Koozali.org: home of the SME Server

Using syslogd to log ADSL router.

markleman
« on: September 28, 2009, 06:02:40 PM »
I found the howto (http://wiki.contribs.org/Syslog) on how to use syslogd to record messages from other devices. This works well to record messages from the wireless access points inside my network. Now I would like to record the messages from my ADSL router which is on the WAN side.

I did a quick test using port-forwarding to forward external port 514 to localhost:514 and the messages appeared in /var/log/messages as expected. However I think this is a security risk because anyone could send messages to my log, fill up my drive etc, so I removed the temporary port forward.

I think I need to create a firewall rule to allow access to UDP port 514 on the WAN Ethernet interface from the IP of my ADSL router (which is the WAN gateway address so is known as a config parameter I assume).

I looked at the firewall howto page (http://wiki.contribs.org/Firewall) but could not see how to achieve what I am after. Can anyone confirm/deny this?

Otherwise I suppose a custom template would be required to insert a line in to /etc/rc.d/init.d/masq?

My aim would be to create a template without any hard coded values (i.e. using the parameters stored in the database) to create a rule as follows:
source IP        : WAN gateway IP
source port      : 514? (my router appears to always use 514 as the source, but I wonder if this is necessary)
destination IP   : SME server WAN IP
destination port : 514
Type of data     : UDP

I could then add this info to the original howto.

Any thoughts or suggestions appreciated :-).

Regards, Mark Leman
« Last Edit: September 28, 2009, 06:14:46 PM by markleman »

markleman
Re: Using syslogd to log ADSL router.
« Reply #1 on: September 30, 2009, 02:21:22 AM »
I have been looking into this further and whilst it is still not yet solved, below are my notes so far. I hope I am not going about this the wrong way.

(x.x.x.x is my ADSL router address, y.y.y.y is my SME WAN IP address)

Once I have a template which correctly inserts my hard coded values I can look at using the correct variables to make it a more general solution. I'm not great at Perl so one step at a time ;)

Regards, Mark Leman

Quote
To see current iptables rules:
iptables -L --line-numbers

To add my temporary rule:
iptables -I InboundUDP 1 -i eth1 -p udp  -s x.x.x.x -d y.y.y.y --dport 514  -j ACCEPT

This works, and router log entries appear in /var/log/messages, but it is not a permanent solution because any restart of iptables will lose the rule.

To remove my temporary rule, restart iptables:
/etc/rc.d/init.d/masq restart

To see where the SME's iptables rules are set up:
more /etc/rc.d/init.d/masq

Looks like the InboundUDP part of /etc/rc.d/init.d/masq is generated by the following templates:
/etc/e-smith/templates/etc/rc.d/init.d/masq/90InboundUDP00Start
/etc/e-smith/templates/etc/rc.d/init.d/masq/90InboundUDP10filter_udp
/etc/e-smith/templates/etc/rc.d/init.d/masq/90InboundUDP50adjust_udp
/etc/e-smith/templates/etc/rc.d/init.d/masq/90InboundUDP99Finish

So I need to create a custom template in:
/etc/e-smith/templates-custom/etc/rc.d/init.d/masq/   

probably:
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/   
nano /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/90InboundUDP05allow_syslog
and entered:
{
    $OUT .= "    /sbin/iptables -A InboundUDP  -i eth1 -p udp  -s x.x.x.x -d y.y.y.y --dport 514  -j ACCEPT\n";
}

BUT when I added this, the output from it was already too late for an iptables append, so remove it and try modifying an existing template...

rm /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/90InboundUDP05allow_syslog

cp  /etc/e-smith/templates/etc/rc.d/init.d/masq/90InboundUDP00Start /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/90InboundUDP00Start
and modified it to read:

{
    # Find the current InboundUDP_$$ chain and create a new one.
    $OUT .=<<'EOF';
    OLD_InboundUDP=$(get_safe_id InboundUDP filter find)
    NEW_InboundUDP=$(get_safe_id InboundUDP filter new)
    /sbin/iptables --new-chain $NEW_InboundUDP
EOF
    $OUT .= "    /sbin/iptables -A InboundUDP  -i eth1 -p udp  -s x.x.x.x -d y.y.y.y --dport 514  -j ACCEPT\n";
    $OUT .= "    /sbin/iptables --append \$NEW_InboundUDP \\! " .
            "--destination \$OUTERNET --jump denylog\n";
}

(expand template and restart iptables - see later)

BUT this did not end up with my rule in the right order in the InboundUDP filter :-(
Not sure why. So it still needs some work.


Having created a new custom template expand it and restart iptables:
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/etc/rc.d/init.d/masq restart

Then make sure the messages are now appearing here:
tail -f -n 50 /var/log/messages
 
and not showing as blocked here:
tail -f -n 50 /var/log/iptables/current | tai64nlocal

Once this is working, look at the syslog config options and consider separating syslog traffic from the ADSL router and wireless access points into a separate logfile, making sure logrotate works on this new log.
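As an added example (not the poster's code and not a template shipped with SME Server), the following templates-custom copy of 90InboundUDP00Start appends the syslog rule to the chain the script is building, $NEW_InboundUDP, rather than to the live InboundUDP chain; the lines quoted above show the script creating $NEW_InboundUDP and appending its denylog rule there, and a rule appended to the live chain ends up after that chain is swapped out. The template variable $GatewayIP (the configuration db's WAN gateway key) and the masq script's $OUTERIF and $OUTERNET shell variables are assumptions; check them against `db configuration show` and your own /etc/rc.d/init.d/masq.

```perl
{
    # Added example: fragment for
    # /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/90InboundUDP00Start
    # Rules must go into $NEW_InboundUDP: the live InboundUDP chain is
    # replaced once the 90InboundUDP* templates have all been expanded.

    # Assumed template variable: GatewayIP from the configuration db
    # (the WAN gateway, i.e. the ADSL router). No rule is emitted unless
    # it looks like an IPv4 address, so a missing key cannot open port 514.
    my $router = defined $GatewayIP ? $GatewayIP : '';
    my $port   = 514;

    $OUT .= <<'EOF';
    OLD_InboundUDP=$(get_safe_id InboundUDP filter find)
    NEW_InboundUDP=$(get_safe_id InboundUDP filter new)
    /sbin/iptables --new-chain $NEW_InboundUDP
EOF

    if ($router =~ /^\d{1,3}(?:\.\d{1,3}){3}$/) {
        # Assumed masq shell variables: OUTERIF = WAN interface name,
        # OUTERNET = WAN address (same variable the denylog rule matches).
        # The source port is not restricted: a sender is not obliged to
        # use 514 as its source port, and nothing here depends on it.
        $OUT .= "    # syslog (UDP/514) from the ADSL router on the WAN side only\n";
        $OUT .= "    /sbin/iptables --append \$NEW_InboundUDP" .
                " --in-interface \$OUTERIF --protocol udp" .
                " --source $router --destination \$OUTERNET" .
                " --destination-port $port --jump ACCEPT\n";
    }
    else {
        $OUT .= "    # GatewayIP not set or not an IPv4 address; syslog rule skipped\n";
    }

    $OUT .= "    /sbin/iptables --append \$NEW_InboundUDP \\! " .
            "--destination \$OUTERNET --jump denylog\n";
}
```

After expanding the template and restarting masq as described above, `iptables -L InboundUDP --line-numbers` should list the ACCEPT rule before the denylog rule. UDP syslog carries no authentication, so matching on the router's source address narrows who can write to the log but cannot stop forged datagrams; log rotation and disk-usage monitoring still matter.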