Why my iptables LOG rule doesn't get applied for local traffic?

[Patryk]

I have the following rule to log traffic (for wake on LAN purposes)

iptables -I FORWARD -d 192.168.1.X -p tcp --dport 7000:8332 -m state --state NEW -j LOG --log-prefix "[2WAKE] XX:XX:XX:XX:XX:XX"

which does work for traffic from WAN that gets to my local network (through opened ports) but doesn't work for local only traffic.

Why is that? I've tried with `INPUT` chain as well but I've got the same results.

Is that because the traffic goes through internal switch and we cannot control this with `iptables`?

 

[eibgrad]

All local traffic is bridged, not routed, and therefore the router's IP firewall doesn't get involved in local traffic. All local devices communicate directly with one another over ethernet via the switch. That's why if you didn't even have a router, but only a switch, all local devices could still communicate w/ each other.

 

[Patryk]

That's what I thought. Any chance to see/touch/manipulate local traffic on Asus RT-AC routers?

 

[eibgrad]

That's what I thought. Any chance to see/touch/manipulate local traffic on Asus RT-AC routers?

There may be access to ebtables, which is a layer 2 (ethernet) firewall.

 

[Jack Yaz]

There may be access to ebtables, which is a layer 2 (ethernet) firewall.

There is