
iptables syntax to enable logging

Discussion in 'DD-WRT Firmware' started by dellsweig, Nov 5, 2005.

  1. dellsweig

    dellsweig Network Guru Member

    Greetings

    Loaded up V23 11/04 on my WRT54G and logging no longer functions - either to GUI or syslog

    Way back in the hyperWRT days, I used the following iptables commands to enable logging

    iptables -R INPUT 7 -j logdrop
    iptables -R INPUT 1 -j logdrop -m state --state INVALID

    This syntax no longer works with this Linux version.

    Does anyone know what I can manually enter to get some level of logging running - at least until Brainslayer fixes this bug?

    Thanks

    Dan
     
  2. dellsweig

    dellsweig Network Guru Member

    Does ANYONE have logging working on any V23 11/04 build on any G/GS platform??
     
  3. 4Access

    4Access Network Guru Member

    The last few days and through the next 2 weeks are really busy for me but I'll try to find time to test logging tomorrow.

    Update: I just read through the V23 beta 04.11.2005 Bug Reports thread and noticed that there seems to be a lot more bugs than usual... I think I'm going to wait for the next build since I have a feeling something may have gotten goofed up in this release.
     
  4. dellsweig

    dellsweig Network Guru Member

    OK - iptables output for both 11/04 and 10/27 builds.
    10/27 - logging works
    11/04 - logging does not work

    (Notice the different versions of BusyBox - I wonder if that is the problem)

    How about one of you iptables gurus telling us why??




    Here is iptables -L from 11/04 (logging does not work)


    yak login: root
    Password:
    ---------------------------------------------------------------

    DD-WRT build #23
    some code portions OpenWRT and EWRT
    additional thanks to Cesar Gonzales, Toxic,
    Elektik, MBChris, Nbd
    and all the wonderfull supporters of this Project


    http://www.dd-wrt.com

    ---------------------------------------------------------------


    BusyBox v1.01 (2005.11.01-14:52+0000) Built-in shell (ash)
    Enter 'help' for a list of built-in commands.

    ~ # iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    DROP udp -- anywhere anywhere udp dpt:route
    DROP udp -- anywhere anywhere udp dpt:route
    ACCEPT udp -- anywhere anywhere udp dpt:route
    ACCEPT tcp -- anywhere 192.168.1.1 tcp dpt:https
    logaccept tcp -- anywhere anywhere tcp dpt:ssh
    logdrop icmp -- anywhere anywhere
    ACCEPT igmp -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state NEW
    logaccept all -- anywhere anywhere state NEW
    logdrop all -- anywhere anywhere

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    logdrop all -- anywhere anywhere state INVALID
    TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN tcpmss match 1461:65535 TCPMSS set 1460
    lan2wan all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    logaccept udp -- anywhere BASE-ADDRESS.MCAST.NET/4 udp
    TRIGGER all -- anywhere anywhere TRIGGER type:in match:0 relate:0
    trigger_out all -- anywhere anywhere
    logaccept all -- anywhere anywhere state NEW
    logdrop all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain advgrp_1 (0 references)
    target prot opt source destination

    Chain advgrp_10 (0 references)
    target prot opt source destination

    Chain advgrp_2 (0 references)
    target prot opt source destination

    Chain advgrp_3 (0 references)
    target prot opt source destination

    Chain advgrp_4 (0 references)
    target prot opt source destination

    Chain advgrp_5 (0 references)
    target prot opt source destination

    Chain advgrp_6 (0 references)
    target prot opt source destination

    Chain advgrp_7 (0 references)
    target prot opt source destination

    Chain advgrp_8 (0 references)
    target prot opt source destination

    Chain advgrp_9 (0 references)
    target prot opt source destination

    Chain grp_1 (0 references)
    target prot opt source destination

    Chain grp_10 (0 references)
    target prot opt source destination

    Chain grp_2 (0 references)
    target prot opt source destination

    Chain grp_3 (0 references)
    target prot opt source destination

    Chain grp_4 (0 references)
    target prot opt source destination

    Chain grp_5 (0 references)
    target prot opt source destination

    Chain grp_6 (0 references)
    target prot opt source destination

    Chain grp_7 (0 references)
    target prot opt source destination

    Chain grp_8 (0 references)
    target prot opt source destination

    Chain grp_9 (0 references)
    target prot opt source destination

    Chain lan2wan (1 references)
    target prot opt source destination

    Chain logaccept (4 references)
    target prot opt source destination
    LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
    ACCEPT all -- anywhere anywhere

    Chain logdrop (4 references)
    target prot opt source destination
    LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
    LOG all -- anywhere anywhere state INVALID LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
    DROP all -- anywhere anywhere

    Chain logreject (0 references)
    target prot opt source destination
    LOG all -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `WEBDROP '
    REJECT tcp -- anywhere anywhere tcp reject-with tcp-reset

    Chain trigger_out (1 references)
    target prot opt source destination
    ~ #



    ################################################

    Here is iptables -L from 10/27 build - same configuration - logging works


    BusyBox v1.01 (2005.10.26-16:17+0000) Built-in shell (ash)
    Enter 'help' for a list of built-in commands.

    ~ # iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    DROP udp -- anywhere anywhere udp dpt:route
    DROP udp -- anywhere anywhere udp dpt:route
    ACCEPT udp -- anywhere anywhere udp dpt:route
    ACCEPT tcp -- anywhere 192.168.1.1 tcp dpt:https
    logaccept tcp -- anywhere anywhere tcp dpt:ssh
    logdrop icmp -- anywhere anywhere
    ACCEPT igmp -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state NEW
    logaccept all -- anywhere anywhere state NEW
    logdrop all -- anywhere anywhere

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    logdrop all -- anywhere anywhere state INVALID
    TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN tcpmss match 1461:65535 TCPMSS set 1460
    lan2wan all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    logaccept udp -- anywhere BASE-ADDRESS.MCAST.NET/4 udp
    TRIGGER all -- anywhere anywhere TRIGGER type:in match:0 relate:0
    trigger_out all -- anywhere anywhere
    logaccept all -- anywhere anywhere state NEW
    logdrop all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain advgrp_1 (0 references)
    target prot opt source destination

    Chain advgrp_10 (0 references)
    target prot opt source destination

    Chain advgrp_2 (0 references)
    target prot opt source destination

    Chain advgrp_3 (0 references)
    target prot opt source destination

    Chain advgrp_4 (0 references)
    target prot opt source destination

    Chain advgrp_5 (0 references)
    target prot opt source destination

    Chain advgrp_6 (0 references)
    target prot opt source destination

    Chain advgrp_7 (0 references)
    target prot opt source destination

    Chain advgrp_8 (0 references)
    target prot opt source destination

    Chain advgrp_9 (0 references)
    target prot opt source destination

    Chain grp_1 (0 references)
    target prot opt source destination

    Chain grp_10 (0 references)
    target prot opt source destination

    Chain grp_2 (0 references)
    target prot opt source destination

    Chain grp_3 (0 references)
    target prot opt source destination

    Chain grp_4 (0 references)
    target prot opt source destination

    Chain grp_5 (0 references)
    target prot opt source destination

    Chain grp_6 (0 references)
    target prot opt source destination

    Chain grp_7 (0 references)
    target prot opt source destination

    Chain grp_8 (0 references)
    target prot opt source destination

    Chain grp_9 (0 references)
    target prot opt source destination

    Chain lan2wan (1 references)
    target prot opt source destination

    Chain logaccept (4 references)
    target prot opt source destination
    LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
    ACCEPT all -- anywhere anywhere

    Chain logdrop (4 references)
    target prot opt source destination
    LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
    LOG all -- anywhere anywhere state INVALID LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
    DROP all -- anywhere anywhere

    Chain logreject (0 references)
    target prot opt source destination
    LOG all -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `WEBDROP '
    REJECT tcp -- anywhere anywhere tcp reject-with tcp-reset

    Chain trigger_out (1 references)
    target prot opt source destination
    ~ #
     

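An added diagnostic script, written for this page and not taken from the thread or from DD-WRT. The two `iptables -L` listings posted above are identical apart from the BusyBox build date, so the rules themselves are not what changed between the 10/27 and 11/04 builds. Plain `iptables -L` also hides the two things that would settle where logging breaks: the per-rule packet counters (does any traffic ever reach the LOG rules inside logdrop and logaccept?) and the interface match on the `ACCEPT all ... state NEW` rule that sits in front of them in INPUT. The sh script below, kept to what a BusyBox ash shell provides, reads `iptables -L -v -n -x` output and prints every LOG rule with its chain, hit count and prefix, checks whether the kernel has a LOG target registered at all, and rebuilds the logdrop chain with -N/-A/-I syntax instead of the `iptables -R INPUT N ...` form from the first post (which replaces whatever rule N currently is). The counter-bearing sample ruleset, its `br0` interface match, the `/proc/net/ip_tables_targets` check and the `DRY_RUN` variable are assumptions of this example; without root and iptables it runs over the constructed sample only.

```shell
#!/bin/sh
# Added example for this thread, not DD-WRT's own code. Answers two questions
# behind "logging does not work": do the LOG rules ever fire, and does the
# kernel even have a LOG target registered? Assumes `iptables -L -v -n -x`
# output in the layout seen in the thread plus pkts/bytes columns, and a
# /proc/net/ip_tables_targets file listing registered targets (assumed path).

# Does the running kernel have a LOG target? A missing target means LOG rules
# could never have loaded; a present one with dead counters points elsewhere.
log_target_available() {
    [ -r /proc/net/ip_tables_targets ] &&
        grep -qx LOG /proc/net/ip_tables_targets
}

# Read `iptables -L -v -n -x` from stdin and print "<chain> <pkts> <prefix>"
# for every LOG rule. Non-zero pkts: the rule fires and the gap is in the log
# path (kernel ring buffer -> klogd -> syslogd). All zero: traffic never reaches
# the logging chain, e.g. an earlier `ACCEPT ... state NEW` in INPUT takes it.
log_rule_hits() {
    awk -v q="'" '
        /^Chain / { chain = $2; next }
        $3 == "LOG" {
            prefix = "-"
            # iptables prints the prefix between a backtick and a single quote
            if (match($0, "prefix `[^" q "]*" q)) {
                prefix = substr($0, RSTART + 8, RLENGTH - 9)
                sub(/ +$/, "", prefix)
            }
            printf "%s %s %s\n", chain, $1, prefix
        }'
}

# Sum of packets that hit any LOG rule in the listing on stdin.
total_log_hits() {
    log_rule_hits | awk '{ s += $2 } END { print s + 0 }'
}

# Rebuild the logdrop chain with -N/-A/-I. Unlike `iptables -R INPUT 1 ...`,
# -I inserts in front of rule 1 instead of overwriting it. Prints the commands
# unless DRY_RUN=0 (assumed variable for this example).
rebuild_logdrop() {
    if [ "${DRY_RUN:-1}" = 1 ]; then ipt="echo iptables"; else ipt=iptables; fi
    $ipt -N logdrop 2>/dev/null
    $ipt -F logdrop
    $ipt -A logdrop -m state --state NEW -j LOG --log-level warning --log-prefix "DROP "
    $ipt -A logdrop -j DROP
    $ipt -D INPUT -m state --state INVALID -j logdrop 2>/dev/null
    $ipt -I INPUT 1 -m state --state INVALID -j logdrop
}

# Constructed sample (trimmed to INPUT and logdrop) with counters added to the
# thread's ruleset. The br0 interface on the ACCEPT NEW rule is an assumption;
# plain -L in the thread does not show it. Only the INVALID LOG rule has fired:
# every NEW packet is accepted earlier in INPUT, so the NEW LOG rule is dead.
sample_ruleset() {
cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    4300   512000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
     950    61000 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
       0        0 logaccept  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
      17     1220 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logdrop (4 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
      17     1220 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
      17     1220 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

if [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1; then
    if log_target_available; then echo "LOG target: registered"; else echo "LOG target: NOT registered"; fi
    iptables -L -v -n -x 2>/dev/null | log_rule_hits
else
    echo "no root iptables here; running over the constructed sample:"
    sample_ruleset | log_rule_hits
    echo "total LOG hits: $(sample_ruleset | total_log_hits)"
    rebuild_logdrop
fi
```

On the router, run it as root and compare the counters with what reaches the GUI and syslog. If the LOG counters climb but nothing is logged, the rules are fine and the break is downstream: the netfilter LOG target writes to the kernel log buffer, so check `dmesg` first, then whether klogd and syslogd are running and pointed at the configured syslog host. If the counters stay at zero, an earlier rule is accepting the traffic before the logging chain is reached, and `-v -n` will show which interface that rule is bound to.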