SOLVED - Syslog for inbound NATed traffic???
SOLVED - See end of post.
With the whole Shellshock vulnerability going around, it is time for me to assess the syslog and I'm seeing that none of my external NAT'ed web services are being logged by my RT-AC68U. Doh!
I found this thread which mentions a way to log via the FORWARD iptables chain, but I'm not sure if it is relevant to my issue.
http://forums.smallnetbuilder.com/showthread.php?t=13053
I had a discussion with merlin about logging and he said that the nat iptables table was used for NAT'ed connections.
Ex: iptables -t nat -L
So where do I put a new fw rule to log inbound connections?
I would suspect this is the correct format for the FORWARD chain, but I'm no iptables master.
iptables -I FORWARD -i eth+ -o br+ -p tcp --dport <MY_NAT_PORT> -m state --state NEW -j logaccept
FYI, this is my FORWARD chain:
Chain FORWARD (policy DROP)
target prot opt source destination
DROP gre -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DROP udp -- anywhere anywhere udp dpt:1701
DROP tcp -- anywhere anywhere tcp dpt:1723
logaccept all -- anywhere anywhere state RELATED,ESTABLISHED
logdrop all -- anywhere anywhere
logdrop all -- anywhere anywhere state INVALID
logaccept all -- anywhere anywhere
logaccept all -- anywhere anywhere ctstate DNAT
ACCEPT all -- anywhere anywhere
SOLUTION:
Turns out I was simply looking for the wrong port in the logs. My NAT ports differ from my internal LAN ports used. Searching for the LAN ports shows the inbound connections.
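The reason the LAN port is what turns up in syslog is that DNAT is applied in the nat table's PREROUTING chain before the packet reaches the filter table's FORWARD chain, so a logaccept rule in FORWARD (such as the ctstate DNAT rule in the listing above) records the already-translated destination address and port. The following is an added example, not code from the original post or from the router firmware: it parses netfilter-style LOG lines and resolves each forwarded inbound connection back to the external port through a port-forward table. The log lines are constructed samples; the "ACCEPT"/"DROP" log prefixes, the eth0/br0 interface names and the port-forward mapping are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines in netfilter LOG format (not taken from the post).
# Line 1 and 3: WAN -> LAN, post-DNAT, so DPT is the LAN port (8080, 22), not the
# external port (80, 2222). Line 2: reply traffic LAN -> WAN. Line 4: hit the
# router itself (INPUT chain, empty OUT=), so it is not a forwarded connection.
SAMPLE_LOG = """\
Oct  1 10:00:01 RT-AC68U kernel: ACCEPT IN=eth0 OUT=br0 SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=51234 DPT=8080 SYN
Oct  1 10:00:02 RT-AC68U kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=8080 DPT=51234
Oct  1 10:00:05 RT-AC68U kernel: ACCEPT IN=eth0 OUT=br0 SRC=198.51.100.7 DST=192.168.1.20 PROTO=TCP SPT=40000 DPT=22 SYN
Oct  1 10:00:09 RT-AC68U kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.1 PROTO=TCP SPT=4444 DPT=23 SYN
"""

# Hypothetical port-forward table: external WAN port -> (LAN host, LAN port).
PORT_FORWARDS = {
    80: ("192.168.1.10", 8080),
    2222: ("192.168.1.20", 22),
}

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
ACTION_RE = re.compile(r"kernel: (\S+) IN=")


def parse_line(line):
    """Return the KEY=value fields of one netfilter LOG line (plus the log prefix
    as ACTION), or None if the line is not a netfilter LOG entry."""
    m = ACTION_RE.search(line)
    if not m:
        return None
    fields = {"ACTION": m.group(1)}
    for key, val in KV_RE.findall(line):
        fields[key] = val
    return fields


def inbound_forwarded(log_text, wan_if="eth0"):
    """Accepted connections that entered on the WAN interface and were forwarded
    to a LAN interface (non-empty OUT=). Because DNAT ran in PREROUTING before
    FORWARD, DST/DPT here are the internal host and port."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f["ACTION"] == "ACCEPT" and f.get("IN") == wan_if and f.get("OUT"):
            hits.append(f)
    return hits


def count_forwarded_dpt(log_text, port, wan_if="eth0"):
    """How many forwarded inbound entries carry DPT=<port>. Searching for the
    external NAT port here finds nothing; the LAN port is what is logged."""
    return sum(1 for f in inbound_forwarded(log_text, wan_if) if int(f.get("DPT", 0)) == port)


def summarize_by_external_port(log_text, port_forwards, wan_if="eth0"):
    """Map each forwarded inbound entry back to the external port it was reached
    on, via the port-forward table, and count connections per external port.
    Entries with no matching forward are reported under an 'unmapped' key."""
    reverse = {(host, lport): ext for ext, (host, lport) in port_forwards.items()}
    counts = Counter()
    for f in inbound_forwarded(log_text, wan_if):
        key = (f.get("DST"), int(f.get("DPT", 0)))
        counts[reverse.get(key, "unmapped %s:%d" % key)] += 1
    return counts


if __name__ == "__main__":
    print("hits for external port 80:", count_forwarded_dpt(SAMPLE_LOG, 80))
    print("hits for LAN port 8080:", count_forwarded_dpt(SAMPLE_LOG, 8080))
    for ext_port, n in summarize_by_external_port(SAMPLE_LOG, PORT_FORWARDS).items():
        print("external port", ext_port, "->", n, "inbound connection(s)")
```

When reviewing a router log after an event like Shellshock, keep the port-forward table next to the log: grepping for the public port is the natural first move and silently returns nothing, while grepping for the internal port (or resolving each DST:DPT pair through the table as above) gives the real count of inbound hits per exposed service.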