FS#2525 - Logging of iptables is not working #8465
Comments
yousong: Please tell us about how to reproduce.
Sleepw4lker: I think this is the same as "my" issue. Since 18.06 I observe that the "Enable Logging on this Zone" option, at least for the LAN zone's forwarding, seems to be without effect.
Repro: The goal is to reject all outbound packets and selectively allow them. Beginning from a default configuration, I remove the forwarding rule from the LAN to the WAN zone, and enable logging on the LAN zone. Rejected packets should, if I understood it correctly, now appear in the system log (logread). This worked in LEDE 17.01 but stopped working since OpenWrt 18.06 (as well as 19.07-rc1). Logging of rejected packets on the WAN zone works as expected. My config files are to be found here: openwrt/packages#10739
Thank you
yousong: Hi Uwe, thanks for the detailed report. I just sent a patch [1] to the mailing list
[1] http://patchwork.ozlabs.org/patch/1208971/
[2] https://git.openwrt.org/30463d08056db8f03d17c0569581aef96418c38d
UPDATE: the above line on "enforcement of zone forward policies" was wrong. See http://lists.infradead.org/pipermail/openwrt-devel/2019-December/020630.html
Snippet from original github report (openwrt/packages#10739), for archive purposes:
/etc/config/firewall
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
iptables-save
# Generated by iptables-save v1.6.2 on Mon Dec 9 19:36:48 2019
*nat
:PREROUTING ACCEPT [6974:752506]
:INPUT ACCEPT [1900:139041]
:OUTPUT ACCEPT [1843:129017]
:POSTROUTING ACCEPT [256:15472]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Mon Dec 9 19:36:48 2019
# Generated by iptables-save v1.6.2 on Mon Dec 9 19:36:48 2019
*mangle
:PREROUTING ACCEPT [66237:70362869]
:INPUT ACCEPT [9919:14917422]
:FORWARD ACCEPT [55444:55131038]
:OUTPUT ACCEPT [7040:605277]
:POSTROUTING ACCEPT [61086:55645923]
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Dec 9 19:36:48 2019
# Generated by iptables-save v1.6.2 on Mon Dec 9 19:36:48 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_dest_REJECT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_DROP - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_REJECT -o br-lan -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT lan out: "
-A zone_lan_dest_REJECT -o br-lan -m comment --comment "!fw3" -j reject
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -d x.x.x.x/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: Allow ssh,submission,imaps from LAN to x.x.x.x" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -d x.x.x.x/32 -p tcp -m tcp --dport 587 -m comment --comment "!fw3: Allow ssh,submission,imaps from LAN to x.x.x.x" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -d x.x.x.x/32 -p tcp -m tcp --dport 993 -m comment --comment "!fw3: Allow ssh,submission,imaps from LAN to x.x.x.x" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -s 192.168.1.0/24 -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow ping from LAN to WAN" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -s 192.168.1.0/24 -p udp -m udp --dport 123 -m comment --comment "!fw3: Allow ntp from LAN to WAN" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -s 192.168.1.0/28 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Allow http,https from LAN/0-15 to WAN" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -s 192.168.1.0/28 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Allow http,https from LAN/0-15 to WAN" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -s 192.168.1.64/27 -p tcp -m comment --comment "!fw3: Allow any from LAN/64-95 to WAN" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -s 192.168.1.64/27 -p udp -m comment --comment "!fw3: Allow any from LAN/64-95 to WAN" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -s 192.168.1.96/27 -p tcp -m tcp --dport 21 -m comment --comment "!fw3: Allow ftp,http,https from LAN/96-127 to WAN" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -s 192.168.1.96/27 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Allow ftp,http,https from LAN/96-127 to WAN" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -s 192.168.1.96/27 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Allow ftp,http,https from LAN/96-127 to WAN" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -s 192.168.1.96/27 -p udp -m udp --dport 80 -m comment --comment "!fw3: Allow quic from LAN/96-127 to WAN" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -s 192.168.1.96/27 -p udp -m udp --dport 443 -m comment --comment "!fw3: Allow quic from LAN/96-127 to WAN" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -s 192.168.1.96/27 -p tcp -m tcp --dport 27015:27030 -m comment --comment "!fw3: Allow Steam from LAN/96-127 to WAN" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -s 192.168.1.96/27 -p udp -m udp --dport 27015:27030 -m comment --comment "!fw3: Allow Steam from LAN/96-127 to WAN" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -s 192.168.1.0/28 -p udp -m udp --dport 5060 -m comment --comment "!fw3: Allow SIP from raspbx to WAN" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -s 192.168.1.0/28 -p udp -m udp --dport 15000:30000 -m comment --comment "!fw3: Allow SIP from raspbx to WAN" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -s 192.168.1.96/27 -p tcp -m tcp --dport 6881:6889 -m comment --comment "!fw3: Allow BitTorrent from LAN/96-127 to WAN" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -s 192.168.1.96/27 -p tcp -m tcp --dport 6969 -m comment --comment "!fw3: Allow BitTorrent from LAN/96-127 to WAN" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -s 192.168.1.96/27 -d x.x.x.x/32 -p tcp -m tcp --dport 587 -m comment --comment "!fw3: Allow Submission from LAN/96-127 to WAN" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -s 192.168.1.201/32 -p tcp -m tcp --dport 21 -m comment --comment "!fw3: Allow ftp,http,https from backup.lan to WAN" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -s 192.168.1.201/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Allow ftp,http,https from backup.lan to WAN" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -s 192.168.1.201/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Allow ftp,http,https from backup.lan to WAN" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_REJECT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -s x.x.x.x/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: Allow ssh from x.x.x.x to FW" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_DROP
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_DROP -i eth0.2 -m comment --comment "!fw3" -j DROP
COMMIT
# Completed on Mon Dec 9 19:36:48 2019
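Tracing the dump above explains what the reporter sees. The only LOG rule is in zone_lan_dest_REJECT and is qualified with -o br-lan, so it fires only for packets leaving through the LAN bridge. A LAN-to-WAN packet that matches none of the allow rules in zone_lan_forward is sent to zone_lan_dest_REJECT, matches neither rule there (its output interface is eth0.2), falls back out to FORWARD and is rejected by the unqualified -j reject at the end of FORWARD, which does not log. The tracer below, an added example that is not code from the issue, from fw3 or from OpenWrt, walks constructed sample flows through a subset of the filter rules copied from the dump (rules naming the redacted x.x.x.x address are omitted); the host addresses, ports and flow names are assumed, and the limit match on the LOG rule is ignored.

```python
"""Trace a packet through the fw3 FORWARD chains from the iptables-save dump above.
Added example; not code from the issue, from fw3 or from OpenWrt."""
import ipaddress
import shlex
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed subset of the `*filter` table from the dump above; chain order is
# kept, rules that reference the redacted x.x.x.x address are left out.
FW3_FILTER_RULES = """
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A zone_lan_dest_REJECT -o br-lan -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT lan out: "
-A zone_lan_dest_REJECT -o br-lan -m comment --comment "!fw3" -j reject
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -s 192.168.1.0/24 -p udp -m udp --dport 123 -m comment --comment "!fw3: Allow ntp from LAN to WAN" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_REJECT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
"""

@dataclass
class Rule:
    chain: str = ""
    target: str = ""
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    ctstate: Optional[set] = None
    log_prefix: str = ""

@dataclass
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str
    proto: str
    dport: int = 0
    ctstate: str = "NEW"   # a fresh flow; RELATED/ESTABLISHED never reach the zone chains

SETTERS = {  # iptables option -> (Rule field, converter); every option takes one value
    "-A": ("chain", str), "-j": ("target", str), "-i": ("in_if", str),
    "-o": ("out_if", str), "-p": ("proto", str), "--dport": ("dport", int),
    "-s": ("src", ipaddress.ip_network), "-d": ("dst", ipaddress.ip_network),
    "--ctstate": ("ctstate", lambda v: set(v.split(","))),
    "--log-prefix": ("log_prefix", str),
}
IGNORED = {"-m", "--comment", "--limit", "--limit-burst", "--reject-with"}  # no effect on the verdict here

def parse_rules(text):
    """Parse `-A chain ...` lines into {chain: [Rule, ...]} preserving rule order."""
    chains = defaultdict(list)
    for line in text.strip().splitlines():
        rule, tok = Rule(), shlex.split(line)   # shlex keeps quoted comments/prefixes intact
        for opt, val in zip(tok[::2], tok[1::2]):
            if opt in SETTERS:
                field, conv = SETTERS[opt]
                setattr(rule, field, conv(val))
            elif opt not in IGNORED:
                raise ValueError(f"unsupported option {opt!r} in: {line}")
        chains[rule.chain].append(rule)
    return dict(chains)

def matches(rule, pkt):
    return all([
        rule.in_if is None or rule.in_if == pkt.in_if,
        rule.out_if is None or rule.out_if == pkt.out_if,
        rule.src is None or ipaddress.ip_address(pkt.src) in rule.src,
        rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst,
        rule.proto is None or rule.proto == pkt.proto,
        rule.dport is None or rule.dport == pkt.dport,
        rule.ctstate is None or pkt.ctstate in rule.ctstate,
    ])

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def trace(chains, pkt, chain="FORWARD", logs=None):
    """Walk a chain as netfilter does: first terminal verdict wins, LOG is
    non-terminal, and a user chain with no matching terminal rule returns to
    its caller. Returns (verdict or None, list of LOG prefixes hit)."""
    logs = [] if logs is None else logs
    for rule in chains.get(chain, []):   # fw3 custom chains (forwarding_rule, ...) are empty
        if not matches(rule, pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target, logs
        if rule.target == "LOG":
            logs.append(rule.log_prefix)
            continue
        verdict, logs = trace(chains, pkt, rule.target, logs)
        if verdict:
            return verdict, logs
    return None, logs

def forward_verdict(chains, pkt):
    verdict, logs = trace(chains, pkt)
    return (verdict or "DROP", logs)   # ":FORWARD DROP" is the chain policy in the dump

SAMPLE_FLOWS = {  # constructed flows; hosts and ports are assumed, not from the report
    "lan->wan smtp": Packet("br-lan", "eth0.2", "192.168.1.200", "203.0.113.25", "tcp", 25),
    "lan->wan ntp": Packet("br-lan", "eth0.2", "192.168.1.200", "203.0.113.25", "udp", 123),
    "lan->lan hairpin": Packet("br-lan", "br-lan", "192.168.1.200", "192.168.1.10", "tcp", 25),
    "wan->lan ssh": Packet("eth0.2", "br-lan", "198.51.100.7", "192.168.1.10", "tcp", 22),
}

if __name__ == "__main__":
    chains = parse_rules(FW3_FILTER_RULES)
    for name, pkt in SAMPLE_FLOWS.items():
        print(f"{name:18} -> {forward_verdict(chains, pkt)}")
```

Run with python3 to print one line per flow. Only the lan->lan hairpin flow collects the "REJECT lan out: " prefix, because it is the only rejected flow whose output interface is br-lan; the WAN-bound reject and the WAN-originated reject both end in the plain reject chain with no LOG hit, which is consistent with nothing appearing in logread for the LAN-to-WAN case the reporter describes.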
xewonder:
Supply the following if possible:
zbt-we826-e
MediaTek MT7620A ver:2 eco:6
18.06.4
logs nowhere to be seen!