Iptables stops logging

bobfandango

Occasional Visitor
I'm trying to log all web page access using Iptables.

I placed the following in /jffs/scripts/firewall-start and rebooted...

Code:
#!/bin/sh
# Log every NEW TCP connection to port 80 leaving via an eth* interface
iptables -I OUTPUT -o eth+ -p tcp --dport 80 -m state --state NEW -j LOG --log-level 7 --log-prefix "FIREWALL: "
# Marker file to confirm the script actually ran at boot
touch /tmp/firewallstarted


After reboot and browsing to a few websites, there is one and only one entry in syslog.log (excerpted below) from this iptables entry.

Code:
Dec 31 16:00:24 kernel: FIREWALL:  <7>FIREWALL: IN= OUT=eth0 <1>SRC=192.168.1.2 DST=103.10.4.108 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59613 DF PROTO=TCP <1>SPT=38716 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 31 16:00:25 ddns update: connected to ns1.asuscomm.com (103.10.4.108) on port 80.

The router is connecting to ns1.asuscomm.com during boot, and the rule fires and is logged, but no other events are ever logged.

iptables -L shows that the entry is still there (OUTPUT chain shown below), so I assume logging is getting fubar somehow.

Code:
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere            tcp dpt:www state NEW LOG level debug prefix `FIREWALL: '

Ideas anyone? Thanks in advance!

P.S. I'm running 3.0.0.4_374.32 on an AC66U
The INPUT chain is only for traffic terminated on the router. For anything related to your LAN devices, you must use the FORWARD chain.
 
The command I showed specifies the OUTPUT chain, and eth+ interfaces, not br0. So I'm not following you here...

Thanks...
 
Traffic going from any computer on your network to the Internet will pass through the FORWARD chain. The INPUT chain is only for traffic accessing the router itself (for example, if you had enabled the web interface to be accessible over WAN). Likewise, the OUTPUT chain is only for traffic going from your router to the Internet (for example, DDNS client updates).

So if you want to log any activity from your LAN computers, the rules must be in FORWARD, and on either the br0 or eth0 interface.
 
Thanks very much... Simply changing OUTPUT to FORWARD did the trick.

Obviously, I'm pretty new to iptables. But, I'm not going at this completely blind. I did some research first, and some of what I found seems inconsistent. For example, the page at: http://www.thegeekstuff.com/2011/01/iptables-fundamentals/

states the following:

1. Filter Table

Filter is the default table for iptables. So, if you don't define your own table, you'll be using the filter table. Iptables's filter table has the following built-in chains.

INPUT chain – Incoming to firewall. For packets coming to the local server.
OUTPUT chain – Outgoing from firewall. For packets generated locally and going out of the local server.
FORWARD chain – Packet for another NIC on the local server. For packets routed through the local server.

Re: INPUT and OUTPUT chains, this is ambiguous, I suppose. Re: "packets coming to the local server", this could mean either packets *directed specifically* to the local server, or it could mean literally all packets coming in off the WAN (since all incoming packets must go through the firewall on the local server). If I understand you, the INPUT chain is scoped to the former.

Similarly, I took "packets generated locally" to mean packets generated anywhere on the LAN whether on the router itself or LAN clients. I take it from what you say that the OUTPUT chain comes into play only for packets generated on the router itself (this is certainly consistent with what I saw re: the ddns connection to Asus at boot).

At any rate, I think I understand now... The FORWARD chain handles any packet that must go *through* the router, not simply originates or terminates at the router.

Thanks very much!
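The chain semantics worked out in the two posts above, as an added example that is neither the original poster's script nor Asuswrt firmware code. It maps "where is the traffic relative to the router" to the filter-table chain that sees it, builds the LOG rule the thread ends up with (FORWARD with the LAN and WAN interfaces, instead of OUTPUT), and extracts the useful fields from a kernel LOG line such as the one quoted earlier. The interface names br0 (LAN bridge) and eth0 (WAN) are assumptions taken from the thread's own output; override LAN_IF and WAN_IF if yours differ. The sample log line is a constructed copy of the one in the first post.

```shell
#!/bin/sh
# Added example (not the poster's /jffs/scripts/firewall-start, not firmware code).
# Assumed interface names: br0 = LAN bridge, eth0 = WAN, as seen in the thread.
LAN_IF="${LAN_IF:-br0}"
WAN_IF="${WAN_IF:-eth0}"

# Which filter-table chain sees the traffic, by its relation to the router.
chain_for() {
    case "$1" in
        transit)  echo FORWARD ;;  # LAN client <-> Internet, routed through the box
        inbound)  echo INPUT ;;    # addressed to the router itself (e.g. WAN admin UI)
        outbound) echo OUTPUT ;;   # generated by the router itself (e.g. DDNS client)
        *) echo "unknown traffic class: $1" >&2; return 1 ;;
    esac
}

# Print (do not run) the iptables command that logs NEW TCP connections to
# port $2 for traffic class $1 with log prefix $3. Printing it first lets you
# review it; install it with: eval "$(log_rule transit 80 'FIREWALL: ')"
log_rule() {
    class="$1"; port="$2"; prefix="$3"
    chain=$(chain_for "$class") || return 1
    case "$class" in
        transit)  ifaces="-i $LAN_IF -o $WAN_IF" ;;  # forwarded: both sides known
        inbound)  ifaces="-i $WAN_IF" ;;             # arriving on WAN, for the router
        outbound) ifaces="-o $WAN_IF" ;;             # leaving via WAN, from the router
    esac
    echo "iptables -I $chain $ifaces -p tcp --dport $port -m state --state NEW -j LOG --log-level 7 --log-prefix \"$prefix\""
}

# Extract "SRC DST PROTO DPT" from one kernel LOG line. The <7>/<1> tokens in
# the thread's syslog are printk level markers glued to the following field,
# so they are stripped before splitting each token on '='.
log_fields() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed 's/^<[0-9]*>//' | awk -F= '
        $1 == "SRC"   { src = $2 }
        $1 == "DST"   { dst = $2 }
        $1 == "PROTO" { proto = $2 }
        $1 == "DPT"   { dpt = $2 }
        END { print src, dst, proto, dpt }'
}

# Constructed sample: the LOG line quoted in the first post of the thread.
SAMPLE='Dec 31 16:00:24 kernel: FIREWALL:  <7>FIREWALL: IN= OUT=eth0 <1>SRC=192.168.1.2 DST=103.10.4.108 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59613 DF PROTO=TCP <1>SPT=38716 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'

# "apply" installs the FORWARD rule (needs root and iptables); anything else
# just shows the command and parses the sample line. A real firewall-start
# would run the eval line unconditionally.
case "${1:-}" in
    apply) eval "$(log_rule transit 80 'FIREWALL: ')" ;;
    *)     log_rule transit 80 'FIREWALL: '
           log_fields "$SAMPLE" ;;
esac
```

Running it with no arguments prints the rule and the parsed fields of the sample line (`192.168.1.2 103.10.4.108 TCP 80`); the OUTPUT variant (`log_rule outbound 80 ...`) is what the original script was effectively doing, which is why only the router's own DDNS connection was ever logged. Since firewall-start is called whenever the firmware rebuilds its rules, the rule has to be re-added each time, which is why the script belongs there rather than being run once by hand.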
 
