

quietearth [General News 10.25.06]



First off, we need to install iptables-mod-extra and kmod-ipt-extra:
# ipkg install iptables-mod-extra kmod-ipt-extra

then we can manually load the kernel module so we can use it, and also add it into our startup sequence:
# insmod ipt_LOG
# echo ipt_LOG > /etc/modules.d/60-iptableslogging



For testing purposes, we need to find out our wan (incoming) interface name:
# nvram get wan_ifname

For my linksys wrt54gv4 it's vlan1, but your router may be different. This is where all the traffic from the outside comes in. Now run:
# iptables -L

and we get a list of the available iptables policies (except for the pre-routing stuff which handles nat etc..). Here's what you might see for your INPUT chain:
Chain INPUT (policy DROP)
target     prot opt source       destination
DROP       all  --  anywhere     anywhere       state INVALID
ACCEPT     all  --  anywhere     anywhere       state RELATED,ESTABLISHED
DROP       tcp  --  anywhere     anywhere       tcp option=!2 flags:SYN/SYN
input_rule  all  --  anywhere    anywhere
ACCEPT     all  --  anywhere     anywhere
ACCEPT     icmp --  anywhere     anywhere
ACCEPT     gre  --  anywhere     anywhere
REJECT     tcp  --  anywhere     anywhere       reject-with tcp-reset
REJECT     all  --  anywhere     anywhere       reject-with icmp-port-unreachable


Rules are numbered from the top of the chain down and are evaluated in that order. When the target is DROP, the packet is immediately dropped and no further processing happens. If the target is ACCEPT, the packet is passed along to the regular packet handling routines in the kernel and no further processing happens. Basically, either of these targets stops the packet from continuing along the iptables chain. Here's a description of the first 4 rules in the chain:

1. Any weird tcp packets are dropped.
2. Any connections which are related (such as ftp-data) or already established connections are accepted.
3. Any tcp packet without the syn flag set is dropped. (Run iptables -L -v for more detailed information; -L by itself doesn't show everything.)
4. Jump to the input_rule chain. This chain will then probably jump to another chain. If the packet makes it through these it will come back and continue with rule 5.

Hopefully you get the point. We need to insert a new rule somewhere in our chain to log exactly what we'd like. Since any packet that reaches rule #4 (the jump to a new chain) has already passed the first three rules, at that point we should only be seeing tcp connection requests plus udp, icmp and other packets. This is a good place to try our first rule.

# iptables -I input_rule -i vlan1 -j LOG --log-prefix "input: "

This inserts a new rule in the input_rule chain at position 1, with the jump target LOG, which is the kernel module we installed before. This chain comes off the INPUT chain, which is for packets sent to our router. For packets traveling through your router to other machines, or from inside going out, you will need to use FORWARD and OUTPUT respectively. The -i vlan1 means packets coming in on our wan interface (we looked this up before). The log prefix is what will be sent to syslog as the beginning of the message. Once this is inserted, we can run the "logread" command to see if anything shows up, or check wherever our syslogs are sent to.

For me, I get a lot of random udp crap from my neighbors on the same network, so I need to further refine this. Let's delete our rule; doing so will not affect the order of anything else.
# iptables -D input_rule 1

Let's just match tcp packets:
# iptables -I input_rule -i vlan1 -j LOG --log-prefix "input: " -p tcp

Unfortunately we can't specify multiple protocols with -p. If we wanted to also log icmp, we'd have to add another logging rule.

To make the rules permanent, we can modify /etc/firewall.user, but this is a symlink by default, so:
# rm /etc/firewall.user
# cp /rom/etc/firewall.user /etc

It would also be a good idea to replace our wan interface name (vlan1 for me) with $WAN.
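As an added example (not from the original post), here is the permanent form of the logging rules as they could go into /etc/firewall.user, using $WAN as suggested above, plus a small summary over "logread" output. The one rule per protocol mirrors the -p limitation noted earlier; the -m limit match, the WAN default and the sample log lines are my own assumptions.

```shell
#!/bin/sh
# Emit the logging rules as text so they can be reviewed before being run on
# the router (pipe the output into sh). WAN falls back to the post's vlan1.
logging_rules() {
  WAN="${WAN:-vlan1}"
  # One LOG rule per protocol, since -p accepts only a single protocol.
  # -m limit (assumed available) keeps a scan from flooding the syslog buffer.
  for proto in tcp icmp; do
    printf 'iptables -I input_rule -i %s -p %s -m limit --limit 10/min -j LOG --log-prefix "input: "\n' "$WAN" "$proto"
  done
}

# Summarise lines carrying our "input: " prefix by protocol and destination
# port. Reads stdin (e.g. logread output); prints "PROTO DPT count", most
# frequent first, so port scans and repeated probes stand out.
summarize_log() {
  awk '/input: / {
        proto=""; dpt="-"
        for (i = 1; i <= NF; i++) {
          if ($i ~ /^PROTO=/) proto = substr($i, 7)
          else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (proto != "") c[proto " " dpt]++
      }
      END { for (k in c) print k, c[k] }' | sort -k3,3nr -k1,1
}

# Constructed sample of what logread shows once the rule is in place
# (field layout follows the kernel LOG target; MAC field omitted).
SAMPLE_LOG='Oct 25 10:25:06 router kern.warn kernel: input: IN=vlan1 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 25 10:25:07 router kern.warn kernel: input: IN=vlan1 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 25 10:25:09 router kern.warn kernel: input: IN=vlan1 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=3 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Oct 25 10:25:11 router kern.warn kernel: input: IN=vlan1 OUT= SRC=198.51.100.12 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=4 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'

logging_rules
printf '%s\n' "$SAMPLE_LOG" | summarize_log
```

On the router itself, replace the sample with "logread | summarize_log".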

You should get the idea now. Here are a few more tips:

* -i is for traffic incoming on that interface. -o is for outgoing.
* We can also specify tcp flags, ports, ip addresses, etc. in the filtering, so check out the iptables match documentation for further refinement.
* If you need more robust logging, say going to a mysql database or something, you will need to use ulogd (the userspace logging daemon). This is a howto for openwrt with ulog and PostgreSQL, but it's relevant.

Finally, if any one has any further information, please comment!


Anonymous (5 years ago) Reply

very helpful, thanks

also note that after logging, the packet continues down the chain (it isn't dropped or accepted upon logging); this wasn't obvious to me so I tried it out lol


Roby (3 years ago) Reply

Great tutorial!

