I have added the following rules to my firewall (/etc/connman/firewall.conf):
IPv4.INPUT.RULES = -j DROP; -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "INPUT-DROP: "; -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; -i lo -j ACCEPT
It seems like the --log-prefix flag makes the rule ignorable to the parser. If I remove it, the rule is added to ConnMan. Otherwise the second rule is dismissed. Any ideas why?
1 Like
I’m suspecting it’s to do with the quotes.
Try using one of:
- single quotes
- backslash-escaped double quotes
- backslash-escaping the space and using no quotes at all
Another possible, more likely reason: the LOG target is not supported by the kernel.
On my device, SFOS 3.3.0.16 with kernel 4.9.213, the config shows the following:
root@device # zcat /proc/config.gz | grep TARGET | grep LOG
# CONFIG_NETFILTER_XT_TARGET_LOG is not set
CONFIG_NETFILTER_XT_TARGET_NFLOG=y
So try using -j NFLOG instead of -j LOG. Note that nflog needs an nflog group set as well as the prefix, so you’ll have to figure out which ones work.
In general:
iptables --foo --stuff -j NFLOG --nflog-group 2 --nflog-prefix "IPTABLES-LOG: "
2 Likes
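The check suggested in the reply above (grep the kernel config for the LOG/NFLOG target symbols, then pick the matching target) as a small script. This is an added example, not code from the thread or from ConnMan; the nflog group number 2 and the rate-limit match are taken from the posts, and the sample config text is constructed to mirror the zcat output quoted above.

```shell
#!/bin/sh
# Added example: choose an iptables logging target from the kernel config
# symbols CONFIG_NETFILTER_XT_TARGET_LOG / CONFIG_NETFILTER_XT_TARGET_NFLOG
# and build the matching rate-limited rule for ConnMan's IPv4.INPUT.RULES.

# Constructed sample that mirrors the output quoted in the reply above
# (LOG target not built, NFLOG built in).
SAMPLE_CFG='# CONFIG_NETFILTER_XT_TARGET_LOG is not set
CONFIG_NETFILTER_XT_TARGET_NFLOG=y'

# pick_log_target: reads kernel config text on stdin, prints LOG, NFLOG or none.
# Both =y (built in) and =m (module) count as available.
pick_log_target() {
    cfg=$(cat)
    if printf '%s\n' "$cfg" | grep -q '^CONFIG_NETFILTER_XT_TARGET_LOG=[ym]'; then
        echo LOG
    elif printf '%s\n' "$cfg" | grep -q '^CONFIG_NETFILTER_XT_TARGET_NFLOG=[ym]'; then
        echo NFLOG
    else
        echo none
    fi
}

# build_log_rule TARGET PREFIX [GROUP]: prints one rule fragment, rate-limited
# the same way as in the original post. GROUP (default 2, as in the reply)
# is only used for NFLOG. Returns 1 when no logging target is available.
build_log_rule() {
    target=$1
    prefix=$2
    group=${3:-2}
    base='-m limit --limit 5/minute --limit-burst 10'
    case "$target" in
        LOG)   printf '%s -j LOG --log-prefix "%s"\n' "$base" "$prefix" ;;
        NFLOG) printf '%s -j NFLOG --nflog-group %s --nflog-prefix "%s"\n' "$base" "$group" "$prefix" ;;
        *)     echo "no LOG/NFLOG target in this kernel" >&2; return 1 ;;
    esac
}

# Demo on the constructed sample: on a real device replace the printf with
#   zcat /proc/config.gz | pick_log_target
target=$(printf '%s\n' "$SAMPLE_CFG" | pick_log_target)
echo "kernel offers: $target"
build_log_rule "$target" "INPUT-DROP: " 2
```

The printed fragment is meant to be pasted in place of the LOG rule in the IPv4.INPUT.RULES line; whether ConnMan's parser accepts the quoted prefix is exactly the open question in this thread, so the script only settles which target the kernel can execute.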
Thank you for the answers.
Unfortunately, none of your suggestions concerning quotes worked.
The LOG target is mentioned in Jolla’s documentation about the firewall, so I assume it should be supported. But I will try NFLOG too.
Based on testing, the --log-level parameter causes the same behavior. So, do any of the parameters of the LOG target work?
This rule works:
IPv4.INPUT.RULES = -j DROP; -m limit --limit 5/minute --limit-burst 10 -j LOG; -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; -i lo -j ACCEPT
But, for example, this one does not:
IPv4.INPUT.RULES = -j DROP; -m limit --limit 5/minute --limit-burst 10 -j LOG --log-level info --log-prefix "INPUT-DROP: "; -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; -i lo -j ACCEPT