Logging LAN traffic with ebtables-iptables-ddwrt


Goal

I am trying to log internal (eth0 -> eth0 [via br0]) traffic to syslog on DD-WRT.

Problem

Bridged traffic is not seen by iptables. The same traffic is also not visible via ebtables.

Things I Tried

I would post what I have already tried, but I have basically tried everything; quick recap:

insmod ebt*  #load all ebtables and extensions

echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables

ebtables -t nat -A PREROUTING --logical-in br0 -p ipv4 -j redirect --redirect-target ACCEPT

add logging[as first rule] to all tables and chains of both ebtables and iptables

"trick" iptables by redirecting "bridged" traffic to the network layer

SETUP (basically stock DD-WRT v3):

br0 = eth0[lan] + ath0[wlan]

no static route

no STP

What I Want

EDIT:
I want to log all traffic from 192.168.2.3 (lan/eth0/br0) to 192.168.2.4 (lan/eth0/br0), basically anything BETWEEN devices on eth0 (lan ports).

[I can log all other traffic crossing the bridge, from lan to wan and vice versa. After reviewing the logs I did in fact have this working very briefly via some combination of ebtables and iptables (example output:

2016-XX-XXTXX:XX:41-XX:00 XXXXX kernel: [  XXX.850000] ACCEPT_ebt IN=br0 OUT=br0 MAC=XXXXXXXXXXXXXXXXXX SRC=192.168.2.12 DST=192.168.2.16 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=35259 DF PROTO=TCP SPT=45879 DPT=22 etc....
)]

Point me in the right direction

Tell me what I'm doing wrong

Tell me how to achieve this

lsmod

Module                  Size  Used by
ebt_802_3                708  0 
ebt_among               2116  0 
ebt_arp                 1572  0 
ebt_arpreply            1060  0 
ebt_dnat                 804  0 
ebt_ip                  1252  0 
ebt_limit                948  0 
ebt_log                 2100  0 
ebt_mark                 692  0 
ebt_mark_m               628  0 
ebt_nflog                660  0 
ebt_pkttype              580  0 
ebt_redirect             868  0 
ebt_snat                 852  0 
ebt_stp                 1780  0 
ebt_ulog                2724  0 
ebt_vlan                 916  0 
ebtable_broute           756  0 
ebtable_filter           916  0 
ebtable_nat              916  0 
ebtables               14253  3 ebtable_broute,ebtable_filter,ebtable_nat

route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.11.AA.BB     0.0.0.0         UG    0      0        0 ppp0
10.11.AA.BB     *               255.255.255.255 UH    0      0        0 ppp0
10.137.0.0      SerVer          255.255.0.0     UG    0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
169.254.0.0     *               255.255.0.0     U     0      0        0 br0
192.168.2.0     *               255.255.255.0   U     0      0        0 br0

codemonk113

Posted 2016-04-26T18:33:28.453

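To check whether log lines in the format shown above actually contain LAN-to-LAN traffic once a logging rule fires, here is an added example (not from the question or from DD-WRT) that parses the netfilter/ebtables KEY=VALUE log format and classifies each line against the 192.168.2.0/24 LAN; the sample lines, hostnames and addresses are constructed.

```python
import ipaddress
import re
# Constructed sample lines in the shape DD-WRT's kernel logger writes for ebtables/iptables
# --log rules (the question shows one real line; addresses and timestamps here are made up).
SAMPLE_LOG = """\
2016-04-27T20:47:41-07:00 router kernel: [  123.850000] ACCEPT_ebt IN=br0 OUT=br0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.3 DST=192.168.2.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=35259 DF PROTO=TCP SPT=45879 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
2016-04-27T20:47:42-07:00 router kernel: [  124.100000] ACCEPT_ebt IN=br0 OUT=ppp0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.12 DST=93.184.216.34 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=50000 DPT=443
2016-04-27T20:47:43-07:00 router kernel: [  124.200000] IN=ppp0 OUT=br0 SRC=93.184.216.34 DST=192.168.2.12 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=2 PROTO=TCP SPT=443 DPT=50000
2016-04-27T20:47:44-07:00 router dnsmasq[123]: DHCPACK(br0) 192.168.2.4
"""

LAN = ipaddress.ip_network("192.168.2.0/24")   # the LAN from the question
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")       # KEY=VALUE tokens the netfilter logger emits
PREFIX_RE = re.compile(r"\]\s+(.*?)\s*IN=")        # text between the uptime stamp and IN= is the --log-prefix

def parse_log_line(line):
    """Return a dict of the KEY=VALUE fields (plus PREFIX) for a netfilter/ebtables
    log line, or None for any other syslog line."""
    if " kernel: " not in line or "SRC=" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    m = PREFIX_RE.search(line)
    fields["PREFIX"] = m.group(1) if m else ""
    return fields

def classify(fields, lan=LAN):
    """Classify a parsed line by where SRC and DST sit relative to the LAN prefix."""
    try:
        src = ipaddress.ip_address(fields["SRC"])
        dst = ipaddress.ip_address(fields["DST"])
    except (KeyError, ValueError):
        return "unknown"
    in_src, in_dst = src in lan, dst in lan
    if in_src and in_dst:
        return "lan-to-lan"
    if in_src:
        return "lan-to-wan"
    if in_dst:
        return "wan-to-lan"
    return "transit"

def lan_to_lan_flows(text, lan=LAN):
    """Return (src, dst, proto, sport, dport) for every LAN-to-LAN line; empty means only bridge-leaving traffic was logged."""
    flows = []
    for line in text.splitlines():
        f = parse_log_line(line)
        if f and classify(f, lan) == "lan-to-lan":
            flows.append((f["SRC"], f["DST"], f.get("PROTO"), f.get("SPT"), f.get("DPT")))
    return flows
```

Run it over the router's syslog output: a consistently empty result while LAN hosts are talking to each other is the symptom the question describes, and points at the frames never reaching the kernel rather than at the rules.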


This isn't exactly what you are looking for, but will get you to the same place: https://www.dd-wrt.com/wiki/index.php/Network_traffic_analysis_with_netflow_and_ntop

– Argonauts – 2016-04-26T23:55:31.227

Thank you Argonauts, unfortunately rflow is not available in this build.

– codemonk113 – 2016-04-27T20:47:40.777

If you are still looking for help, could you provide a little more context? Specifically, are you looking to log all traffic that crosses from lan to wan, lan to lan AND wan to lan, or those two + a vpn or other traffic? The way I read it, it sounds like you want everything. – Argonauts – 2016-04-27T21:59:30.140

@Argonauts updated with more info, I can log everything EXCEPT lan to lan, which is what I'm trying to accomplish.

– codemonk113 – 2016-04-27T22:52:04.383

Answers


If by "devices on eth0" you mean an integrated hardware switch that gives you the usual four LAN ports on routers and a fifth port that shows up as eth0 on the SoC, then you cannot do it that way, because the traffic stays in the hardware switch, never enters the SoC, and never appears on eth0 or br0.

Depending on the hardware you have, you may be able to use swconfig to expose the actual switch ports as network interfaces to the kernel (e.g. VLAN interfaces eth0.1 to eth0.4). Then you can add all of those to br0, and log traffic (and this configuration will also have significantly less bandwidth compared to the hardware switch).

But not all hardware supports this.

dirkt

Posted 2016-04-26T18:33:28.453
