iptable exclude logging

Discussion in 'Tomato Firmware' started by kisenberg, Nov 25, 2008.

  1. kisenberg

    kisenberg Addicted to LI Member

    I use my tomato with a cable-modem. On the WAN-side, many DHCP-answers are broadcasted.
    Code:
    Nov 25 13:42:24 rt0001 user.warn kernel: DROP IN=vlan1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:18:74:83:c0:01:08:00:45:00:01:84 SRC=91.64.252.38 DST=255.255.255.255 LEN=388 TOS=0x00 PREC=0x00 TTL=255 ID=18982 PROTO=UDP SPT=67 DPT=68 LEN=368 
    Nov 25 13:42:24 rt0001 user.warn kernel: DROP IN=vlan1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:18:74:83:c0:01:08:00:45:00:01:6c SRC=91.64.252.38 DST=255.255.255.255 LEN=364 TOS=0x00 PREC=0x00 TTL=255 ID=18985 PROTO=UDP SPT=67 DPT=68 LEN=344 
    Nov 25 13:42:24 rt0001 user.warn kernel: DROP IN=vlan1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:18:74:83:c0:01:08:00:45:00:01:6c SRC=91.64.252.38 DST=255.255.255.255 LEN=364 TOS=0x00 PREC=0x00 TTL=255 ID=18988 PROTO=UDP SPT=67 DPT=68 LEN=344 
    Nov 25 13:42:25 rt0001 user.warn kernel: DROP IN=vlan1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:18:74:83:c0:01:08:00:45:00:01:6c SRC=91.64.252.38 DST=255.255.255.255 LEN=364 TOS=0x00 PREC=0x00 TTL=255 ID=18991 PROTO=UDP SPT=67 DPT=68 LEN=344 
    Nov 25 13:42:25 rt0001 user.warn kernel: DROP IN=vlan1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:18:74:83:c0:01:08:00:45:00:01:6c SRC=91.64.252.38 DST=255.255.255.255 LEN=364 TOS=0x00 PREC=0x00 TTL=255 ID=18994 PROTO=UDP SPT=67 DPT=68 LEN=344 
    Nov 25 13:42:25 rt0001 user.warn kernel: DROP IN=vlan1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:18:74:83:c0:01:08:00:45:00:01:6c SRC=91.64.252.38 DST=255.255.255.255 LEN=364 TOS=0x00 PREC=0x00 TTL=255 ID=18997 PROTO=UDP SPT=67 DPT=68 LEN=344 
    Nov 25 13:42:27 rt0001 user.warn kernel: DROP IN=vlan1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:18:74:83:c0:01:08:00:45:00:01:84 SRC=91.64.252.38 DST=255.255.255.255 LEN=388 TOS=0x00 PREC=0x00 TTL=255 ID=19002 PROTO=UDP SPT=67 DPT=68 LEN=368
    Is it possible to exclude only these messages from my log?
     
  2. admiralross

    admiralross LI Guru Member

    Those msgs are being generated from the firewall. That is from your log settings "Dropped" packets. Only way I know is to turn off dropped packets from being logged. There is a more complicated way of filtering it via IPTABLES. I don't have sufficient knowledge to do that.
     
  3. KrakenSkulls

    KrakenSkulls Networkin' Nut Member

    Look at me using the search button to dig up old questions from 2008! I have the same question as the OP. I'm running Tomato v1.28.7476 MIPSR2-Toastman-RT K26 USB Ext on a Netgear WNR3500L, not that it really matters because this is an iptables issue.

    Yes, those BOOTP messages from my ISP every second of every day jam up my syslog making it nearly unreadable. I believe I know how to fix this, but I'd like confirmation because I don't want to screw up my system, which is working great.

    Here is the text cluttering up my syslog:
    Code:
    Jan  6 10:58:18 boss user.warn kernel: ACCEPT IN=vlan2 OUT= MACSRC=00:01:5c:22:xx:xx MACDST=ff:ff:ff:ff:ff:ff MACPROTO=0800 SRC=96.97.236.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=38610 PROTO=UDP SPT=67 DPT=68 LEN=308
    Let's start with displaying some of my iptables. I would have pasted the results using the -v verbose switch, which displays the packet counts, but I was afraid it wouldn't display correctly.

    Code:
    root@boss:/tmp/etc/dnsmasq/hosts# iptables -L --line-numbers
    Chain INPUT (policy DROP)
    num  target    prot opt source              destination
    1    DROP      all  --  anywhere            anywhere            state INVALID
    2    ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
    3    shlimit    tcp  --  anywhere            anywhere            tcp dpt:22 state NEW
    4    shlimit    tcp  --  anywhere            anywhere            tcp dpt:telnet state NEW
    5    ACCEPT    all  --  anywhere            anywhere
    6    ACCEPT    all  --  anywhere            anywhere
    7    logaccept  udp  --  anywhere            anywhere            udp spt:bootps dpt:bootpc
    8    logaccept  tcp  --  anywhere            anywhere            tcp dpt:22
    
    (snipped for brevity)
    
    Chain logaccept (2 references)
    num  target    prot opt source              destination
    1    LOG        all  --  anywhere            anywhere            state NEW LOG level warning tcp-sequence tcp-options ip-options macdecode prefix `ACCEPT '
    2    ACCEPT    all  --  anywhere            anywhere
    
    
    Line 7 of the INPUT chain seems to be the culprit here. I need to replace it with just an "accept" instead of "logaccept". My buddy told me I shouldn't be accepting just any DHCP server, but let's cross that bridge later.

    The old standby for me is to use the dd-wrt wiki iptables page here. It looks like the correct command is to use -R to replace INPUT 7 (line #7 in that chain) with the following: -p udp (p is protocol, probably) and --dport bootpc --sport bootps to specify the ports. (I want to replicate what was there, only changing it to accept and not logaccept)
    iptables -R INPUT 7 -p udp --dport bootpc --sport bootps -j ACCEPT

    This worked! No more clutter!

    Now to make sure it gets loaded each time, do I need to put it in the firewall form in the Tomato web GUI?
     
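One way to make this fix survive a firewall rebuild, as an added example that is not from any poster in this thread: a script for Tomato's Administration > Scripts > Firewall field that finds the DHCP logging rule by its match instead of assuming it is still rule 7, and handles both the logaccept case shown here and the logdrop case from the opening post. The function names and the sample listing are constructed for the example; the Firewall script hook running after Tomato's own rules is an assumption about your build.

```shell
#!/bin/sh
# Added example (not from the thread): stop Tomato's per-packet logging of WAN
# DHCP broadcasts without hard-coding the rule number, which can change each
# time the firewall is rebuilt. Meant for Administration > Scripts > Firewall,
# the hook Tomato runs after its own rules are in place (assumption for your build).

# Print the number of the first INPUT rule that sends DHCP server-to-client
# traffic (udp sport 67/bootps, dport 68/bootpc) to a logging chain. Reads
# `iptables -L INPUT --line-numbers` output on stdin; accepts service names
# or port numbers, so it works with or without -n.
find_dhcp_log_rule() {
  awk '($2 == "logaccept" || $2 == "logdrop") && $3 == "udp" &&
       /spt:(bootps|67)/ && /dpt:(bootpc|68)/ { print $1; exit }'
}

# The quiet verdict that matches the logging chain's own final verdict, so
# the packets are handled exactly as before, just without the LOG rule.
quiet_target_for() {
  case "$1" in
    logaccept) echo ACCEPT ;;
    logdrop)   echo DROP ;;
    *)         return 1 ;;
  esac
}

# Build the replacement command from a listing passed as a string, so the
# logic can be exercised without touching a live firewall.
build_fix_cmd() {
  num=$(printf '%s\n' "$1" | find_dhcp_log_rule)
  [ -n "$num" ] || return 1
  chain=$(printf '%s\n' "$1" | awk -v n="$num" '$1 == n { print $2; exit }')
  target=$(quiet_target_for "$chain") || return 1
  printf 'iptables -R INPUT %s -p udp --sport 67 --dport 68 -j %s\n' "$num" "$target"
}

# Constructed sample, trimmed from the listing posted above.
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target    prot opt source              destination
1    DROP      all  --  anywhere            anywhere            state INVALID
7    logaccept  udp  --  anywhere            anywhere            udp spt:bootps dpt:bootpc
8    logaccept  tcp  --  anywhere            anywhere            tcp dpt:22'

# Apply only when running on the router itself; otherwise just define the helpers.
if command -v iptables >/dev/null 2>&1 && live=$(iptables -L INPUT --line-numbers 2>/dev/null); then
  cmd=$(build_fix_cmd "$live") && eval "$cmd"
fi
```

If you only want the noise gone and do not need connection logging for anything else, turning the Admin-Logging options off removes the logaccept/logdrop chains entirely and makes this script a no-op.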
  4. Toastman

    Toastman Super Moderator Staff Member Member

    Is connection logging turned on in Admin-Logging? Normally one doesn't have a logaccept chain. One would use this for debugging, it wouldn't usually be turned on permanently. If not, what has enabled this logging?
     
  5. KrakenSkulls

    KrakenSkulls Networkin' Nut Member

    Is that why?? Yes, I do enable the feature to log incoming connections blocked by firewall and outbound allowed, mostly because I want to see people trying to probe me, although it doesn't seem to work the way I want. I'll set them to the "don't log (recommended)" values.
     