Logging port forwarded usage

I'm trying to log any access to ports which are set up for port forwarding and I've been following the details in this article:

I've added this to the /etc/firewall.user file, and adjusted the port so it's the open forwarded port on my system (port 31985 forwarded to 443 on an internal device). However, when I connect to the port and use the service, nothing shows up in the logs regardless of the log level I select in the System -> System -> Logging tab in Luci.

I'm running: OpenWrt 21.02.3 r16554-1d4dea6d4f / LuCI openwrt-21.02 branch git-22.119.37126-a993714, on a Raspberry Pi 4

Also, something else quirky is that no matter what I set the log level to in the system tab, I continue to get "daemon.info" level messages from dnsmasq-dhcp. Is there any way to limit those in the standard logging system? Setting the system log level to Warning or higher doesn't seem to remove those info level messages.

Thanks!

iptables-save -c ?

iptables -t nat -A prerouting_wan_rule -p tcp --dport 31985 -m limit --limit 5/sec -j LOG --log-prefix "port_fwrd: "
logread -e port_fwrd
# Generated by iptables-save v1.8.7 on Mon Jun  6 13:20:51 2022
*nat
:PREROUTING ACCEPT [656686:88329675]
:INPUT ACCEPT [68103:5564225]
:OUTPUT ACCEPT [30912:2276354]
:POSTROUTING ACCEPT [250:50844]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[656785:88335739] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[554138:81798989] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[102647:6536750] -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i eth2 -m comment --comment "!fw3" -j zone_wan_prerouting
[265293:28902830] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[230:48872] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[265011:28850194] -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth2 -m comment --comment "!fw3" -j zone_wan_postrouting
[230:48872] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.10.0/24 -d 192.168.10.8/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Server (reflection)" -j SNAT --to-source 192.168.10.1
[0:0] -A zone_lan_postrouting -s 192.168.10.0/24 -d 192.168.10.8/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: Server (reflection)" -j SNAT --to-source 192.168.10.1
[16:960] -A zone_lan_postrouting -s 192.168.10.0/24 -d 192.168.10.10/32 -p tcp -m tcp --dport 32400 -m comment --comment "!fw3: Plex (reflection)" -j SNAT --to-source 192.168.10.1
[0:0] -A zone_lan_postrouting -s 192.168.10.0/24 -d 192.168.10.10/32 -p udp -m udp --dport 32400 -m comment --comment "!fw3: Plex (reflection)" -j SNAT --to-source 192.168.10.1
[16:832] -A zone_lan_postrouting -s 192.168.10.0/24 -d 192.168.10.18/32 -p tcp -m tcp --dport 32400 -m comment --comment "!fw3: Plex (reflection)" -j SNAT --to-source 192.168.10.1
[0:0] -A zone_lan_postrouting -s 192.168.10.0/24 -d 192.168.10.18/32 -p udp -m udp --dport 32400 -m comment --comment "!fw3: Plex (reflection)" -j SNAT --to-source 192.168.10.1
[554138:81798989] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.10.0/24 -d 68.10.10.10/32 -p tcp -m tcp --dport 31985 -m comment --comment "!fw3: Server (reflection)" -j DNAT --to-destination 192.168.10.8:443
[0:0] -A zone_lan_prerouting -s 192.168.10.0/24 -d 68.10.10.10/32 -p udp -m udp --dport 31985 -m comment --comment "!fw3: Server (reflection)" -j DNAT --to-destination 192.168.10.8:443
[16:960] -A zone_lan_prerouting -s 192.168.10.0/24 -d 68.10.10.10/32 -p tcp -m tcp --dport 32401 -m comment --comment "!fw3: Plex (reflection)" -j DNAT --to-destination 192.168.10.10:32400
[0:0] -A zone_lan_prerouting -s 192.168.10.0/24 -d 68.10.10.10/32 -p udp -m udp --dport 32401 -m comment --comment "!fw3: Plex (reflection)" -j DNAT --to-destination 192.168.10.10:32400
[16:832] -A zone_lan_prerouting -s 192.168.10.0/24 -d 68.10.10.10/32 -p tcp -m tcp --dport 32402 -m comment --comment "!fw3: Plex (reflection)" -j DNAT --to-destination 192.168.10.18:32400
[0:0] -A zone_lan_prerouting -s 192.168.10.0/24 -d 68.10.10.10/32 -p udp -m udp --dport 32402 -m comment --comment "!fw3: Plex (reflection)" -j DNAT --to-destination 192.168.10.18:32400
[265011:28850194] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[265011:28850194] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[102647:6536750] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[44:2816] -A zone_wan_prerouting -p tcp -m tcp --dport 31985 -m comment --comment "!fw3: Server" -j DNAT --to-destination 192.168.10.8:443
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 31985 -m comment --comment "!fw3: Server" -j DNAT --to-destination 192.168.10.8:443
[12:760] -A zone_wan_prerouting -p tcp -m tcp --dport 32401 -m comment --comment "!fw3: Plex" -j DNAT --to-destination 192.168.10.10:32400
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 32401 -m comment --comment "!fw3: Plex" -j DNAT --to-destination 192.168.10.10:32400
[11:696] -A zone_wan_prerouting -p tcp -m tcp --dport 32402 -m comment --comment "!fw3: Plex" -j DNAT --to-destination 192.168.10.18:32400
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 32402 -m comment --comment "!fw3: Plex" -j DNAT --to-destination 192.168.10.18:32400
COMMIT
# Completed on Mon Jun  6 13:20:51 2022
# Generated by iptables-save v1.8.7 on Mon Jun  6 13:20:51 2022
*mangle
:PREROUTING ACCEPT [20496595:21408200409]
:INPUT ACCEPT [548727:62112287]
:FORWARD ACCEPT [19689181:21296117196]
:OUTPUT ACCEPT [309222:40958312]
:POSTROUTING ACCEPT [19995371:21336913540]
[39450:2296960] -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[37168:2119312] -A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o eth2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Jun  6 13:20:51 2022
# Generated by iptables-save v1.8.7 on Mon Jun  6 13:20:51 2022
*filter
:INPUT ACCEPT [72:16009]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_log_chain - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[4873:407454] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[543854:61704833] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[142769:19078476] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[3139:131954] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[295850:35980150] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[105235:6646207] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i eth2 -m comment --comment "!fw3" -j zone_wan_input
[19689181:21296117196] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[19414689:21264546699] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[274420:31565905] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[72:4592] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[4873:407454] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[304220:40536678] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[273072:38219506] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[240:78567] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[30908:2238605] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o eth2 -m comment --comment "!fw3" -j zone_wan_output
[19783629:21417676662] -A forwarding_rule -j forwarding_log_chain
[5808:251041] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[95640:6165750] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[3139:131954] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[240:78567] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[274420:31565905] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[274420:31565905] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[32:1792] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[295850:35980150] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[295850:35980150] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[240:78567] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[240:78567] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[295778:35964141] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[2903:147788] -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[302393:33654930] -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o eth2 -m comment --comment "!fw3" -j reject
[72:4592] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[72:4592] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[105235:6646207] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[3787:229416] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[101448:6416791] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[30908:2238605] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[30908:2238605] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[101448:6416791] -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i eth2 -m comment --comment "!fw3" -j reject
COMMIT
#

That worked beautifully @pavelgl Thank you!


There is no rule for logging there.
uci export firewall; cat /etc/firewall.user; service firewall restart

Not sure if it matters, but all of this is located in firewall.user. Should it still show in the iptables-save -c dump?

/etc/firewall.user should be called from /etc/config/firewall
And iptables-save -c should show it, if it has been configured properly.

Just be aware that firewall.user will no longer work from 22.03~ onwards.


Do we know how install-specific iptables rules would be handled as of 22.03?

There must've been an issue with the tutorial I was following noted above. When I put the rule that Pavel suggested, it's working and it shows in the iptables-save dump as well now. I'm guessing that maybe something is outdated or incorrect in the original tutorial I was following from 2018. I wonder if there's a way we could have it updated with current info maybe, or how that works on the site. Is it just a wiki style where someone can recommend a change to the page?

iptables are not carried over in 22.03. They are replaced by nftables.

Which rule did you create from the mentioned guide?

I used the first three blocks of code:

# create a new chain for logging forwarded packets
iptables -N forwarding_log_chain

# append to openwrt forwarding_rule chain (which generally has nothing in it)
iptables -A forwarding_rule -j forwarding_log_chain

# add log rules for all HTTP/S SYN (can use --syn instead of --tcp-flags) and FIN-ACK events
iptables -A forwarding_log_chain -p tcp --dport 31985 --tcp-flags ALL SYN -j LOG --log-prefix "HTTP-SYN:"
iptables -A forwarding_log_chain -p tcp --dport 31985 --tcp-flags ALL ACK,FIN -j LOG --log-prefix "HTTP-ACK-FIN:"

When that didn't work, I tried adding in their verbose versions as well:

# alternative log rule for all HTTP/S events (NOISY - causes some throughput delays)
iptables -A forwarding_log_chain -p tcp --dport 31985 -j LOG --log-prefix "HTTP-DPRT-ALL:"
iptables -A forwarding_log_chain -p tcp --sport 31985 -j LOG --log-prefix "HTTP-SPRT-ALL:"

I wasn't sure that last line would ever fire, but figured it couldn't hurt to try. However, none of these -j LOG rules seemed to write to the log.

Please know that I'm extremely unfamiliar with iptables and very new to OpenWrt, even though I've worked in various flavors of UNIX/Linux for a long time. My apologies in advance if I'm missing something very simple.

The commands do work fine. I tried them on my router and they appeared in the running output. Do you get some error while running the commands on the console?


You must use the "real" destination port (443) in the FORWARD chain.
Port 31985 has already been rewritten to 443 by the nat PREROUTING chain.
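As an added check that is not part of the thread: a small script that lints an `iptables-save -c` dump for exactly this mistake (a filter-table LOG rule keyed on the external port after nat PREROUTING has already DNAT-rewritten it), and that also shows why the earlier `prerouting_wan_rule` LOG suggestion is fine, since it sits in the nat table before the DNAT rule. The embedded dump is a constructed excerpt modelled on the one posted above, and the function and variable names are my own.

```python
import re

# Constructed excerpt of an `iptables-save -c` dump, modelled on the one posted in the thread.
SAMPLE_DUMP = """\
*nat
[0:0] -A prerouting_wan_rule -p tcp -m tcp --dport 31985 -m limit --limit 5/sec -j LOG --log-prefix "port_fwrd: "
[44:2816] -A zone_wan_prerouting -p tcp -m tcp --dport 31985 -m comment --comment "!fw3: Server" -j DNAT --to-destination 192.168.10.8:443
COMMIT
*filter
[0:0] -A forwarding_log_chain -p tcp -m tcp --dport 31985 --tcp-flags ALL SYN -j LOG --log-prefix "HTTP-SYN:"
[0:0] -A forwarding_log_chain -p tcp -m tcp --dport 443 -j LOG --log-prefix "HTTP-ALL:"
COMMIT
"""

RULE_RE = re.compile(r'^(?:\[\d+:\d+\]\s+)?-A\s+(\S+)\s+(.*)$')

def parse_rules(dump):
    """Yield (table, chain, rule_text) for every -A line in an iptables-save dump."""
    table = None
    for line in dump.splitlines():
        if line.startswith('*'):
            table = line[1:].strip()
        elif (m := RULE_RE.match(line)) and table:
            yield table, m.group(1), m.group(2)

def _opt(rule, flag):
    """Value following an option, accepting the double-quoted form iptables-save emits."""
    m = re.search(r'(?:^|\s)' + re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', rule)
    return None if not m else (m.group(1) if m.group(1) is not None else m.group(2))

def dnat_port_map(dump):
    """Map each externally exposed --dport to the port DNAT rewrites it to."""
    mapping = {}
    for table, _chain, rule in parse_rules(dump):
        if table == 'nat' and '-j DNAT' in rule:
            ext, dest = _opt(rule, '--dport'), _opt(rule, '--to-destination')
            if ext and dest and ':' in dest:
                mapping[ext] = dest.rsplit(':', 1)[1]
    return mapping

def find_dead_log_rules(dump):
    """Filter-table LOG rules that still match the pre-DNAT port: they run after nat
    PREROUTING in the packet path, so they never fire. Returns (chain, prefix, bad, fixed)."""
    rewritten = dnat_port_map(dump)
    findings = []
    for table, chain, rule in parse_rules(dump):
        if table != 'filter' or '-j LOG' not in rule:
            continue
        port = _opt(rule, '--dport')
        if port in rewritten and rewritten[port] != port:
            findings.append((chain, _opt(rule, '--log-prefix'), port, rewritten[port]))
    return findings
```

Feed it a real dump with `find_dead_log_rules(open('dump.txt').read())` on a 21.02 box; on 22.03 and later the rules are nftables, so this parser does not apply.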

