Knowing what websites are visited

I would also like to inquire about this -- especially logging IP addresses. My DNS server already logs all DNS requests and all traffic on port 53 is redirected to the intranet.

Also, I'm not in the EU or EEA, so GDPR doesn't apply to me, and I'm processing data of myself only, and my devices (which do not consent to the data processing but aren't considered people, so I don't need their consent :slight_smile: )

I'm using 19.07rc2 on ramips/mt76x8 with an external syslog server.

  • In the future please consider making another thread.
  • What are you inquiring on, exactly?
  • Do you wish to use syslog to record the IPs, or another tool?
1 Like
  1. Okay, though I would like to know if it's because of the thread age, or something else.
  2. I'm inquiring about the topic of the post,
    "I need to know what websites with either partial or complete URL are being visited from my home router. This can be either dumped to a local file and log-rotated or URL info be sent to an external syslog server."
  3. Answered by #2.

So, in summary: I want to be able to log complete HTTP traffic metadata (URL, from LAN IP, to remote IP, via WAN IP, device location (wlan0, wlan1, eth0.1, eth0.2, eth0.3, eth0.4)) to syslog and sync it remotely to an external server (which the built-in syslog server does, and I have successfully set it up).

Right now I have achieved this by adding iptables rules to log all traffic, but the results are not detailed at all. I would like to log HTTP URL and hostname, HTTPS hostname, TCP data in general (from ip & port, to ip & port).
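Added example, not from any poster in this thread: a parser for the syslog lines that the netfilter LOG target produces, showing exactly which metadata such rules yield (ingress/egress interface, source and destination IP, protocol and ports) and how to aggregate it per LAN host and interface. The sample lines, the "LAN-OUT" prefix, the interface names and the addresses are all constructed for the example; the rule quoted in the comment is the kind of rule assumed to have produced them.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample lines in the format the Linux netfilter LOG target writes to
# syslog. The "LAN-OUT: " prefix is assumed to come from a rule such as
#   iptables -I FORWARD -p tcp --syn -j LOG --log-prefix "LAN-OUT: "
# (logging only SYNs keeps one record per connection attempt instead of one per packet).
# The dnsmasq line is included to show that non-netfilter records are skipped.
SAMPLE_SYSLOG = """\
Dec 10 12:00:01 router kernel: [ 1234.567890] LAN-OUT: IN=br-lan OUT=eth0.2 MAC=aa:bb:cc:dd:ee:01:aa:bb:cc:dd:ee:02:08:00 SRC=192.168.1.100 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 10 12:00:02 router kernel: [ 1235.001234] LAN-OUT: IN=wlan0 OUT=eth0.2 MAC=aa:bb:cc:dd:ee:01:aa:bb:cc:dd:ee:03:08:00 SRC=192.168.1.101 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12346 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 10 12:00:03 router kernel: [ 1235.500000] LAN-OUT: IN=wlan1 OUT=eth0.2 MAC=aa:bb:cc:dd:ee:01:aa:bb:cc:dd:ee:04:08:00 SRC=192.168.1.102 DST=1.1.1.1 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=12347 DF PROTO=UDP SPT=53001 DPT=53 LEN=56
Dec 10 12:00:04 router kernel: [ 1236.000000] LAN-OUT: IN=br-lan OUT=eth0.2 MAC=aa:bb:cc:dd:ee:01:aa:bb:cc:dd:ee:02:08:00 SRC=192.168.1.100 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12348 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 10 12:00:05 router dnsmasq[1234]: query[A] example.com from 192.168.1.100
"""

# KEY=value pairs we care about; \b keeps WINDOW= from matching IN=.
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")
# Everything between the kernel timestamp and the first IN= is the rule's --log-prefix.
PREFIX_RE = re.compile(r"kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>.*?)\s*IN=")


@dataclass(frozen=True)
class FlowEvent:
    prefix: str
    in_if: str          # ingress interface: the "device location" the thread asks for
    out_if: str
    src: str
    dst: str
    proto: str
    sport: Optional[int]
    dport: Optional[int]


def parse_log_line(line: str) -> Optional[FlowEvent]:
    """Parse one syslog line; return None for anything that is not a netfilter LOG record."""
    if " kernel: " not in line or "IN=" not in line:
        return None
    fields: Dict[str, str] = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    m = PREFIX_RE.search(line)
    prefix = m.group("prefix").rstrip(": ") if m else ""

    def port(key: str) -> Optional[int]:
        # ICMP records carry no SPT/DPT, so ports are optional.
        return int(fields[key]) if key in fields and fields[key].isdigit() else None

    return FlowEvent(prefix, fields.get("IN", ""), fields.get("OUT", ""),
                     fields["SRC"], fields["DST"], fields.get("PROTO", "?"),
                     port("SPT"), port("DPT"))


def parse_syslog(text: str) -> List[FlowEvent]:
    return [ev for ev in (parse_log_line(ln) for ln in text.splitlines()) if ev]


def summarize(events: List[FlowEvent]) -> Counter:
    """Count records per (ingress interface, LAN host, destination, proto, dport).
    With a --syn rule each count is one new TCP connection attempt."""
    return Counter((e.in_if, e.src, e.dst, e.proto, e.dport) for e in events)


def hosts_by_interface(events: List[FlowEvent]) -> Dict[str, Set[str]]:
    """Map each ingress interface to the LAN hosts seen on it."""
    out: Dict[str, Set[str]] = {}
    for e in events:
        out.setdefault(e.in_if, set()).add(e.src)
    return out


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_SYSLOG)
    for key, n in summarize(evs).most_common():
        print(n, key)
    print(hosts_by_interface(evs))
```

Two things the output makes concrete: the records contain IPs, ports and interfaces but no hostname or URL at all (the DNS log or the TLS handshake is where a name can still be seen), and the IN= field only identifies the individual radio or port when clients are not all bridged into one br-lan, which is the VLAN point raised later in the thread.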

Not possible, by design of HTTP-S

(Nor is anything else in the encrypted channel, such as URLs, other metadata, or content sent/received)

2 Likes

Of course it's possible, I explicitly said hostname, not URL or any other metadata (well, other than IPs and ports of dest and src, time info).

Unless the browser implements Encrypted SNI, it will send the hostname as cleartext in the initial TLS handshake. And since the "browser" is not actually a browser but instead an embedded device with a really bad TLS implementation, it will never have Encrypted SNI enabled.

So why don't you edit the iptables rules - in order to get more of the details you desire?

...or are you seeking someone to assist you with those detailed rules?

iptables is not the answer to logging HTTP and HTTPS metadata, it's suited for logging TCP, mostly. It's too low level.

Also, can you stop with the aggressively attacking attitude. I have been polite with you, it's only fair that you be polite to me, given that I have not posted anything that could be interpreted as being abusive, spam-like in nature, unwanted, etc.

Asking what you're seeking is aggressive and attacking!?!?

LMFAO!

Don't worry, I won't try to help you any further.

1 Like

In the context of the usual forum ruleset of "ask for guidance only, don't request the whole solution", "are you seeking someone to assist you with those detailed rules?" comes off more as aggressive than a genuine offer of help. Especially in the context of "So why don't you" and "or are you".

In any case, I apologize if I have misinterpreted it, English is not my mother tongue.

Well since it's clear now that you don't want to use iptables, I'm not sure what you're seeking.

Rewriting your iptables rules actually seems easy to me.

  • I know of no single solution to do this in OpenWrt, except for iptables.
  • You may be able to set up a HTTP proxy and capture logs thru that?
1 Like

If I were trying to accomplish the goal, I'd run suricata or a similar packet-inspection tool on a suitable host. It would surprise me if a consumer all-in-one has enough compute power to do packet inspection at more than a trickle. MIPS-based SoCs have trouble with something as computationally simple as SQM at around 100-200 Mbps, for example.

Even diverting all the packets to an external host for analysis may well be beyond what an all-in-one can accomplish. Many/most achieve high throughput by offloading the flows from the CPU to the ASIC switch framework.

Seems like you'd need a topology that separates your network into VLANs (or physical LANs) so that you can accomplish your objective of identification of where the associated host is connected.

3 Likes

I care about this issue, because I want to control ads and what is dangerous if any.

@jasonbourne, welcome to the community!

For just ad blocking, see:

Also, seeing traffic does not permit you to stop the dangerous thing. You need an IPS for that.

1 Like

Instead of making a complete different thread, I'll just bump this one.

  • (Not my first post, having difficulties getting access to correct account login information)

As the topic says, "knowing what websites are visited". I have not been able to figure out how to do this with simplicity (a neat GUI); usually when I wanted more knowledge of this, I had to type several commands and so on when using OpenWRT. I then got tired of this and decided to bridge my Raspberry Pi 3B (PiHole) to my WRT3200acm (OpenWRT), which worked flawlessly. But as of today, my Raspberry is my car's new brain and I can therefore no longer use PiHole in a simple way. So my question is:

Could OpenWRT in any way take over PiHole's tasks in terms of providing a good and simple GUI to log IPs, hostnames, data used, by whom and when (time) and so on...


What I'm trying to do here will not break any laws. I feel like this should be said so no one needs to remind me of GDPR and the like. Thank you.


Short answer: Yes, it could. Needs quite some work, though. In case you are interested in a commercial solution, PM me.

Thank you for your reply, I'll be sure to remember your offer.

Guys. Even in https you can see urls, only body is encrypted.

No, you can't; requests travel inside an encrypted connection. The proxy can only see the server name.

1 Like

Yet... SNI is in the process of being superseded by ESNI; once that is widely established, not even the requested host name can be inferred anymore from the outside.

2 Likes
