Logging port forwarded usage

I'm trying to log any access to ports which are set up for port forwarding and I've been following the details in this article:

I've added this to the /etc/firewall.user file, and adjusted the port so it's the open forwarded port on my system (port 31985 forwarded to 443 on an internal device). However, when I connect to the port and use the service, nothing shows up in the logs regardless of the log level I select in the System -> System -> Logging tab in Luci.

I'm running: OpenWrt 21.02.3 r16554-1d4dea6d4f / LuCI openwrt-21.02 branch git-22.119.37126-a993714, on a Raspberry Pi 4

Also, something else quirky is that no matter what I set the log level to in the system tab, I continue to get "daemon.info" level messages from dnsmasq-dhcp. Is there any way to limit those in the standard logging system? Setting the system log level to Warning or higher doesn't seem to remove those info level messages.

Thanks!

iptables-save -c ?

iptables -t nat -A prerouting_wan_rule -p tcp --dport 31985 -m limit --limit 5/sec -j LOG --log-prefix "port_fwrd: "
logread -e port_fwrd
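
A practical follow-on to the rule above (added here as an example; it is not part of the thread or of OpenWrt). The LOG rule sits in the nat PREROUTING path, which conntrack consults only for the first packet of a connection, so every line `logread -e port_fwrd` prints is one new connection attempt, and its SRC/DST/DPT are the pre-DNAT values (the public address and port 31985, not 192.168.10.8:443). The script below parses such a dump into fields and counts new connections per source address, ignoring unrelated lines such as the dnsmasq-dhcp chatter. The sample log text is constructed to match the kernel LOG format; the addresses 203.0.113.5 and 198.51.100.77 are made up.

```python
from collections import Counter

LOG_PREFIX = "port_fwrd: "  # must match the --log-prefix of the LOG rule

# Constructed sample of what `logread -e port_fwrd` prints for a LOG rule in the
# nat prerouting_wan_rule chain. DST/DPT are pre-DNAT (public IP, public port).
# The dnsmasq-dhcp line stands in for unrelated noise in the same log.
SAMPLE_LOG = """\
Mon Jun  6 13:20:51 2022 kern.warn kernel: [71023.110287] port_fwrd: IN=eth1 OUT= MAC=dc:a6:32:00:00:01:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=68.10.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=51234 DPT=31985 WINDOW=64240 RES=0x00 SYN URGP=0
Mon Jun  6 13:21:02 2022 kern.warn kernel: [71034.201122] port_fwrd: IN=eth1 OUT= MAC=dc:a6:32:00:00:01:00:11:22:33:44:55:08:00 SRC=198.51.100.77 DST=68.10.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=9001 DF PROTO=TCP SPT=40022 DPT=31985 WINDOW=65535 RES=0x00 SYN URGP=0
Mon Jun  6 13:21:03 2022 kern.warn kernel: [71035.311900] port_fwrd: IN=eth1 OUT= MAC=dc:a6:32:00:00:01:00:11:22:33:44:55:08:00 SRC=198.51.100.77 DST=68.10.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=9002 DF PROTO=TCP SPT=40023 DPT=31985 WINDOW=65535 RES=0x00 SYN URGP=0
Mon Jun  6 13:21:05 2022 daemon.info dnsmasq-dhcp[1234]: DHCPACK(br-lan) 192.168.10.42 aa:bb:cc:dd:ee:ff laptop
"""


def parse_log_line(line, prefix=LOG_PREFIX):
    """Return the KEY=VALUE fields of one netfilter LOG line as a dict,
    or None when the line was not produced by our rule."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    fields = {}
    for tok in line[idx + len(prefix):].split():
        key, sep, val = tok.partition("=")
        fields[key] = val if sep else True   # bare flags such as DF, SYN, ACK
    for key in ("SPT", "DPT", "LEN", "TTL", "ID"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def summarize(text, prefix=LOG_PREFIX):
    """Parse a logread dump. Returns (records, new_connections_per_source).
    Each record is one new connection because the nat table only sees the
    first packet of a flow."""
    records = [r for r in (parse_log_line(l, prefix) for l in text.splitlines()) if r]
    per_src = Counter(r["SRC"] for r in records)
    return records, per_src


if __name__ == "__main__":
    recs, per_src = summarize(SAMPLE_LOG)
    for r in recs:
        print(f'{r["SRC"]}:{r["SPT"]} -> {r["DST"]}:{r["DPT"]} in={r["IN"]} proto={r["PROTO"]}')
    print("new connections per source:", dict(per_src))
```

On the router itself the same parser can be fed with `logread -e port_fwrd | python3 thisfile.py` if you replace `SAMPLE_LOG` by `sys.stdin.read()`; the field names (IN, SRC, DST, PROTO, SPT, DPT) are those the kernel LOG target always emits.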
# Generated by iptables-save v1.8.7 on Mon Jun  6 13:20:51 2022
*nat
:PREROUTING ACCEPT [656686:88329675]
:INPUT ACCEPT [68103:5564225]
:OUTPUT ACCEPT [30912:2276354]
:POSTROUTING ACCEPT [250:50844]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[656785:88335739] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[554138:81798989] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[102647:6536750] -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i eth2 -m comment --comment "!fw3" -j zone_wan_prerouting
[265293:28902830] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[230:48872] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[265011:28850194] -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth2 -m comment --comment "!fw3" -j zone_wan_postrouting
[230:48872] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.10.0/24 -d 192.168.10.8/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Server (reflection)" -j SNAT --to-source 192.168.10.1
[0:0] -A zone_lan_postrouting -s 192.168.10.0/24 -d 192.168.10.8/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: Server (reflection)" -j SNAT --to-source 192.168.10.1
[16:960] -A zone_lan_postrouting -s 192.168.10.0/24 -d 192.168.10.10/32 -p tcp -m tcp --dport 32400 -m comment --comment "!fw3: Plex (reflection)" -j SNAT --to-source 192.168.10.1
[0:0] -A zone_lan_postrouting -s 192.168.10.0/24 -d 192.168.10.10/32 -p udp -m udp --dport 32400 -m comment --comment "!fw3: Plex (reflection)" -j SNAT --to-source 192.168.10.1
[16:832] -A zone_lan_postrouting -s 192.168.10.0/24 -d 192.168.10.18/32 -p tcp -m tcp --dport 32400 -m comment --comment "!fw3: Plex (reflection)" -j SNAT --to-source 192.168.10.1
[0:0] -A zone_lan_postrouting -s 192.168.10.0/24 -d 192.168.10.18/32 -p udp -m udp --dport 32400 -m comment --comment "!fw3: Plex (reflection)" -j SNAT --to-source 192.168.10.1
[554138:81798989] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.10.0/24 -d 68.10.10.10/32 -p tcp -m tcp --dport 31985 -m comment --comment "!fw3: Server (reflection)" -j DNAT --to-destination 192.168.10.8:443
[0:0] -A zone_lan_prerouting -s 192.168.10.0/24 -d 68.10.10.10/32 -p udp -m udp --dport 31985 -m comment --comment "!fw3: Server (reflection)" -j DNAT --to-destination 192.168.10.8:443
[16:960] -A zone_lan_prerouting -s 192.168.10.0/24 -d 68.10.10.10/32 -p tcp -m tcp --dport 32401 -m comment --comment "!fw3: Plex (reflection)" -j DNAT --to-destination 192.168.10.10:32400
[0:0] -A zone_lan_prerouting -s 192.168.10.0/24 -d 68.10.10.10/32 -p udp -m udp --dport 32401 -m comment --comment "!fw3: Plex (reflection)" -j DNAT --to-destination 192.168.10.10:32400
[16:832] -A zone_lan_prerouting -s 192.168.10.0/24 -d 68.10.10.10/32 -p tcp -m tcp --dport 32402 -m comment --comment "!fw3: Plex (reflection)" -j DNAT --to-destination 192.168.10.18:32400
[0:0] -A zone_lan_prerouting -s 192.168.10.0/24 -d 68.10.10.10/32 -p udp -m udp --dport 32402 -m comment --comment "!fw3: Plex (reflection)" -j DNAT --to-destination 192.168.10.18:32400
[265011:28850194] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[265011:28850194] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[102647:6536750] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[44:2816] -A zone_wan_prerouting -p tcp -m tcp --dport 31985 -m comment --comment "!fw3: Server" -j DNAT --to-destination 192.168.10.8:443
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 31985 -m comment --comment "!fw3: Server" -j DNAT --to-destination 192.168.10.8:443
[12:760] -A zone_wan_prerouting -p tcp -m tcp --dport 32401 -m comment --comment "!fw3: Plex" -j DNAT --to-destination 192.168.10.10:32400
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 32401 -m comment --comment "!fw3: Plex" -j DNAT --to-destination 192.168.10.10:32400
[11:696] -A zone_wan_prerouting -p tcp -m tcp --dport 32402 -m comment --comment "!fw3: Plex" -j DNAT --to-destination 192.168.10.18:32400
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 32402 -m comment --comment "!fw3: Plex" -j DNAT --to-destination 192.168.10.18:32400
COMMIT
# Completed on Mon Jun  6 13:20:51 2022
# Generated by iptables-save v1.8.7 on Mon Jun  6 13:20:51 2022
*mangle
:PREROUTING ACCEPT [20496595:21408200409]
:INPUT ACCEPT [548727:62112287]
:FORWARD ACCEPT [19689181:21296117196]
:OUTPUT ACCEPT [309222:40958312]
:POSTROUTING ACCEPT [19995371:21336913540]
[39450:2296960] -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[37168:2119312] -A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o eth2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Jun  6 13:20:51 2022
# Generated by iptables-save v1.8.7 on Mon Jun  6 13:20:51 2022
*filter
:INPUT ACCEPT [72:16009]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_log_chain - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[4873:407454] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[543854:61704833] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[142769:19078476] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[3139:131954] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[295850:35980150] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[105235:6646207] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i eth2 -m comment --comment "!fw3" -j zone_wan_input
[19689181:21296117196] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[19414689:21264546699] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[274420:31565905] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[72:4592] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[4873:407454] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[304220:40536678] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[273072:38219506] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[240:78567] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[30908:2238605] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o eth2 -m comment --comment "!fw3" -j zone_wan_output
[19783629:21417676662] -A forwarding_rule -j forwarding_log_chain
[5808:251041] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[95640:6165750] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[3139:131954] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[240:78567] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[274420:31565905] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[274420:31565905] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[32:1792] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[295850:35980150] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[295850:35980150] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[240:78567] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[240:78567] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[295778:35964141] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[2903:147788] -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[302393:33654930] -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o eth2 -m comment --comment "!fw3" -j reject
[72:4592] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[72:4592] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[105235:6646207] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[3787:229416] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[101448:6416791] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[30908:2238605] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[30908:2238605] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[101448:6416791] -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i eth2 -m comment --comment "!fw3" -j reject
COMMIT
#

That worked beautifully @pavelgl Thank you!


There is no rule for logging there.
uci export firewall; cat /etc/firewall.user; service firewall restart

Not sure if it matters, but all of this is located in firewall.user. Should it still show in the iptables-save -c dump?

/etc/firewall.user should be called from /etc/config/firewall
And iptables-save -c should show it, if it has been configured properly.

Just be aware that firewall.user will no longer work from 22.03~ onwards.


Do we know how install-specific iptables rules would be handled as of 22.03?

There must've been an issue with the tutorial I was following noted above. When I put the rule that Pavel suggested, it's working and it shows in the iptables-save dump as well now. I'm guessing that maybe something is outdated or incorrect in the original tutorial I was following from 2018. I wonder if there's a way we could have it updated with current info maybe, or how that works on the site. Is it just a wiki style where someone can recommend a change to the page?

iptables are not carried over in 22.03. They are replaced by nftables.

Which rule did you create from the mentioned guide?

I used the first three blocks of code:

# create a new chain for logging forwarded packets
iptables -N forwarding_log_chain

# append to openwrt forwarding_rule chain (which generally has nothing in it)
iptables -A forwarding_rule -j forwarding_log_chain

# add log rules for all HTTP/S SYN (can use --syn instead of --tcp-flags) and FIN-ACK events
iptables -A forwarding_log_chain -p tcp --dport 31985 --tcp-flags ALL SYN -j LOG --log-prefix "HTTP-SYN:"
iptables -A forwarding_log_chain -p tcp --dport 31985 --tcp-flags ALL ACK,FIN -j LOG --log-prefix "HTTP-ACK-FIN:"

When that didn't work, I tried adding in their verbose versions as well:

# alternative log rule for all HTTP/S events. NOISY - causes some throughput delays
iptables -A forwarding_log_chain -p tcp --dport 31985 -j LOG --log-prefix "HTTP-DPRT-ALL:"
iptables -A forwarding_log_chain -p tcp --sport 31985 -j LOG --log-prefix "HTTP-SPRT-ALL:"

I wasn't sure that last line would ever fire, but figured it couldn't hurt to try. However, none of these -j LOG rules seemed to write to the log.

Please know that I'm extremely unfamiliar with iptables and very new to OpenWRT, even though I've worked in various flavors of UNIX/Linux for a long time. My apologies in advance if I'm missing something very simple.

The commands do work fine. I tried them on my router and they appeared in the running output. Do you get some error while running the commands on the console?

You must use the "real" destination port (443) in the FORWARD chain.
Port 31985 has already been rewritten to 443 by the nat PREROUTING chain.

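
To make the traversal order behind that answer concrete, here is a small Python model of it (added as an example; it is not netfilter code and not from the thread or OpenWrt). The nat PREROUTING chain rewrites the destination of a new connection before the filter FORWARD chain is consulted, so a FORWARD rule with `--dport 31985` never sees a matching packet, while `--dport 443` does. The model also shows two refinements a practitioner would want: `--dport 443` alone in FORWARD also matches every LAN client's outbound HTTPS connection to the internet, so the rule should be narrowed, either with `-d 192.168.10.8` or with the conntrack match `-m conntrack --ctorigdstport 31985`, which compares against the original (pre-DNAT) destination port that conntrack remembers. The DNAT targets are taken from the `zone_wan_prerouting` dump above; the client addresses 203.0.113.5 and 192.168.10.42 are made up.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


# Port forwards from the zone_wan_prerouting chain in the thread:
# (proto, public port) -> (LAN host, real port)
DNAT_RULES = {
    ("tcp", 31985): ("192.168.10.8", 443),
    ("tcp", 32401): ("192.168.10.10", 32400),
    ("tcp", 32402): ("192.168.10.18", 32400),
}


def nat_prerouting(pkt):
    """Model of the nat PREROUTING chain for the first packet of a connection.
    Returns (packet as seen by later chains, conntrack entry). Conntrack keeps
    the ORIGINAL destination, which is what --ctorigdstport compares against."""
    ct = {"orig_dst": pkt.dst, "orig_dport": pkt.dport, "dnat": False}
    target = DNAT_RULES.get((pkt.proto, pkt.dport))
    if target:
        pkt = replace(pkt, dst=target[0], dport=target[1])
        ct["dnat"] = True
    return pkt, ct


def forward_match(pkt, ct, dport=None, dst=None, ctorigdstport=None, ctstate_dnat=False):
    """Model of a filter FORWARD rule: --dport and -d compare the post-DNAT
    header; -m conntrack --ctorigdstport / --ctstate DNAT use the conntrack entry."""
    if dport is not None and pkt.dport != dport:
        return False
    if dst is not None and pkt.dst != dst:
        return False
    if ctorigdstport is not None and ct["orig_dport"] != ctorigdstport:
        return False
    if ctstate_dnat and not ct["dnat"]:
        return False
    return True


def wan_log_rule_fires(public_dport, **rule):
    """A new connection from the internet to the router's public address."""
    pkt = Packet("tcp", "203.0.113.5", "68.10.10.10", 51234, public_dport)
    fwd_pkt, ct = nat_prerouting(pkt)
    return forward_match(fwd_pkt, ct, **rule)


def lan_log_rule_fires(**rule):
    """A LAN client opening an ordinary HTTPS connection to the internet;
    no DNAT applies, but the packet still traverses FORWARD."""
    pkt = Packet("tcp", "192.168.10.42", "93.184.216.34", 50000, 443)
    fwd_pkt, ct = nat_prerouting(pkt)
    return forward_match(fwd_pkt, ct, **rule)


if __name__ == "__main__":
    print("tutorial rule, --dport 31985 in FORWARD:", wan_log_rule_fires(31985, dport=31985))
    print("--dport 443 in FORWARD:               ", wan_log_rule_fires(31985, dport=443))
    print("  ...but also LAN outbound HTTPS:     ", lan_log_rule_fires(dport=443))
    print("--dport 443 -d 192.168.10.8:          ", wan_log_rule_fires(31985, dport=443, dst="192.168.10.8"),
          lan_log_rule_fires(dport=443, dst="192.168.10.8"))
    print("--ctorigdstport 31985:                ", wan_log_rule_fires(31985, ctorigdstport=31985),
          lan_log_rule_fires(ctorigdstport=31985))
```

In real iptables terms the narrowed FORWARD rule would read `-p tcp -d 192.168.10.8 --dport 443` or `-p tcp -m conntrack --ctorigdstport 31985`; the model only shows which packets each match selects, not the LOG target or rate limiting.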
