Log LAN > Outbound traffic/stats

v1k0d3n

Occasional Visitor
Can anyone tell me a good way to log outbound traffic? I have an interesting U-verse setup, so I have to run in DMZ mode. I am working with Splunk to create a useful app to log intrusion attempts etc. What I have noticed is A). LAN-to-outbound traffic is not logged by default; I want to change this, and B). the information logged is a little wonky when wanting to stat out TCP connection stats (unless I am missing something, which is probably the case). So far, though, I have a pretty useful app! :) I just need to get some interesting outbound statistics etc., so I can create some real-time traffic flow radial gauges.
 
Both IPTraffic and the regular traffic manager will log both upload and download traffic.
 

When I leave the iptables config default, I am only seeing accept/drop traffic logged from eth0 and nothing really from br0. It would probably be best to log INPUT DROP(s) from eth0 coming from the Internet and OUTPUT ACCEPT from br0.

When I create a firewall-start script in /jffs/scripts, which rules are loaded first, and which second? For instance, there are several rules/options set in /tmp/filter_rules and filter.defaults, and I have rules configured in /jffs/scripts/firewall-start, but I don't want them to get overwritten or overruled by what is in the other iptables rule sets. Is there a way to change the default filter_rules without an overwrite, or is there a better way of doing this?
 

I thought you were just referring to traffic statistics. I never really looked at how actual logging was implemented.


filter.defaults is what gets applied if the firewall isn't configured. When the firewall is configured with WAN up and ready, filter_rules is applied. Once that's applied, firewall-start is executed, so from that you can delete existing rules, or insert yourself anywhere in it.

You cannot modify the filter_rules file, as this is dynamically generated by the router before being applied using iptables-restore. You have to work directly on the iptables chains from the firewall-start (and nat-start, which is run after the mangle rules are applied).
 

Great information, thanks! I ended up getting around this by logging information from the br0 interface with:
iptables -I INPUT -i br0 -j logaccept

I noticed that "logaccept" worked for what I wanted by default, but it needed to be applied to br0 (by default, it isn't). Once that switch was made, I was getting tons of LAN > WAN syslog information which I was able to use in Splunk.

I'm now creating all sorts of useful Splunk graphs in my new app for a Merlin build of Asuswrt (which was originally taken from the "Home Monitor" Splunk app).
 

After playing with this more (and narrowing it down to just tcp to avoid all the udp traffic), I'm seeing the br0 traffic, but it's not giving me what I'm looking for. The DST is always the local IP address of the router, not the final destination IP address. What am I missing? Thanks!
 
I think I may have found my solution. Instead of INPUT, put it in the FORWARD chain, although at least on my installation, it needs to be the next to last entry:

iptables -I FORWARD 8 -i br0 -j logaccept

Seems to be correctly logging new outgoing connections, with correct src and dst addresses, and without causing lots of other cruft to get logged.

Does this make sense to others? Thanks.
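An added example (not from any poster in this thread) that parses netfilter LOG lines of the kind the logaccept/logdrop chains produce and shows why the INPUT-chain rule gives DST = router address while the FORWARD-chain rule gives the real destination: a line with IN=br0 and an empty OUT= came through INPUT, one with IN=br0 OUT=eth0 was forwarded LAN > WAN. The "ACCEPT " / "DROP " prefixes, interface names and all addresses in the sample lines are constructed assumptions; it then counts new outbound TCP connections per destination, the kind of figure a Splunk gauge would be fed.

```python
import re
from collections import Counter

# Constructed sample syslog lines in netfilter LOG format (prefixes "ACCEPT "
# and "DROP " are assumed to match the router's log chains; IPs/ports made up).
# Line 1: INPUT rule on br0 (DST is the router).  Lines 2-5: FORWARD rule
# (real DST).  Line 6: inbound drop on eth0.
SAMPLE_SYSLOG = """\
Jan  1 12:00:01 router kernel: ACCEPT IN=br0 OUT= SRC=192.168.1.10 DST=192.168.1.1 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0
Jan  1 12:00:02 router kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.10 DST=93.184.216.34 LEN=60 TTL=63 ID=2 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan  1 12:00:03 router kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.11 DST=93.184.216.34 LEN=60 TTL=63 ID=3 DF PROTO=TCP SPT=40002 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan  1 12:00:04 router kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.11 DST=93.184.216.34 LEN=52 TTL=63 ID=4 DF PROTO=TCP SPT=40002 DPT=443 WINDOW=64240 RES=0x00 ACK URGP=0
Jan  1 12:00:05 router kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.12 DST=8.8.8.8 LEN=60 TTL=63 ID=5 PROTO=UDP SPT=40003 DPT=53 LEN=40
Jan  1 12:00:06 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TTL=240 ID=6 PROTO=TCP SPT=55555 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"kernel: (?P<verdict>ACCEPT|DROP) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Split one LOG line into key=value fields plus a set of bare flags (DF, SYN, ACK...)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "flags": set()}
    for tok in m.group("rest").split():
        kv = KV_RE.fullmatch(tok)
        if kv:
            rec[kv.group(1)] = kv.group(2)
        else:
            rec["flags"].add(tok)
    return rec

def classify(rec):
    """Infer which chain logged the packet from the interface pair."""
    if rec.get("IN") == "br0" and rec.get("OUT"):
        return "lan_to_wan"        # FORWARD: DST is the real Internet host
    if rec.get("IN") == "br0":
        return "lan_to_router"     # INPUT on br0: DST is the router itself
    if rec.get("IN") and not rec.get("OUT"):
        return "wan_to_router"     # INPUT on the WAN side (e.g. dropped probes)
    return "other"

def outbound_new_tcp(syslog_text):
    """Count new LAN->WAN TCP connections per (DST, DPT).
    Only SYN-without-ACK packets count, so later data packets are not double counted."""
    counts = Counter()
    for line in syslog_text.splitlines():
        rec = parse_line(line)
        if not rec or classify(rec) != "lan_to_wan" or rec.get("PROTO") != "TCP":
            continue
        if "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
            counts[(rec["DST"], rec["DPT"])] += 1
    return counts
```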
 
