
Logging outgoing connections from particular machine

Discussion in 'Tomato Firmware' started by touser, Aug 2, 2014.

  1. touser

    touser Network Newbie Member

    I am trying to log the outgoing connections (all ports, not just http(s)) from a particular local IP address (say, 192.168.1.2). I added:
    iptables -A OUTPUT -s 192.168.1.2 -m limit --limit 5/m -j LOG --log-prefix="foo"
    to Administration: Firewall; and then restarted the router. The rule appears in 'iptables -L' (although with the machine name, rather than the IP address), but nothing gets logged in /var/log/messages.
    This is on the latest v.121 of Shibby's mod.

    Any ideas what I am doing wrong?
     
  2. koitsu

    koitsu Network Guru Member

    Yes, lots of ideas what you're doing wrong.

    The main reason is that you're using the wrong chain. OUTPUT is for things that come from the router itself natively, e.g. connections the router initiates itself, not packets that are forwarded through the router (e.g. NAT'd LAN machines). You want FORWARD. However, before just blindly putting that in, keep reading.

    The rule appears with the machine name due to DNS resolution. Get used to using the -n flag on iptables. I would also suggest you get used to using -v and --line-numbers.

    You need to look at the existing FORWARD chain and pay close attention; simply appending to the chain using -A is probably not going to work, as a rule that precedes that will probably happen first, thus your rule will never get reached. So you may want to insert a rule at a specific location, hence --line-numbers being needed (again my rant: why this isn't the default in iptables is beyond me, it's incredibly important).

    There is already a "sub-chain" on TomatoUSB that's used in the OUTPUT chain in the appropriate location. It's called wanout. That chain is usually empty, so you can use -A to append things to it. So your rule should be this:

    Code:
    iptables -A wanout -s 192.168.1.2 -m limit --limit 5/m -j LOG --log-prefix="foo"
    
    I have personally verified this works. How I tested:

    Code:
    iptables -A wanout -d 4.2.2.1 -j LOG
    
    Then proceeded to send a single ping request from a LAN machine (192.168.1.51) to 4.2.2.1 and see what happened. The result:

    Code:
    Chain wanout (1 references)
    pkts bytes target     prot opt in     out     source               destination
        1    84 LOG        all  --  *      *       0.0.0.0/0            4.2.2.1             LOG flags 0 level 4
    
    Log line:

    Code:
    IN=br0 OUT=vlan2 SRC=192.168.1.51 DST=4.2.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=41554 PROTO=ICMP TYPE=8 CODE=0 ID=14687 SEQ=0
    
    Enjoy.
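    A way to review what such a LOG rule actually writes to /var/log/messages, as an added example that is not part of this thread or of Tomato: a small Python parser over constructed sample syslog lines that pulls the netfilter fields out of each kernel log entry and summarises the outbound connections from one LAN host. It assumes the `--log-prefix="foo"` from the thread (the kernel prints the prefix immediately before `IN=`, so a prefix without a trailing space runs into it) and that, because of `-m limit --limit 5/m`, the log is a sampled lower bound rather than a complete record.

```python
import re

# Constructed sample lines in the shape a netfilter LOG target writes to syslog.
# The prefix "foo" has no trailing space, so it runs straight into "IN=".
SAMPLE_LOG = """\
Aug  2 10:15:01 router kernel: fooIN=br0 OUT=vlan2 SRC=192.168.1.2 DST=4.2.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=41554 PROTO=ICMP TYPE=8 CODE=0 ID=14687 SEQ=0
Aug  2 10:15:03 router kernel: fooIN=br0 OUT=vlan2 SRC=192.168.1.2 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Aug  2 10:15:04 router kernel: fooIN=br0 OUT=vlan2 SRC=192.168.1.51 DST=8.8.8.8 LEN=72 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=UDP SPT=40000 DPT=53 LEN=52
Aug  2 10:15:05 router dnsmasq[123]: started, version 2.71
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line, prefix="foo"):
    """Return the netfilter KEY=value fields of one LOG entry, or None if the
    line was not written by a rule carrying the given --log-prefix."""
    m = re.search(re.escape(prefix) + r"\s*(IN=.*)$", line)
    if m is None:
        return None
    payload = m.group(1)
    fields = {}
    for key, val in FIELD_RE.findall(payload):
        # First value wins: ICMP entries repeat ID (IP header, then ICMP id)
        # and UDP entries repeat LEN (IP length, then UDP length).
        fields.setdefault(key, val)
    # Bare tokens such as DF or SYN carry no "=" and are kept as flags.
    fields["FLAGS"] = [tok for tok in payload.split() if "=" not in tok]
    return fields


def outgoing_from(log_text, src, prefix="foo"):
    """Summarise logged outbound packets from one LAN address as
    (protocol, destination, port-or-icmp-type) tuples, in log order.
    With -m limit --limit 5/m in the rule this is a sample, not a full count."""
    seen = []
    for line in log_text.splitlines():
        f = parse_log_line(line, prefix)
        if f is None or f.get("SRC") != src:
            continue
        target = f.get("DPT") or ("type " + f.get("TYPE", "?"))
        seen.append((f.get("PROTO", "?"), f.get("DST", "?"), target))
    return seen


if __name__ == "__main__":
    for entry in outgoing_from(SAMPLE_LOG, "192.168.1.2"):
        print("%-4s -> %s (%s)" % entry)
```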
     
  3. touser

    touser Network Newbie Member

    This works fine, thanks a lot for the explanation!
     
