Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FS#2525 - Logging of iptables is not working #8465

Closed
openwrt-bot opened this issue Sep 30, 2019 · 3 comments
Closed

FS#2525 - Logging of iptables is not working #8465

openwrt-bot opened this issue Sep 30, 2019 · 3 comments
Labels

Comments

@openwrt-bot
Copy link

xewonder:

Supply the following if possible:

  • Device problem occurs on
  • Software versions of OpenWrt/LEDE release, packages, etc.
  • Steps to reproduce

zbt-we826-e
MediaTek MT7620A ver:2 eco:6
18.06.4

logs nowhere to be seen!

@openwrt-bot
Copy link
Author

yousong:

Please tell us about how to reproduce.

  • what did you do to log
  • where and how have you tried to read the log

@openwrt-bot
Copy link
Author

Sleepw4lker:

I think this is the same as "my" issue. Since 18.06 I observe that the "Enable Logging on this Zone" Option, at least for the LAN Zone's Forwarding, seems to be without effect.

Repro: The goal is to reject all outbound packets and selectively allow them. Beginning from a default Configuration, I remove the forwarding rule from the LAN to the WAN Zone, and enable Logging on the LAN Zone. Rejected packets should, if I understood it correctly, now appear in the System Log (logread).

This worked in LEDE 17.01 but stopped working since OpenWrt 18.06 (as well as 19.07-rc1). Logging of rejected Packets on the WAN Zone works as expected.

My config files are to be found here: openwrt/packages#10739

Thank you

@openwrt-bot
Copy link
Author

yousong:

Hi Uwe, thanks for the detailed report. I just sent a patch [1] to the mailing list

The issue is related to firewall3 commit [2], but I think the root cause is in the enforcement of zone forward policies.

[1] http://patchwork.ozlabs.org/patch/1208971/

[2] https://git.openwrt.org/30463d08056db8f03d17c0569581aef96418c38d

UPDATE: the above line on "enforcement of zone forward policies" was wrong. See http://lists.infradead.org/pipermail/openwrt-devel/2019-December/020630.html


Snippet from original github report (openwrt/packages#10739), for archive purposes

/etc/config/firewall

config rule option name 'Allow-DHCP-Renew' option src 'wan' option proto 'udp' option dest_port '68' option target 'ACCEPT' option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config rule
option target 'ACCEPT'
option src 'wan'
option proto 'tcp'
option dest_port '22'
option name 'Allow ssh from x.x.x.x to FW'
option src_ip 'x.x.x.x'
option family 'ipv4'

config rule
option target 'ACCEPT'
option src 'lan'
option proto 'tcp'
option dest_port '22 587 993'
option dest_ip 'x.x.x.x'
option family 'ipv4'
option name 'Allow ssh,submission,imaps from LAN to x.x.x.x'
option dest 'wan'

config rule
option target 'ACCEPT'
option name 'Allow ping from LAN to WAN'
option src 'lan'
option src_ip '192.168.1.0/24'
option proto 'icmp'
option icmp_type 'echo-request'
option dest 'wan'
option family 'ipv4'

config rule
option target 'ACCEPT'
option name 'Allow ntp from LAN to WAN'
option src 'lan'
option proto 'udp'
option dest_port '123'
option family 'ipv4'
option src_ip '192.168.1.0/24'
option dest 'wan'

config rule
option target 'ACCEPT'
option name 'Allow http,https from LAN/0-15 to WAN'
option src 'lan'
option src_ip '192.168.1.0/28'
option proto 'tcp'
option dest_port '80 443'
option dest 'wan'
option family 'ipv4'

config rule
option target 'ACCEPT'
option name 'Allow any from LAN/64-95 to WAN'
option src 'lan'
option proto 'tcpudp'
option src_ip '192.168.1.64/27'
option family 'ipv4'
option dest 'wan'

config rule
option target 'ACCEPT'
option name 'Allow ftp,http,https from LAN/96-127 to WAN'
option src 'lan'
option src_ip '192.168.1.96/27'
option proto 'tcp'
option dest_port '21 80 443'
option dest 'wan'
option family 'ipv4'

config rule
option target 'ACCEPT'
option name 'Allow quic from LAN/96-127 to WAN'
option src 'lan'
option src_ip '192.168.1.96/27'
option proto 'udp'
option dest_port '80 443'
option dest 'wan'
option family 'ipv4'

config rule
option target 'ACCEPT'
option name 'Allow Steam from LAN/96-127 to WAN'
option src 'lan'
option src_ip '192.168.1.96/27'
option proto 'tcpudp'
option dest_port '27015:27030'
option dest 'wan'
option family 'ipv4'

