I can see traffic that is denied but not the allowed port forward rules.
Is it not possible through the GUI to log a specific rule that is allowed?
I tried putting logging on the firewall zones but that didn't help.
Ideas?
/t
You have to add custom firewall rules in /etc/firewall.user.
Example:
iptables -I INPUT -i eth0.2 -m limit --limit 5/sec -j LOG --log-prefix "ACCEPTED wan:"
This rule will log all the incoming traffic on the wan (eth0.2) interface of my router:
root@OpenWrt:~# logread -e wan
Thu Apr 1 18:09:43 2021 kern.warn kernel: [10940.910899] ACCEPTED wan : IN=eth0.2 OUT= MAC=90:9a:4a:96:XX.XX:00:19:99:91:f2:15:08:00:45:00:00:6c SRC=37.157.XXX.XXX DST=192.168.1.115 LEN=108 TOS=0x00 PREC=0x00 TTL=57 ID=14801 PROTO=UDP SPT=51820 DPT=51820 LEN=88
Thu Apr 1 18:09:43 2021 kern.warn kernel: [10940.931524] ACCEPTED wan : IN=eth0.2 OUT= MAC=90:9a:4a:96:XX.XX:00:19:99:91:f2:15:08:00:45:00:02:fc SRC=37.157.XXX.XXX DST=192.168.1.115 LEN=764 TOS=0x00 PREC=0x00 TTL=57 ID=14802 PROTO=UDP SPT=51820 DPT=51820 LEN=744
Thu Apr 1 18:09:45 2021 kern.warn kernel: [10943.526387] ACCEPTED wan : IN=eth0.2 OUT= MAC=ff:ff:ff:ff:ff:ff:40:16:3b:fa:37:15:08:00:45:00:00:3f SRC=192.168.1.246 DST=192.168.1.255 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=8324 DF PROTO=UDP SPT=50962 DPT=15600 LEN=43
Thu Apr 1 18:09:47 2021 kern.warn kernel: [10945.182984] ACCEPTED wan : IN=eth0.2 OUT= MAC=ff:ff:ff:ff:ff:ff:4c:5e:0c:4b:f2:58:08:00:45:00:00:95 SRC=192.168.1.114 DST=255.255.255.255 LEN=149 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=5678 DPT=5678 LEN=129
Depending on what traffic you want to log, you need to use the appropriate chains (INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING).
Thank you for the answer, but I feel so out in deep water with this.
I tried your example but I see no traffic; I want to log traffic from internet -> DMZ port 25565.
Can you explain more what I need to change in order to get my scenario working?
Regards /t
Please post the result of:
iptables-save | grep 25565
(changed external IP)
-A zone_Dmzzone_postrouting -s 192.168.60.0/24 -d 192.168.60.100/32 -p tcp -m tcp --dport 25565:25567 -m comment --comment "!fw3: minecraft (reflection)" -j SNAT --to-source 192.168.60.1
-A zone_Dmzzone_prerouting -s 192.168.60.0/24 -d x.x.x.x/32 -p tcp -m tcp --dport 25565:25567 -m comment --comment "!fw3: minecraft (reflection)" -j DNAT --to-destination 192.168.60.100:25565-25567
-A zone_wan_prerouting -p tcp -m tcp --dport 25565:25567 -m comment --comment "!fw3: minecraft" -j DNAT --to-destination 192.168.60.100:25565-25567
iptables -I zone_Dmzzone_prerouting -p tcp -m tcp --dport 25565:25567 -m limit --limit 5/sec -j LOG --log-prefix "DMZ : "
I tried that one, it just doesn't work:
iptables -I zone_Dmzzone_prerouting -p tcp -m tcp --dport 25565:25567 -m limit --limit 5/sec -j LOG --log-prefix "DMZ : "
iptables: No chain/target/match by that name.
Edit: I see this in the Status > Firewall tab: Chain zone_Dmzzone_prerouting (1 References)
iptables -t nat -I zone_Dmzzone_prerouting -p tcp -m tcp --dport 25565:25567 -m limit --limit 5/sec -j LOG --log-prefix "DMZ : "
Bear with me ;), it accepted that line but still no logs.
-A zone_Dmzzone_postrouting -s 192.168.60.0/24 -d 192.168.60.100/32 -p tcp -m tcp --dport 25565:25567 -m comment --comment "!fw3: minecraft (reflection)" -j SNAT --to-source 192.168.60.1
-A zone_Dmzzone_prerouting -p tcp -m tcp --dport 25565:25567 -m limit --limit 5/sec -j LOG --log-prefix "DMZ : "
-A zone_Dmzzone_prerouting -s 192.168.60.0/24 -d x.x.x.x/32 -p tcp -m tcp --dport 25565:25567 -m comment --comment "!fw3: minecraft (reflection)" -j DNAT --to-destination 192.168.60.100:25565-25567
-A zone_wan_prerouting -p tcp -m tcp --dport 25565:25567 -m comment --comment "!fw3: minecraft" -j DNAT --to-destination 192.168.60.100:25565-25567
watch logread | grep 25565
gives only rejected traffic.
Do I need to enable something else to make this work?
EDIT: Got it working.
I changed it like this:
iptables -t nat -I zone_wan_prerouting -p tcp -m tcp --dport 25565:25567 -m limit --limit 5/sec -j LOG --log-prefix "DMZ : "
Thank you for the help.
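As an added example that is not part of the thread: a small Python parser for the kernel LOG lines that the working "DMZ : " rule writes to logread, with a per-port and per-source count of new inbound connections. The sample lines are constructed (MACs, 203.0.113.x and 198.51.100.x are made up); because the LOG rule is inserted ahead of the DNAT in the nat table, DST in those lines is still the router's public address rather than 192.168.60.100.

```python
import re
from collections import Counter

# Parser for the netfilter LOG lines the "DMZ : " rule writes to logread; the nat
# PREROUTING chain sees only a connection's first packet, so each line is one new attempt.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \S+ kernel: "
    r"\[\s*\d+\.\d+\] (?P<prefix>.*?)(?P<fields>IN=.*)$"
)

# Constructed sample lines (MACs, 203.0.113.x and 198.51.100.x are made up);
# the last one is a reject entry in fw3's default "REJECT wan in:" format.
SAMPLE_LOG = [
    "Thu Apr  1 18:09:43 2021 kern.warn kernel: [10940.910899] DMZ : IN=eth0.2 OUT= "
    "MAC=90:9a:4a:96:aa:bb:00:19:99:91:f2:15:08:00 SRC=203.0.113.5 DST=203.0.113.1 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=57 ID=14801 DF PROTO=TCP SPT=51820 DPT=25565 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Thu Apr  1 18:09:44 2021 kern.warn kernel: [10941.120004] DMZ : IN=eth0.2 OUT= "
    "MAC=90:9a:4a:96:aa:bb:00:19:99:91:f2:15:08:00 SRC=203.0.113.5 DST=203.0.113.1 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=57 ID=14802 DF PROTO=TCP SPT=51821 DPT=25566 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Thu Apr  1 18:09:47 2021 kern.warn kernel: [10945.182984] REJECT wan in: IN=eth0.2 OUT= "
    "MAC=90:9a:4a:96:aa:bb:00:19:99:91:f2:15:08:00 SRC=198.51.100.9 DST=203.0.113.1 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
]

def parse_line(line):
    """Return {ts, prefix, fields, flags} for one LOG line, or None if it is not one."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    fields, flags = {}, []
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value      # SRC, DST, PROTO, SPT, DPT, ...
        else:
            flags.append(tok)        # bare tokens such as DF, SYN, ACK
    return {"ts": m.group("ts"), "prefix": m.group("prefix").strip(" :"),
            "fields": fields, "flags": flags}

def summarize(lines, prefix="DMZ"):
    """Count new connections per proto/dport and per source for one log prefix."""
    per_port, per_src = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["prefix"] != prefix:
            continue                 # skip non-LOG lines and other prefixes
        f = rec["fields"]
        per_port[f.get("PROTO", "?") + "/" + f.get("DPT", "?")] += 1
        per_src[f.get("SRC", "?")] += 1
    return per_port, per_src
```

Feed it `logread -e DMZ` output to see which sources open connections to the forwarded ports; the `-m limit --limit 5/sec` on the rule means counts are a lower bound under load.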
I'm unable to make this persistent between rule changes.
I have this in firewall.user:
iptables -t nat -I zone_wan_prerouting -p tcp -m tcp --dport 2464:2480 -m limit --limit 5/sec -j LOG --log-prefix "DMZ : "
iptables -t nat -I zone_wan_prerouting -p tcp -m tcp --dport 25565:25567 -m limit --limit 5/sec -j LOG --log-prefix "DMZ : "
If I run /etc/firewall.user it works.
I also have it included in /etc/config/firewall:
config include
	option path '/etc/firewall.user'
Any ideas what I'm missing?
EDIT: it runs on /etc/init.d/firewall restart but not when I "save/apply" on firewall rules/port forwards.
EDIT2: this seems to solve that problem for me:
uci set firewall.@include[0].reload="1"
uci commit firewall
service firewall restart