How to log ACCEPTED packets?

Hello, all.

Hostname            OpenWrt
Model               Asus RT-N14U
Architecture        MediaTek MT7620N ver:2 eco:6
Firmware Version    OpenWrt 18.06.4 r7808-ef686b7292
                    LuCI openwrt-18.06 branch (git-19.170.32094-4d6d8bc)
Kernel Version      4.14.131

Now I see in logs REJECTED records only and some service messages,
but there are no ACCEPTED records at all.

What should I do to turn on logging ACCEPTED records too?

Thank you for any possible suggestions.

If you wanted to accept and log all inbound SSH connections on the wan port, for example, then something like this would work:

SSHPORT=22
CHAIN=log_ssh

# IPv4 rules

# Setup table to log incoming connections
iptables -F ${CHAIN} 2> /dev/null
iptables -X ${CHAIN} 2> /dev/null
iptables -N ${CHAIN}
iptables -A ${CHAIN} -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
iptables -A ${CHAIN} -j LOG --log-level 1 --log-prefix "SSH ACCEPT(src wan)"
iptables -A ${CHAIN} -j ACCEPT

# log the SSH port on the WAN
iptables -D input_wan_rule -p tcp --dport ${SSHPORT} -j ${CHAIN} 2> /dev/null
iptables -A input_wan_rule -p tcp --dport ${SSHPORT} -j ${CHAIN}

# IPv6 rules

# Setup table to log incoming connections
ip6tables -F ${CHAIN} 2> /dev/null
ip6tables -X ${CHAIN} 2> /dev/null
ip6tables -N ${CHAIN}
ip6tables -A ${CHAIN} -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
ip6tables -A ${CHAIN} -j LOG --log-level 1 --log-prefix "SSH ACCEPT(src wan)"
ip6tables -A ${CHAIN} -j ACCEPT

# log the SSH port on the WAN
ip6tables -D input_wan_rule -p tcp --dport ${SSHPORT} -j ${CHAIN} 2> /dev/null
ip6tables -A input_wan_rule -p tcp --dport ${SSHPORT} -j ${CHAIN}

Then you need an entry in your /etc/config/firewall to load this on restart and reload:

config include
	option type 'script'
	option path '/etc/firewall.d/firewall.logssh'
	option family 'any'
	option reload '1'

Dear @dl12345, thank you for the reply.

Your example is very useful, but it is intended for a rather special case: incoming traffic from anywhere on the WAN to my WAN TCP:22.

Moreover (if I understood you right), it involves an 'accept and log' action, while I'm not interested in allowing (ACCEPT) any additional specific connections, only in logging already accepted connections regardless of their origin.

On the original Asus firmware all records - ACCEPTED, REJECTED and others - were logged by default and successfully sent to the syslog server. And I hoped that there is a simple hidden option in OpenWRT to turn on logging of ACCEPTED records.

Unfortunately, my experience is limited to LuCI use only, and I can't clearly understand how to adapt your example to my needs =(

Correct, so your firewall would have to be changed from "Accept" to "Accept and Log" - wouldn't you agree?

Wonderful! Can you show us the source code for that, please?

Perhaps there's an easier script.

Dear @lleachii, hello.

Yes-s, boss-s! Exactly!
This is the goal for which I'm here and which I described in my first message:
"What should I do to turn on logging ACCEPTED records too?"
=))

I.e. "What should I do" to change the firewall's behavior "from "Accept" to "Accept and Log""


Hmm... mission impossible.. =(
.. for the following reasons:

  1. The first RT-N14U with the original Asus firmware is far away from me now.
  2. The second RT-N14U I got as-is, with OpenWRT already flashed to it.
  3. And the main one: sources... My skill is no deeper than web-GUI usage.

OK. About the firewall:

  1. Firewall - Zone Settings - General Settings
    There are no log-related options
  2. Firewall - Zone Settings - Zone "lan"
    - General Settings
    Input, Output, Forward - ACCEPT
    - Advanced Settings
    Enable logging on this zone - Turned On (checked)
    Limit log messages - Not filled (def. 10/minute)

It seems that is just enough to get log records for ACCEPTED connections from any host on the LAN, yeah?

But I see "REJECT wan in" only ...

No, that's not what I meant. I think you just want to skip the work needed - as @dl12345 suggested.

I mean the code in your router has to be changed. It's currently Accept/Reject/Drop... you have to add Accept-Log, as I see no such thing; and you're the first person I've met :wave: that wants to log accepted packets in this manner (I use Netflow to record traffic).

I hope this clears things up.

You may want to open a thread in the For Developers section if you're making a Feature Request.

I know, was kinda the point. I was hoping you were making the request easier for the "would be" developers.

Dear @lleachii, thank you for the prompt reply.

However, I'm completely confused now. Sorry.
Let's forget everything written above and begin again from a blank sheet.

Would you please (or anybody else) explain to me
why the set of options described above for ..:

.. is NOT ENOUGH to get log records for ACCEPTED connections from the LAN?

I'm not sure why you think this is a better idea than using what is already available in OpenWrt. The question is what you gain from the added complexity of installing something that can actually export Netflow on an OpenWrt device. That said, I have been able to use ulogd for the purpose, but that again is additional software. I'm also trying to find an easy and non-invasive way to add logging for all lan2wan packets, but so far I have not achieved the goal. So if someone wants to share a working config for that, it would be very much appreciated. I will keep digging though...

I have to maintain the records, and the software doesn't log accepts. Further, the storage in OpenWrt is not persistent. Next, I monitor 3 border interfaces including WAN. In addition, for example, it would also be impossible to log a packet matching a RAW DROP rule.

What are you seeking a working config of (I'm guessing you didn't read the thread completely)?

EDIT: I also need to record REJECT/DROPped/RAW-DROP traffic at those borders.

Well then your use case doesn't work with the straightforward, easy solution of using iptables - no need to propagate to others that Netflow is the solution.

Yes, I did, and it ends with an open, valid question. It is also not so clear from the documentation that the log option only works for REJECTs (at least to me).

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'
        option log_limit '10/second'
        option log '1'

If you look at the output of fw3 and iptables for this configuration, no log lines are added. So I think the open question is why that is the case.

Ummmm, recording logs to non-persistent storage makes no sense to me; but OK... you lose your logs. Maybe I'm missing your point and use case.

My apologies.

You can easily forward syslog to any host, which is what I actually do. So then I receive the logs with the Filebeat syslog input and then use the iptables module and get beautiful options out of the box... so yes, I guess you are kind of missing the point.


Correct, that's more software too. From your wording, I thought you sought a solution without a second device involved, my mistake.

A log server versus a collector/display server (like nfSen) - same difference to me; but I understand your point. For just as much setup, you have more fine-grained Layer 3 data for IPv4 and IPv6 with netflow.

But I do understand your point now! :+1:

I hope the best for your config.

I'm not sure you do. My point was more software on the OpenWrt device. Syslog forwarding and iptables are in the base installation, well tested and pretty solid. Netflow is a whole different story..

I will have a look at the implementation logic if none of the gurus say there is a strong reason for not logging the accepted packets. Of course something like that would fill the logs fast locally, but then this could be the same for reject..

I got that...but I'm almost certain this thread was regarding a difficulty with using iptables to log accepted packets... :confused:

But yep, I got your point originally, sorry to disturb.

:bulb: You can always make a log rule identical to the accepts (placing it immediately above), it's double processing, though.

There is no easy way, but if you really want it you can make a firewall script to add some lines:
for xxx in every zone you have
-I zone_xxx_[src|dest]_[ACCEPT|REJECT] -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "[ACCEPT|REJECT] xxx [in|out]: "

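The two suggestions above (a LOG rule placed immediately before the accept rule, and the per-zone `-I zone_xxx_..._ACCEPT` lines) amount to the same firewall include script. The following is an added example written for this thread, not code posted by any participant, and it assumes: fw3's chain naming `zone_<zone>_src_<ACTION>` / `zone_<zone>_dest_<ACTION>`, the `!fw3` comment (as in the post above) to keep fw3 from flushing the rule on reload, a `ZONES` list matching the zones in /etc/config/firewall, and an assumed install path of /etc/firewall.d/firewall.logaccept referenced from a `config include` section like the one earlier in the thread.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread. It automates the
# rule the post above describes: a rate-limited LOG rule inserted at the top
# of every fw3 zone ACCEPT/REJECT chain, so accepted packets are logged the
# same way rejected ones already are. Install it as an fw3 include
# (config include / option type 'script' / option reload '1').
#
# Assumptions (labelled): fw3 names its chains zone_<zone>_src_<ACTION> and
# zone_<zone>_dest_<ACTION>; the "!fw3" comment keeps fw3 from deleting the
# rule on reload; ZONES lists the zone names from /etc/config/firewall; the
# file is installed as /etc/firewall.d/firewall.logaccept (assumed name).

ZONES="${ZONES:-lan wan}"
LIMIT="${LIMIT:-10/sec}"
IPT="${IPT:-iptables}"      # run a second time with IPT=ip6tables for IPv6

# Insert one LOG rule for zone/direction/action. Returns non-zero on a bad
# direction or if the table command fails.
add_log_rule() {
    zone=$1 dir=$2 action=$3
    case "$dir" in
        src)  label=in ;;
        dest) label=out ;;
        *)    echo "add_log_rule: unknown direction '$dir'" >&2; return 2 ;;
    esac
    chain="zone_${zone}_${dir}_${action}"
    # Remove a previous copy first so firewall reloads do not stack duplicates.
    "$IPT" -D "$chain" -m limit --limit "$LIMIT" -m comment --comment "!fw3" \
        -j LOG --log-prefix "$action $zone $label: " 2>/dev/null
    "$IPT" -I "$chain" -m limit --limit "$LIMIT" -m comment --comment "!fw3" \
        -j LOG --log-prefix "$action $zone $label: "
}

# Install rules for every zone, both directions, both actions.
# Prints the number of rules successfully installed.
install_all() {
    n=0
    for zone in $ZONES; do
        for dir in src dest; do
            for action in ACCEPT REJECT; do
                add_log_rule "$zone" "$dir" "$action" && n=$((n + 1))
            done
        done
    done
    echo "$n"
}

# Only run when executed as the installed include file, so sourcing this file
# for its functions (or running it under another name) changes nothing.
case "${0##*/}" in
    firewall.logaccept) install_all >/dev/null ;;
esac
```

The log prefix is built from the action, zone and direction; iptables caps `--log-prefix` at 29 characters, so very long zone names need a shorter `LIMIT`-independent prefix. Each rule matches every packet entering the zone's ACCEPT or REJECT chain, so the `-m limit` stays in place to protect syslog (and the remote syslog host the thread mentions) from being flooded, and the `-D` before `-I` means a `fw3 reload` does not leave two copies of the same rule.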

I was going to edit a post I made to @mdiehm - I missed the most important reason, which is relevant to a normal use case (although I don't see how multiple borders, i.e. VPN, IPv6, doesn't equal 3). My desire to record is a simple personal use case... just like one recording the security camera footage at their home's entrance.

Mainly: I can't record traffic based on RAW ACCEPT rules with iptables! :bulb:

The raw table is mainly only used for one thing, and that is to set a mark on packets that they should not be handled by the connection tracking system. This is done by using the NOTRACK target on the packet. If a connection is hit with the NOTRACK target, then conntrack will simply not track the connection.

I don't see why this is an issue.

How do you log a connection not tracked [in the Kernel by the ipt module(s)]? :wink:

Off the top of my head, I would direct the packets that are not to be tracked to a new chain, log them, and then not track them.