Log incoming allowed traffic - how?

I can see traffic that is denied but not the allowed port forward rules.

Is it not possible through the GUI to log a specific rule that is allowed?

Tried putting logging on the fw zones but that didn't help.
Ideas?

/t

You have to add custom firewall rules in /etc/firewall.user.

Example:

iptables -I INPUT -i eth0.2 -m limit --limit 5/sec -j LOG --log-prefix "ACCEPTED wan:"

This rule will log all the incoming traffic on the wan (eth0.2) interface of my router:

root@OpenWrt:~# logread -e wan
Thu Apr  1 18:09:43 2021 kern.warn kernel: [10940.910899] ACCEPTED wan : IN=eth0.2 OUT= MAC=90:9a:4a:96:XX.XX:00:19:99:91:f2:15:08:00:45:00:00:6c SRC=37.157.XXX.XXX DST=192.168.1.115 LEN=108 TOS=0x00 PREC=0x00 TTL=57 ID=14801 PROTO=UDP SPT=51820 DPT=51820 LEN=88
Thu Apr  1 18:09:43 2021 kern.warn kernel: [10940.931524] ACCEPTED wan : IN=eth0.2 OUT= MAC=90:9a:4a:96:XX.XX:00:19:99:91:f2:15:08:00:45:00:02:fc SRC=37.157.XXX.XXX DST=192.168.1.115 LEN=764 TOS=0x00 PREC=0x00 TTL=57 ID=14802 PROTO=UDP SPT=51820 DPT=51820 LEN=744
Thu Apr  1 18:09:45 2021 kern.warn kernel: [10943.526387] ACCEPTED wan : IN=eth0.2 OUT= MAC=ff:ff:ff:ff:ff:ff:40:16:3b:fa:37:15:08:00:45:00:00:3f SRC=192.168.1.246 DST=192.168.1.255 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=8324 DF PROTO=UDP SPT=50962 DPT=15600 LEN=43
Thu Apr  1 18:09:47 2021 kern.warn kernel: [10945.182984] ACCEPTED wan : IN=eth0.2 OUT= MAC=ff:ff:ff:ff:ff:ff:4c:5e:0c:4b:f2:58:08:00:45:00:00:95 SRC=192.168.1.114 DST=255.255.255.255 LEN=149 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=5678 DPT=5678 LEN=129

Depending on what traffic you want to log, you need to use the appropriate chains (INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING).


Thank you for the answer, but I feel so out on deep water with this.

I tried your example but I see no traffic; I want to log traffic from internet -> DMZ port 25565.

Can you explain more what I need to change in order to get my scenario working?

Regards /t

Please post the result of:

iptables-save | grep 25565

(changed external IP)
-A zone_Dmzzone_postrouting -s 192.168.60.0/24 -d 192.168.60.100/32 -p tcp -m tcp --dport 25565:25567 -m comment --comment "!fw3: minecraft (reflection)" -j SNAT --to-source 192.168.60.1
-A zone_Dmzzone_prerouting -s 192.168.60.0/24 -d x.x.x.x/32 -p tcp -m tcp --dport 25565:25567 -m comment --comment "!fw3: minecraft (reflection)" -j DNAT --to-destination 192.168.60.100:25565-25567
-A zone_wan_prerouting -p tcp -m tcp --dport 25565:25567 -m comment --comment "!fw3: minecraft" -j DNAT --to-destination 192.168.60.100:25565-25567

iptables -I zone_Dmzzone_prerouting -p tcp -m tcp --dport 25565:25567 -m limit --limit 5/sec -j LOG --log-prefix "DMZ : "

I tried that one, it just doesn't work:

iptables -I zone_Dmzzone_prerouting -p tcp -m tcp --dport 25565:25567 -m limit --limit 5/sec -j LOG --log-prefix "DMZ : "
iptables: No chain/target/match by that name.

Edit: I see this in the status firewall tab: Chain zone_Dmzzone_prerouting (1 References)

iptables -t nat -I zone_Dmzzone_prerouting -p tcp -m tcp --dport 25565:25567 -m limit --limit 5/sec -j LOG --log-prefix "DMZ : "


Bear with me ;), it accepted that line but still no logs:

-A zone_Dmzzone_postrouting -s 192.168.60.0/24 -d 192.168.60.100/32 -p tcp -m tcp --dport 25565:25567 -m comment --comment "!fw3: minecraft (reflection)" -j SNAT --to-source 192.168.60.1
-A zone_Dmzzone_prerouting -p tcp -m tcp --dport 25565:25567 -m limit --limit 5/sec -j LOG --log-prefix "DMZ : "
-A zone_Dmzzone_prerouting -s 192.168.60.0/24 -d x.x.x.x/32 -p tcp -m tcp --dport 25565:25567 -m comment --comment "!fw3: minecraft (reflection)" -j DNAT --to-destination 192.168.60.100:25565-25567
-A zone_wan_prerouting -p tcp -m tcp --dport 25565:25567 -m comment --comment "!fw3: minecraft" -j DNAT --to-destination 192.168.60.100:25565-25567

watch logread | grep 25565
gives only rejected

Do I need to enable something else to make this work?

EDIT: Got it working ;)
Changed it like this:
iptables -t nat -I zone_wan_prerouting -p tcp -m tcp --dport 25565:25567 -m limit --limit 5/sec -j LOG --log-prefix "DMZ : "

thank you for the help
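As an added example that is not part of this thread, here is a small Python parser for the logread lines the LOG rules above produce (the "ACCEPTED wan:" rule from the first answer and the "DMZ : " rule on zone_wan_prerouting), so accepted-traffic logs can be summarised per prefix and port instead of eyeballed with grep. The sample lines are constructed in the same format, with documentation-range addresses; the "REJECT wan in" prefix is assumed to be the router's default reject log prefix.

```python
import re
from collections import Counter

# Constructed sample in the logread format shown above; addresses are from
# documentation ranges. DST is still the WAN address on the "DMZ" lines because
# the LOG rule sits ahead of the DNAT rule in zone_wan_prerouting.
SAMPLE_LOG = """\
Thu Apr  1 18:09:43 2021 kern.warn kernel: [10940.910899] ACCEPTED wan : IN=eth0.2 OUT= MAC=90:9a:4a:96:aa:bb:00:19:99:91:f2:15:08:00 SRC=203.0.113.5 DST=192.168.1.115 LEN=108 TOS=0x00 PREC=0x00 TTL=57 ID=14801 PROTO=UDP SPT=51820 DPT=51820 LEN=88
Thu Apr  1 18:10:01 2021 kern.warn kernel: [10958.123456] DMZ : IN=eth0.2 OUT= MAC=90:9a:4a:96:aa:bb:00:19:99:91:f2:15:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=49152 DPT=25565 WINDOW=64240 RES=0x00 SYN URGP=0
Thu Apr  1 18:10:02 2021 kern.warn kernel: [10959.222222] DMZ : IN=eth0.2 OUT= MAC=90:9a:4a:96:aa:bb:00:19:99:91:f2:15:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=49152 DPT=25565 WINDOW=502 RES=0x00 ACK URGP=0
Thu Apr  1 18:10:03 2021 kern.warn kernel: [10960.333333] REJECT wan in: IN=eth0.2 OUT= MAC=90:9a:4a:96:aa:bb:00:19:99:91:f2:15:08:00 SRC=203.0.113.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=7 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Thu Apr  1 18:10:05 2021 daemon.info dnsmasq[1234]: started, version 2.85
"""

# syslog timestamp, facility.level, kernel uptime stamp, free-text
# --log-prefix, then the packet fields starting at IN=
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) kern\.\w+ kernel: "
    r"\[\s*\d+\.\d+\] (?P<prefix>.*?)(?P<fields>IN=.*)$"
)

def parse_log_line(line):  # dict for an iptables LOG line, None otherwise
    m = LOG_RE.match(line)
    if not m:
        return None
    fields, flags = {}, []
    for tok in m.group("fields").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields.setdefault(k, v)  # keep the first LEN (IP total length)
        else:
            flags.append(tok)        # bare tokens: DF, SYN, ACK, ...
    port = lambda k: int(fields[k]) if k in fields else None
    return {"ts": m.group("ts"),
            "prefix": m.group("prefix").strip().rstrip(":").strip(),
            "src": fields.get("SRC"), "dst": fields.get("DST"),
            "proto": fields.get("PROTO"), "spt": port("SPT"),
            "dpt": port("DPT"), "flags": flags}

def records(log_text):
    return [r for r in map(parse_log_line, log_text.splitlines()) if r]

def summarize(log_text):  # packets per (prefix, protocol, destination port)
    return Counter((r["prefix"], r["proto"], r["dpt"]) for r in records(log_text))

def new_tcp_connections(log_text, prefix):  # SYN-only packets per source
    return Counter(r["src"] for r in records(log_text)
                   if r["prefix"] == prefix and r["proto"] == "TCP"
                   and "SYN" in r["flags"] and "ACK" not in r["flags"])
```

On the router itself, feed it `logread -e "DMZ :"` output; counting SYN-only packets per source under the "DMZ" prefix shows who is actually opening connections to the forwarded port rather than every packet of an established session.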


I'm unable to make this persistent between rule changes.

This is in firewall.user:
iptables -t nat -I zone_wan_prerouting -p tcp -m tcp --dport 2464:2480 -m limit --limit 5/sec -j LOG --log-prefix "DMZ : "
iptables -t nat -I zone_wan_prerouting -p tcp -m tcp --dport 25565:25567 -m limit --limit 5/sec -j LOG --log-prefix "DMZ : "

If I run /etc/firewall.user it works.
I also have it included in /etc/config/firewall:
config include
option path '/etc/firewall.user'

Any ideas what I'm missing?

EDIT: It runs on /etc/init.d/firewall restart but not when I "save/apply" on firewall rules/port forward.
EDIT2: This seems to solve that problem for me:
uci set firewall.@include[0].reload="1"
uci commit firewall
service firewall restart