config rule
option target 'ACCEPT'
option name 'Allow SIP from raspbx to WAN'
option src 'lan'
option src_ip '192.168.1.0/28'
option proto 'udp'
option dest_port '5060 15000:30000'
option dest 'wan'
option family 'ipv4'

config rule
option target 'ACCEPT'
option name 'Allow BitTorrent from LAN/96-127 to WAN'
option src 'lan'
option src_ip '192.168.1.96/27'
option proto 'tcp'
option dest_port '6881:6889 6969'
option dest 'wan'
option family 'ipv4'

config rule
option target 'ACCEPT'
option name 'Allow Submission from LAN/96-127 to WAN'
option src 'lan'
option src_ip '192.168.1.96/27'
option proto 'tcp'
option dest_port '587'
option dest 'wan'
option dest_ip 'x.x.x.x'
option family 'ipv4'

config rule
option target 'ACCEPT'
option name 'Allow ftp,http,https from backup.lan to WAN'
option src 'lan'
option src_ip '192.168.1.201'
option proto 'tcp'
option dest_port '21 80 443'
option dest 'wan'
option family 'ipv4'

config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option drop_invalid '1'
option flow_offloading '0'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option log '1'
option network 'lan'

config zone
option name 'wan'
option input 'DROP'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option log '0'
option network 'wan wan6'

config include
option path '/etc/firewall.user'

