iptables on openwrt router: logging connections to a host from clients on the same subnet

4

I am trying to set up an auto wake-on-LAN setup using my router that is running OpenWRT 14.07, Barrier Breaker. My idea is that the router monitors any connection attempts to the host I want to wake up and, in the case it registers such an event, it sends the magic packet to wake the host. I have been trying to do this using iptables to write any such connection attempt to a log-file, which I could then check from another script. For iptables I arrived at this rule:

iptables -I FORWARD 1 -d 192.168.1.20 -p tcp -j LOG --log-prefix "WAKE_UP_EVENT"

192.168.1.20 is the fixed IP of the host I want to wake. I could then use logread in a bash script to monitor the logs and send the magic packet if it finds WAKE_UP_EVENT. Something like that anyway.

While this works fine when trying to connect using SSH from a client outside of my home network (e.g. the internet), it does not work for clients on the same subnet as the host inside my home network. If I understand correctly, the reason for this is that the FORWARD rule is for any packets that "pass" iptables, but in this case the packets stay within the same network and have no(?) contact with iptables.

So two questions:

1) Is my understanding of the behavior correct?

2) Is there any way of achieving what I am trying to do, be it with iptables or another way?

I have been trying to get this working for 4 hours to no avail and without finding helpful information. Hope somebody can give me some helpful input. Thanks in advance!

packoman

Posted 2015-06-14T01:23:17.410

Reputation: 193
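The "logread in a script" idea from the question, written out as an added example (this is not code from the original post). It assumes the LOG rule from the question is installed, that the etherwake package is present on the router to send the magic packet, that the LAN bridge is br-lan, and it uses a constructed placeholder MAC. The sample log lines are constructed to match logread's format; note that the --log-prefix in the question has no trailing space, so the prefix runs straight into the IN= field, and the matcher allows for that. The cooldown is there so a burst of SYN retries does not send a magic packet per packet.

```shell
#!/bin/sh
# Added example, not from the original question: follow the router log for the
# LOG rule in the question and send a wake-on-LAN magic packet when it fires.
# Assumes this rule is installed on the router:
#   iptables -I FORWARD 1 -d 192.168.1.20 -p tcp -j LOG --log-prefix "WAKE_UP_EVENT"
# and that the etherwake package is installed (assumption, not mentioned in the thread).

TARGET_IP="192.168.1.20"        # fixed address of the host, from the question
TARGET_MAC="00:11:22:33:44:55"  # constructed placeholder; replace with the real MAC
LOG_PREFIX="WAKE_UP_EVENT"      # --log-prefix from the question
LAN_IF="br-lan"                 # default OpenWrt LAN bridge (assumption)
COOLDOWN=60                     # seconds between wake attempts (assumption)

# Constructed sample log lines in logread's format. The prefix in the question
# has no trailing space, so it runs straight into the "IN=" field.
SAMPLE_HIT='Sun Jun 14 09:00:01 2015 kern.warn kernel: WAKE_UP_EVENTIN=br-lan OUT=br-lan SRC=192.168.1.50 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=40000 DPT=22'
SAMPLE_MISS='Sun Jun 14 09:00:02 2015 kern.info kernel: br-lan: port 1(eth0.1) entered forwarding state'

# Return 0 when a log line is a LOG hit for TARGET_IP, 1 otherwise. Matching on
# the prefix and " DST=<ip> " together keeps other kernel messages (and other
# addresses sharing the same digits) from waking the host.
is_wake_event() {
    case "$1" in
        *"$LOG_PREFIX"*" DST=$TARGET_IP "*) return 0 ;;
    esac
    return 1
}

# Pull the SRC= address out of a hit, so the wake-up can be logged with who asked.
wake_event_src() {
    printf '%s\n' "$1" | sed -n 's/.*SRC=\([0-9.]*\) .*/\1/p'
}

# Rate limit: wake only if at least COOLDOWN seconds passed since the last try
# ($1 = last wake time, $2 = now, both in epoch seconds).
should_wake() {
    [ $(($2 - $1)) -ge "$COOLDOWN" ]
}

send_magic_packet() {
    # etherwake puts the magic packet straight on the LAN segment.
    etherwake -i "$LAN_IF" "$TARGET_MAC"
}

# Follow the log and react. Runs forever; start it from /etc/rc.local or an init script.
monitor() {
    last=0
    logread -f | while read -r line; do
        is_wake_event "$line" || continue
        now=$(date +%s)
        should_wake "$last" "$now" || continue
        last=$now
        logger -t wol-watch "waking $TARGET_IP on request from $(wake_event_src "$line")"
        send_magic_packet
    done
}

# Only start the loop when invoked as "wol-watch.sh run", so the functions can
# be sourced and checked without touching logread.
if [ "${1:-}" = "run" ]; then
    monitor
fi
```

Run it as `sh wol-watch.sh run &` on the router; everything it does is visible with `logread | grep wol-watch`.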

Answers

3

By default bridged traffic doesn't hit iptables. You can enable it in /etc/sysctl.conf:

# disable bridge firewalling by default
net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=1

Then reload the settings:

sysctl -p

Ref: OpenWRT: Netfilter/Nftables

Brian

Posted 2015-06-14T01:23:17.410

Reputation: 8 439

First of all: thanks. Unfortunately, after changing the option it still does not work. The behavior is as before. I checked the configuration using sysctl -a | grep net.bridge.bridge-nf-call-iptables and it outputs three lines:

net.bridge.bridge-nf-call-iptables = 1
sysctl: error reading key 'net.ipv4.route.flush': Permission denied
sysctl: error reading key 'net.ipv6.route.flush': Permission denied

So it appears to set it. Not sure if the errors are relevant. Looking at http://wiki.openwrt.org/doc/howto/netfilter I did not find anything else. I even rebooted. Any other suggestions?

– packoman – 2015-06-14T09:09:58.113

I just found this, which states that "Unlike OpenWrt, the stock Ubuntu kernels already have CONFIG_BRIDGE_NETFILTER support compiled in..." and that the kernel must be compiled with the CONFIG_BRIDGE_NETFILTER option. So this suggests that I would need to recompile the kernel. On the other hand I am guessing that setting the sysctl option should fail if the kernel was not compiled with the CONFIG_BRIDGE_NETFILTER option. Does anyone know if this is still accurate? The article is from 2011...

– packoman – 2015-06-14T09:19:41.910

Might be ARP related - if local systems can't discover the MAC address of the target system they won't send any IP packets. You can add a static ARP entry on the router to get around this. – Brian – 2015-06-14T14:04:39.617

You were spot on: it is ARP related. When the host is turned on it now works and the requests from inside the home network show up in the iptables logs. Which is great! Unfortunately I haven't found a solution yet for solving the ARP issue though. Following this, the host (turned off) shows up in the ARP table when running arp. But the client still does not appear to send any packets. I have accepted your answer, since it is the solution for the original issue. If you have a suggestion for the ARP issue, I would be grateful. Many thanks!

– packoman – 2015-06-14T18:04:21.507
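Two router-side checks that follow from the answer and the comments above, as an added example that is not part of the answer or of any comment. The first covers the sysctl from the answer and the CONFIG_BRIDGE_NETFILTER question raised afterwards: if the kernel exposes no /proc/sys/net/bridge directory at all, it was built without bridge netfilter (on kernels 3.18 and later the same symptom means the br_netfilter module is not loaded), and nothing in /etc/sysctl.conf can change that. The second checks for the static ARP entry suggested in the comments. One caveat on that entry: a neighbour entry on the router only affects frames the router itself sends, such as traffic it forwards from the internet; a client on the same subnet still resolves the MAC with its own ARP request, which a powered-off host cannot answer, so that client never emits the IP packet the LOG rule would see. This is consistent with the last comment. The sysctl directory is a parameter so the check runs offline; the MAC is a constructed placeholder, and br-lan and the availability of `ip neigh` in the router's busybox are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer or comments: check the two
# router-side prerequisites this thread turns on. The sysctl directory is a
# parameter so the check can be exercised offline; the MAC is a placeholder.

TARGET_IP="192.168.1.20"        # fixed address of the host, from the question
TARGET_MAC="00:11:22:33:44:55"  # constructed placeholder; replace with the real MAC
LAN_IF="br-lan"                 # default OpenWrt LAN bridge (assumption)

# Report bridge-netfilter state from the sysctl directory (/proc/sys/net/bridge
# on a real router). Prints one of: enabled, disabled, missing.
# "missing" means the kernel exposes no bridge-nf sysctls at all, i.e. it was
# built without CONFIG_BRIDGE_NETFILTER (on kernels 3.18 and later it may
# instead be that br_netfilter is not loaded); sysctl.conf cannot fix that.
bridge_nf_status() {
    f="${1:-/proc/sys/net/bridge}/bridge-nf-call-iptables"
    if [ ! -r "$f" ]; then
        echo missing
        return 1
    fi
    if [ "$(cat "$f")" = "1" ]; then
        echo enabled
    else
        echo disabled
        return 1
    fi
}

# Read `ip neigh show` output on stdin; succeed only if TARGET_IP has a
# permanent (static) entry carrying TARGET_MAC. Works with or without the
# "dev <if>" column that iproute2 omits when a dev filter is given.
has_static_arp() {
    grep -q "^$TARGET_IP .*lladdr $TARGET_MAC .*PERMANENT"
}

# Install the static entry suggested in the comments (assumes busybox ip neigh).
add_static_arp() {
    ip neigh replace "$TARGET_IP" lladdr "$TARGET_MAC" nud permanent dev "$LAN_IF"
}

# Run both checks against the live system and report; returns 1 if anything is off.
preflight() {
    rc=0
    case "$(bridge_nf_status)" in
        enabled)  echo "bridge-nf: ok, iptables sees bridged LAN traffic" ;;
        disabled) echo "bridge-nf: off; set net.bridge.bridge-nf-call-iptables=1 and run sysctl -p"; rc=1 ;;
        *)        echo "bridge-nf: no sysctl present; kernel lacks bridge netfilter support"; rc=1 ;;
    esac
    if ip neigh show dev "$LAN_IF" | has_static_arp; then
        echo "arp: static entry for $TARGET_IP present"
    else
        echo "arp: no static entry for $TARGET_IP (add_static_arp installs one)"
        rc=1
    fi
    return $rc
}

# Only touch the live system when invoked as "preflight.sh run".
if [ "${1:-}" = "run" ]; then
    preflight
fi
```

On the router, `sh preflight.sh run` prints one line per check; a "missing" bridge-nf result is the case where the comments' suggestion of a kernel rebuild applies, while "disabled" just needs the sysctl from the answer.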