Firewall Logged packets causes high usage/ping

jpdsc

Regular Contributor
Hi Merlin,

I use the logged accepted packets to WOL my server based on a port trigger.
Meaning, if I go to https://MYDOMAIN:8088 it triggers an accepted packet in the logs, and a script running in the background WOLs the server.
The script I am using is the one in the GitHub FAQ.

Now, the issue is, the ACCEPTED logged packets are so many that syslog is rotating every 5-10 min, which causes high CPU or RAM usage and makes online games lag out for a few seconds and disconnect.
I checked if the script itself was using high CPU or RAM, but this is not the case.

Is there any way to do this differently, or to log the ACCEPTED packets to a different file (in external storage)?
Or, is there a different logging I can use?

Thanks in advance.

Router: AC66U
Firmware: Latest BETA: 380.68_beta1
Script:

#!/bin/sh

INTERVAL=5                              # seconds between dmesg checks
NUMP=3                                  # number of pings used to test whether the server is already up
OLD=""                                  # last log line acted on, so one hit does not wake the server repeatedly
TARGET=192.168.1.100                    # server to wake
PORT=8088                               # trigger port
IFACE=br0                               # LAN bridge the magic packet is sent on
MAC=44:8A:5B:65:11:0C                   # server MAC address
WOL=/usr/sbin/ether-wake
LOGFILE="/jffs/scripts/ether-wake.log"

while sleep $INTERVAL; do
    # newest ACCEPT entry in the kernel log for TARGET:PORT
    NEW=`dmesg | awk '/ACCEPT/ && /DST='"$TARGET"'/ && /DPT='"$PORT"'/ {print}' | tail -1`
    # split the line on '=' and ' '; these field numbers depend on the exact LOG line layout
    SRC=`echo $NEW | awk -F'[=| ]' '{print $8}'`
    DPORT=`echo $NEW | awk -F'[=| ]' '{print $27}'`
    PROTO=`echo $NEW | awk -F'[=| ]' '{print $23}'`
    if [ "$NEW" != "" -a "$NEW" != "$OLD" ]; then
        # only send the magic packet if the server does not answer pings
        if ! ping -qc $NUMP $TARGET >/dev/null; then
            echo "WAKE $TARGET requested by $SRC, port $DPORT, protocol $PROTO at" `date` >> $LOGFILE
            $WOL -i $IFACE $MAC
            sleep 5
        fi
        OLD=$NEW
    fi
done


Cheers,
 
I would use the iptables rule on the log chain, but then make your own so that only packets accepted on your desired port are written to the syslog.

iptables -S will give you the iptables rules in place; look for logaccept, I think.
 

Thank you for the reply. I actually checked:

iptables v1.3.8: Unknown arg `-S'
Try `iptables -h' or 'iptables --help' for more information.

-S is not valid.
 
Try -L

I think -S is in newer versions, my apologies.
Got it now.

Chain logaccept (9 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT all -- anywhere anywhere

What can I do to ensure port 8088 is only logged?

Thanks again!
 
If you look through the rules for things ending in -j logaccept and post them, I'll try to give you the right line to add in a firewall-start script.
 
Below is the output from iptables -L, there are no -J logaccept and post.

Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere icmp echo-request
logaccept all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere state INVALID
PTCSRVWAN all -- anywhere anywhere
PTCSRVLAN all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
logaccept udp -- anywhere anywhere udp spt:bootps dpt:bootpc
logaccept tcp -- anywhere guerra. ctstate DNAT tcp dpt:8443
INPUT_ICMP icmp -- anywhere anywhere
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
logaccept all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
logaccept all -- anywhere anywhere
SECURITY all -- anywhere anywhere
NSFW all -- anywhere anywhere
logaccept all -- anywhere anywhere ctstate DNAT
logaccept all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain ACCESS_RESTRICTION (0 references)
target prot opt source destination

Chain FUPNP (0 references)
target prot opt source destination
ACCEPT tcp -- anywhere ZEUS tcp dpt:6881
ACCEPT tcp -- anywhere ZEUS tcp dpt:4433
ACCEPT udp -- anywhere ZEUS udp dpt:6881

Chain INPUT_ICMP (1 references)
target prot opt source destination
RETURN icmp -- anywhere anywhere icmp echo-request
RETURN icmp -- anywhere anywhere icmp timestamp-request
logaccept icmp -- anywhere anywhere

Chain NSFW (1 references)
target prot opt source destination

Chain PControls (0 references)
target prot opt source destination
logaccept all -- anywhere anywhere

Chain PTCSRVLAN (1 references)
target prot opt source destination

Chain PTCSRVWAN (1 references)
target prot opt source destination

Chain SECURITY (1 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
RETURN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST
RETURN icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
DROP icmp -- anywhere anywhere icmp echo-request
RETURN all -- anywhere anywhere

Chain logaccept (9 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT all -- anywhere anywhere

Chain logdrop (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP all -- anywhere anywhere
 
Found the rule

-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT


How can I add a port to this?
 
I'll need to do some testing on my end to make sure; it shouldn't be too difficult.

I tried:
iptables -A logaccept -m state --state NEW -dport 8088 -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
iptables -A logaccept -m state --state NEW --dport 8088 -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options


Both show error.
 
A quick untested guess is you need to load the tcp module with -m tcp, but I'm not sure if that'll then include the info you want for your script. I'll need to test when I get home in a few hours.

Code:
iptables -A logaccept -m tcp -dport 8088 -j LOG
or even
Code:
iptables -I logaccept -p tcp -m tcp --dport 8088 -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
 

Was just writing this one :). Any command to reload iptables or is it not needed?
 
Rule will be effective when run. I think we'll need to make a script to remove the other logaccept rules, to stop your syslog being flooded. When I get home I'll enable logging on my Asus and see what rules need removing, in favour of our rule that should log only the specified port.
 
Perfect. Thanks. Meanwhile I will mess around with iptables and see if I can figure it out also :).
 
I also tried adding a LOG rule to INPUT:
iptables -I INPUT -p tcp -m tcp --dport 8088 -m state --state NEW -j LOG --log-level 1 --log-prefix "WOL "

It doesn't show the connections in the syslog :-(

@thelonelycoder could you please assist on this one?
 
Are you port forwarding 8088? What happens if you put it in the FORWARD chain?

If that fails can you post the output of iptables-save
 
Yes, just tested it. If you're port forwarding you need this:

iptables -I FORWARD -i eth0 -p tcp -m tcp --dport 8088 -m state --state NEW -j LOG --log-level 1 --log-prefix "WOL "

If you don't specify your WAN interface (-i eth0) your syslog could become flooded with LAN entries. And of course you'll need to turn off the logging of accepted packets in the GUI.
 
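Putting the last reply's advice together, as an added example that is not code from this thread or from the Asuswrt-Merlin project: one targeted LOG rule in FORWARD, restricted to the WAN interface and the forwarded port with its own "WOL " prefix, plus a watcher that follows the syslog and keys on that prefix instead of grepping dmesg for every ACCEPT line. The interface (eth0), port (8088), target, MAC and ether-wake path are taken from the thread; the syslog path /tmp/syslog.log, the function names, the 30-second debounce and the sample log line are assumptions made for this example. Fields are extracted by their KEY=VALUE names rather than by awk field position, so the watcher does not break when the kernel adds or drops a field (for example the TOS/PREC or MAC tokens).

```shell
#!/bin/sh
# Added example, not code from the thread or from Asuswrt-Merlin.
# Installs one targeted LOG rule in FORWARD and watches syslog for its prefix,
# parsing netfilter fields by name instead of by position.

WAN_IFACE=eth0                       # WAN interface, as used in the thread
TARGET=192.168.1.100                 # server to wake
PORT=8088                            # trigger port (port-forwarded to TARGET)
PREFIX="WOL "                        # our own prefix, distinct from the GUI's "ACCEPT "
NUMP=3                               # pings used to check whether TARGET is already up
IFACE=br0                            # LAN bridge for the magic packet
MAC=44:8A:5B:65:11:0C                # server MAC address
WOL=/usr/sbin/ether-wake
LOGFILE=/jffs/scripts/ether-wake.log
SYSLOG=${SYSLOG:-/tmp/syslog.log}    # assumed syslog path; adjust for your firmware

# Install the LOG rule once. Stale copies are deleted first so that repeated
# firewall-start runs do not stack duplicates (this old iptables has no -C).
install_log_rule() {
    while iptables -D FORWARD -i "$WAN_IFACE" -p tcp -m tcp --dport "$PORT" \
          -m state --state NEW -j LOG --log-level 1 --log-prefix "$PREFIX" 2>/dev/null; do :; done
    iptables -I FORWARD -i "$WAN_IFACE" -p tcp -m tcp --dport "$PORT" \
          -m state --state NEW -j LOG --log-level 1 --log-prefix "$PREFIX"
}

# Print the value of one KEY=VALUE token (SRC, DST, DPT, PROTO, ...) from a
# netfilter LOG line. The first match wins, so headers embedded in ICMP errors are ignored.
nf_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Succeed only for lines carrying our prefix and addressed to TARGET:PORT.
is_wake_trigger() {
    case "$1" in
        *"$PREFIX"IN=*) ;;
        *) return 1 ;;
    esac
    [ "$(nf_field "$1" DST)" = "$TARGET" ] && [ "$(nf_field "$1" DPT)" = "$PORT" ]
}

# Follow syslog and send a magic packet when a trigger arrives and TARGET is down.
watch_syslog() {
    tail -F "$SYSLOG" 2>/dev/null | while IFS= read -r line; do
        is_wake_trigger "$line" || continue
        if ! ping -qc "$NUMP" "$TARGET" >/dev/null 2>&1; then
            echo "WAKE $TARGET requested by $(nf_field "$line" SRC), port $(nf_field "$line" DPT), protocol $(nf_field "$line" PROTO) at $(date)" >> "$LOGFILE"
            "$WOL" -i "$IFACE" "$MAC"
            sleep 30   # debounce: one burst of SYN retries must not send several magic packets
        fi
    done
}

# Constructed sample line in the kernel LOG format (not captured from a real router).
SAMPLE_LINE='Jan  1 00:00:00 kernel: WOL IN=eth0 OUT=br0 SRC=203.0.113.5 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=51234 DPT=8088 WINDOW=29200 RES=0x00 SYN URGP=0'

case "${1:-}" in
    install) install_log_rule ;;     # call from /jffs/scripts/firewall-start
    watch)   watch_syslog ;;         # start in the background from services-start
esac
```

Run it as `script.sh install` from firewall-start so the rule survives a firewall restart, and `script.sh watch &` once at boot. With the GUI's "log accepted packets" turned off, only connections to the forwarded port on the WAN side produce a line, so the syslog stops rotating every few minutes.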
Sorry, my WAN was down last night so couldn't test until very late. I'll try to look at it tonight
 