How to log firewall rules

I run my own DNS servers locally (two Pi-holes) and use firewall rules that I have added using the LuCI firewall. They work as expected, but I would like to log any device that decides not to respect my DHCP settings that point to my local DNS server.

Here are the rules that I am currently using, which work:

#keep network on pi-hole
iptables -t nat -I PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to 192.168.200.10:53
iptables -t nat -I PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to 192.168.200.10:53
iptables -t nat -I PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to 192.168.200.11:53
iptables -t nat -I PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to 192.168.200.11:53
#punch DNS hole for pi-hole
iptables -t nat -I PREROUTING -i br-lan -p tcp -s 192.168.200.10 --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -i br-lan -p udp -s 192.168.200.10 --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -i br-lan -p tcp -s 192.168.200.11 --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -i br-lan -p udp -s 192.168.200.11 --dport 53 -j ACCEPT

Also, if it is possible, where do I look to find the log?

Thank you

You can use the LOG target.

   LOG
       Turn on kernel logging of matching packets. When this option is set
       for a rule, the Linux kernel will print some information on all
       matching packets (like most IP header fields) via the kernel log
       (where it can be read with dmesg or syslogd(8)). This is a
       "non-terminating target", i.e. rule traversal continues at the next
       rule. So if you want to LOG the packets you refuse, use two separate
       rules with the same matching criteria, first using target LOG then
       DROP (or REJECT).

       --log-level level
              Level of logging (numeric or see syslog.conf(5)).

       --log-prefix prefix
              Prefix log messages with the specified prefix; up to 29
              letters long, and useful for distinguishing messages in the
              logs.

       --log-tcp-sequence
              Log TCP sequence numbers. This is a security risk if the log
              is readable by users.

       --log-tcp-options
              Log options from the TCP packet header.

       --log-ip-options
              Log options from the IP packet header.

       --log-uid
              Log the userid of the process which generated the packet.

For example:

iptables -A forwarding_rule -p udp --dport 53 -j LOG
iptables -A forwarding_rule -p tcp --dport 53 -j LOG
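A worked version of the LOG approach from the answer above, tied to the asker's setup, as an added example that is not part of either post. It assumes the asker's LAN bridge (br-lan) and Pi-hole addresses (192.168.200.10 and .11); the chain name dns_bypass, the log prefix, the rate limit and the sample log lines are my own choices and are constructed, not captured from a real router. The LOG rule is placed in the nat PREROUTING chain, ahead of the poster's DNAT rules, so it records the destination the client actually asked for before the redirect rewrites it; queries from or to a Pi-hole are skipped so that only devices ignoring the DHCP-provided DNS show up. The second function parses the resulting kernel log lines and counts offending source addresses.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed layout (from the question):
LAN_IF="${LAN_IF:-br-lan}"
PIHOLES="${PIHOLES:-192.168.200.10 192.168.200.11}"
# --log-prefix is limited to 29 characters; this one is well under it.
PREFIX="${PREFIX:-DNS-BYPASS: }"
# Set IPT=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"

# Build a dedicated nat-table chain so the "skip the Pi-holes" logic is
# written once, then hook it in front of the existing DNAT rules.
dns_bypass_log_rules() {
    $IPT -t nat -N dns_bypass 2>/dev/null || $IPT -t nat -F dns_bypass
    for ph in $PIHOLES; do
        $IPT -t nat -A dns_bypass -s "$ph" -j RETURN   # Pi-hole's own upstream queries
        $IPT -t nat -A dns_bypass -d "$ph" -j RETURN   # client is already using a Pi-hole
    done
    # LOG is non-terminating: after logging, PREROUTING continues to the DNAT rules.
    # The limit match keeps a chatty client from flooding the log.
    $IPT -t nat -A dns_bypass -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "$PREFIX" --log-level 4
    # -I puts the hook at the top of PREROUTING, before the DNAT rules, so the
    # logged DST= is the resolver the client really tried to reach.
    for proto in tcp udp; do
        $IPT -t nat -I PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 -j dns_bypass
    done
}

# Read kernel log lines on stdin (logread on OpenWrt, dmesg elsewhere), keep the
# ones carrying our prefix, and count them per "client -> resolver" pair.
dns_offenders() {
    awk -v p="$PREFIX" '
        index($0, p) == 0 { next }
        {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)      src = substr($i, 5)
                else if ($i ~ /^DST=/) dst = substr($i, 5)
            }
            if (src != "") count[src " -> " dst]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample of what logread shows once the rules are in place
# (three bypass attempts plus one unrelated dnsmasq line that must be ignored).
SAMPLE_LOG='Mon Jan  1 10:00:01 2024 kern.warn kernel: [ 1201.100] DNS-BYPASS: IN=br-lan OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.200.57 DST=8.8.8.8 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=41000 DPT=53 LEN=41
Mon Jan  1 10:00:02 2024 kern.warn kernel: [ 1202.200] DNS-BYPASS: IN=br-lan OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 SRC=192.168.200.23 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=52000 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0
Mon Jan  1 10:00:03 2024 kern.warn kernel: [ 1203.300] DNS-BYPASS: IN=br-lan OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.200.57 DST=8.8.8.8 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=41001 DPT=53 LEN=41
Mon Jan  1 10:00:04 2024 daemon.info dnsmasq-dhcp[1234]: DHCPACK(br-lan) 192.168.200.57'

case "${1:-demo}" in
    install) dns_bypass_log_rules ;;
    report)  { logread 2>/dev/null || dmesg; } | dns_offenders ;;
    demo)    printf '%s\n' "$SAMPLE_LOG" | dns_offenders ;;
esac
```

Run it with `install` on the router (or `IPT=echo sh script.sh install` first to see the rules), then `report` to read the log: on OpenWrt the LOG target's output lands in `logread` under the kern facility, on a stock Linux box in `dmesg`. Two caveats a practitioner should know: the nat table is consulted only for the first packet of each conntrack flow, so a client is logged once per DNS connection rather than once per packet, and the RETURN rules deliberately hide the Pi-holes' own upstream traffic, so if a Pi-hole itself were misconfigured this rule set would not show it.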