firewall rule you posted in Post #1 is somehow related to (or a possible fix to) your issue?

It's not, and actually a security risk opening the world to your OpenWrt router!

Also, why are you under an impression that packets are being dropped?

Also, can you fully describe the issue, not what you're trying to post?

LAN to WAN traffic works by default.

I thought the log was doing the drop.

:man_facepalming:

You haven't explained why you made a log rule...so we can't help.

I was referring to the option dest_port '21 80 443 '. This rule is wrong and dangerous!!!

Please CLEARLY explain the issue that made you create this thread. DO NOT attempt to post logs at this time.

EDIT: I see you significantly changed the title of this thread so that it no longer mentions an issue with traffic to a tcp/443 server from the LAN, so disregard.

If you only desired to record a packet from LAN to WAN at any tcp/443, what you posted was successful.

So sorry. :pensive:

cat << "EOF" > /etc/firewall.user
iptables -A FORWARD -m limit --limit 1/min -j LOG --log-level 7
iptables -A FORWARD -j REJECT
EOF
uci set firewall.@include[0].reload="1"
uci set firewall.@defaults[0].forward="ACCEPT"
uci commit firewall
service firewall restart
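As an added example (not from the thread or from OpenWrt itself), a small Python parser for the kernel LOG lines that rules like the ones above write to the system log: it pulls the KEY=value fields out of each syslog line, skips lines that are not netfilter entries, and tallies LAN to WAN entries by source host, protocol and destination port. With the LOG-then-REJECT pair in firewall.user, every entry it counts is a forward that the REJECT rule then refused. The interface names br-lan/eth0 and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the netfilter LOG format shown in the
# thread (made-up entries, not captured from the poster's router).
SAMPLE_LOG = """\
Jan  1 10:00:01 OpenWrt kernel: [ 1234.56] IN=br-lan OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.101 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=25345 DF PROTO=TCP SPT=27899 DPT=443 WINDOW=65340 RES=0x00 SYN URGP=0
Jan  1 10:00:07 OpenWrt kernel: [ 1240.01] IN=br-lan OUT=eth0 SRC=192.168.0.101 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=25346 DF PROTO=TCP SPT=27900 DPT=25 WINDOW=65340 RES=0x00 SYN URGP=0
Jan  1 10:00:09 OpenWrt kernel: [ 1242.33] IN=br-lan OUT=eth0 SRC=192.168.0.102 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=51000 DPT=53 LEN=40
Jan  1 10:00:10 OpenWrt dropbear[123]: Password auth succeeded for 'root'
"""

# netfilter LOG fields are upper-case KEY=value tokens; bare flags such as
# DF or SYN carry no '=' and are deliberately ignored here.
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return a dict of KEY=value fields from one netfilter LOG line,
    or None when the line is not a netfilter entry (no SRC=/DST= fields)."""
    fields = dict(KV_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return fields


def summarize_forwards(log_text, in_iface="br-lan", out_iface="eth0"):
    """Count logged forwards from in_iface to out_iface, keyed by
    (source host, protocol, destination port). Interface names are assumed."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None or f.get("IN") != in_iface or f.get("OUT") != out_iface:
            continue
        counts[(f["SRC"], f.get("PROTO"), f.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    # On a router this could read /tmp/log or the output of `logread` instead.
    for (src, proto, dpt), n in sorted(summarize_forwards(SAMPLE_LOG).items()):
        print(f"{src:15} {proto:4} dpt={dpt:5} count={n}")
```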