iptables-save

iptables-save # Generated by iptables-save v1.6.2 on Mon Dec 9 19:36:48 2019 *nat :PREROUTING ACCEPT [6974:752506] :INPUT ACCEPT [1900:139041] :OUTPUT ACCEPT [1843:129017] :POSTROUTING ACCEPT [256:15472] :postrouting_lan_rule - [0:0] :postrouting_rule - [0:0] :postrouting_wan_rule - [0:0] :prerouting_lan_rule - [0:0] :prerouting_rule - [0:0] :prerouting_wan_rule - [0:0] :zone_lan_postrouting - [0:0] :zone_lan_prerouting - [0:0] :zone_wan_postrouting - [0:0] :zone_wan_prerouting - [0:0] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule COMMIT # Completed on Mon Dec 9 19:36:48 2019 # Generated by iptables-save v1.6.2 on Mon Dec 9 19:36:48 2019 *mangle :PREROUTING ACCEPT [66237:70362869] :INPUT ACCEPT [9919:14917422] :FORWARD ACCEPT [55444:55131038] :OUTPUT ACCEPT [7040:605277] :POSTROUTING ACCEPT [61086:55645923] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu COMMIT # Completed on Mon Dec 9 19:36:48 2019 # Generated by iptables-save v1.6.2 on Mon Dec 9 19:36:48 2019 *filter :INPUT ACCEPT [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] :forwarding_lan_rule - [0:0] :forwarding_rule - [0:0] :forwarding_wan_rule - [0:0] :input_lan_rule - [0:0] :input_rule - [0:0] :input_wan_rule - [0:0] :output_lan_rule - [0:0] :output_rule - [0:0] :output_wan_rule - [0:0] :reject - [0:0] :syn_flood - [0:0] :zone_lan_dest_ACCEPT - [0:0] :zone_lan_dest_REJECT - [0:0] :zone_lan_forward - [0:0] :zone_lan_input - [0:0] :zone_lan_output - [0:0] :zone_lan_src_ACCEPT - [0:0] :zone_wan_dest_ACCEPT - [0:0] :zone_wan_dest_REJECT - [0:0] :zone_wan_forward - [0:0] :zone_wan_input - [0:0] :zone_wan_output - [0:0] :zone_wan_src_DROP - [0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT -A INPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT -A FORWARD -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward -A FORWARD -m comment --comment "!fw3" -j reject -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT -A OUTPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN -A syn_flood -m comment --comment "!fw3" -j DROP -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT -A zone_lan_dest_REJECT -o br-lan -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT lan out: " -A zone_lan_dest_REJECT -o br-lan -m comment --comment "!fw3" -j reject -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule -A zone_lan_forward -d x.x.x.x/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: Allow ssh,submission,imaps from LAN to x.x.x.x" -j zone_wan_dest_ACCEPT -A zone_lan_forward -d x.x.x.x/32 -p tcp -m tcp --dport 587 -m comment --comment "!fw3: Allow ssh,submission,imaps from LAN to x.x.x.x" -j zone_wan_dest_ACCEPT -A zone_lan_forward -d x.x.x.x/32 -p tcp -m tcp --dport 993 -m comment --comment "!fw3: Allow ssh,submission,imaps from LAN to x.x.x.x" -j zone_wan_dest_ACCEPT -A zone_lan_forward -s 192.168.1.0/24 -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow ping from LAN to WAN" -j zone_wan_dest_ACCEPT -A zone_lan_forward -s 192.168.1.0/24 -p udp -m udp --dport 123 -m comment --comment "!fw3: Allow ntp from LAN to WAN" -j zone_wan_dest_ACCEPT -A zone_lan_forward -s 192.168.1.0/28 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Allow http,https from LAN/0-15 to WAN" -j zone_wan_dest_ACCEPT -A zone_lan_forward -s 192.168.1.0/28 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Allow http,https from LAN/0-15 to WAN" -j zone_wan_dest_ACCEPT -A zone_lan_forward -s 192.168.1.64/27 -p tcp -m comment --comment "!fw3: Allow any from LAN/64-95 to WAN" -j zone_wan_dest_ACCEPT -A zone_lan_forward -s 192.168.1.64/27 -p udp -m comment --comment "!fw3: Allow any from LAN/64-95 to WAN" -j zone_wan_dest_ACCEPT -A zone_lan_forward -s 192.168.1.96/27 -p tcp -m tcp --dport 21 -m comment --comment "!fw3: Allow ftp,http,https from LAN/96-127 to WAN" -j zone_wan_dest_ACCEPT -A zone_lan_forward -s 192.168.1.96/27 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Allow ftp,http,https from LAN/96-127 to WAN" -j zone_wan_dest_ACCEPT -A zone_lan_forward -s 192.168.1.96/27 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Allow ftp,http,https from LAN/96-127 to WAN" -j zone_wan_dest_ACCEPT -A zone_lan_forward -s 192.168.1.96/27 -p udp -m udp --dport 80 -m comment --comment "!fw3: Allow quic from LAN/96-127 to WAN" -j zone_wan_dest_ACCEPT -A zone_lan_forward -s 192.168.1.96/27 -p udp -m udp --dport 443 -m comment --comment "!fw3: Allow quic from LAN/96-127 to WAN" -j zone_wan_dest_ACCEPT -A zone_lan_forward -s 192.168.1.96/27 -p tcp -m tcp --dport 27015:27030 -m comment --comment "!fw3: Allow Steam from LAN/96-127 to WAN" -j zone_wan_dest_ACCEPT -A zone_lan_forward -s 192.168.1.96/27 -p udp -m udp --dport 27015:27030 -m comment --comment "!fw3: Allow Steam from LAN/96-127 to WAN" -j zone_wan_dest_ACCEPT -A zone_lan_forward -s 192.168.1.0/28 -p udp -m udp --dport 5060 -m comment --comment "!fw3: Allow SIP from raspbx to WAN" -j zone_wan_dest_ACCEPT -A zone_lan_forward -s 192.168.1.0/28 -p udp -m udp --dport 15000:30000 -m comment --comment "!fw3: Allow SIP from raspbx to WAN" -j zone_wan_dest_ACCEPT -A zone_lan_forward -s 192.168.1.96/27 -p tcp -m tcp --dport 6881:6889 -m comment --comment "!fw3: Allow BitTorrent from LAN/96-127 to WAN" -j zone_wan_dest_ACCEPT -A zone_lan_forward -s 192.168.1.96/27 -p tcp -m tcp --dport 6969 -m comment --comment "!fw3: Allow BitTorrent from LAN/96-127 to WAN" -j zone_wan_dest_ACCEPT -A zone_lan_forward -s 192.168.1.96/27 -d x.x.x.x/32 -p tcp -m tcp --dport 587 -m comment --comment "!fw3: Allow Submission from LAN/96-127 to WAN" -j zone_wan_dest_ACCEPT -A zone_lan_forward -s 192.168.1.201/32 -p tcp -m tcp --dport 21 -m comment --comment "!fw3: Allow ftp,http,https from backup.lan to WAN" -j zone_wan_dest_ACCEPT -A zone_lan_forward -s 192.168.1.201/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Allow ftp,http,https from backup.lan to WAN" -j zone_wan_dest_ACCEPT -A zone_lan_forward -s 192.168.1.201/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Allow ftp,http,https from backup.lan to WAN" -j zone_wan_dest_ACCEPT -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_REJECT -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT -A zone_lan_src_ACCEPT -i br-lan -m comment --comment "!fw3" -j ACCEPT -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT -A zone_wan_input -s x.x.x.x/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: Allow ssh from x.x.x.x to FW" -j ACCEPT -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_DROP -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT -A zone_wan_src_DROP -i eth0.2 -m comment --comment "!fw3" -j DROP COMMIT # Completed on Mon Dec 9 19:36:48 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

1 participant