RouterOS CHR设置防火墙log日志规则记录所有非DNS的连接请求

文章目录[隐藏]

前言
RouterOS配置

前言

由于监管需要以及对abuse的取证需求，需要记录下用户所有的连接请求，以备不时之需。

RouterOS配置

设置日志

首先在IP>Firewall>NAT中，选择已有的masquerade规则（只选择需要记录的规则，其他的如DNS之类的可以排除在外），在action中勾选log，并设置prefix前缀为nat

然后在System>Logging>Actions中新增一个natlog，type选择disk，filename写自己要存的位置和名称前缀，例如我这里存在挂载盘disk1/nat_log下：

最后只要在System>Logging>Rules中新增规则，Topic选Firewall，Prefix写nat，Action是natlog。
完成后效果如下：

点击展开



jan/17/2021 19:35:40 firewall,info nat: nat srcnat: in:(unknown 0) out:ether2, src-mac 2e:7f:1c:e3:a9:18, proto

19:43:03 echo: firewall,info nat: nat srcnat: in:(unknown 0) out:ether2, src-mac 2e:7f:1c:e3:a9:18, proto UDP, 

10.0.0.3:51258->1.1.1.1:53, NAT 10.0.0.3:51258->(213.133.98.98:53->1.1.1.1:53), len 73

19:43:03 echo: firewall,info nat: nat srcnat: in:(unknown 0) out:ether2, src-mac 2e:7f:1c:e3:a9:18, proto UDP, 

10.0.0.3:43433->1.1.1.1:53, NAT 10.0.0.3:43433->(213.133.98.98:53->1.1.1.1:53), len 60

19:43:03 echo: firewall,info nat: nat srcnat: in:(unknown 0) out:ether2, src-mac 2e:7f:1c:e3:a9:18, proto UDP, 

10.0.0.3:49361->1.1.1.1:53, len 61

19:43:03 echo: firewall,info nat: nat srcnat: in:(unknown 0) out:ether2, src-mac 2e:7f:1c:e3:a9:18, proto UDP, 

10.0.0.3:55716->1.1.1.1:53, len 61

19:43:06 echo: firewall,info nat: nat srcnat: in:(unknown 0) out:ether2, src

10.0.0.3:48121->1.1.1.1:53, len 72

19:43:07 echo: firewall,info nat: nat srcnat: in:(unknown 0) out:ether2, src

10.0.0.3:36238->1.1.1.1:53, NAT 10.0.0.3:36238->(213.133.98.98:53->1.1.1.1:5

19:43:07 echo: firewall,info nat: nat srcnat: in:(unknown 0) out:ether2, src

10.0.0.3:43510->1.1.1.1:53, len 73

19:43:07 echo: firewall,info nat: nat srcnat: in:(unknown 0) out:ether2, src

10.0.0.3:38589->1.1.1.1:53, len 71

19:43:07 echo: firewall,info nat: nat srcnat: in:(unknown 0) out:ether2, src

10.0.0.3:59520->1.1.1.1:53, len 71

19:43:08 echo: firewall,info nat: nat srcnat: in:(unknown 0) out:ether2, src

10.0.0.3:55957->1.1.1.1:53, NAT 10.0.0.3:55957->(213.133.98.98:53->1.1.1.1:5

19:43:08 echo: firewall,info nat: nat srcnat: in:(unknown 0) out:ether2, src

10.0.0.3:55026->1.1.1.1:53, len 61

19:43:08 echo: firewall,info nat: nat srcnat: in:(unknown 0) out:ether2, src

10.0.0.3:42986->1.1.1.1:53, len 61

19:43:09 echo: firewall,info nat: nat srcnat: in:(unknown 0) out:ether2, src

10.0.0.3:48052->1.1.1.1:53, NAT 10.0.0.3:48052->(213.133.98.98:53->1.1.1.1:5

19:43:09 echo: firewall,info nat: nat srcnat: in:(unknown 0) out:ether2, src

10.0.0.3:59710->1.1.1.1:53, NAT 10.0.0.3:59710->(213.133.98.98:53->1.1.1.1:5

19:43:09 echo: firewall,info nat: nat srcnat: in:(unknown 0) out:ether2, src

10.0.0.3:55766->1.1.1.1:53, NAT 10.0.0.3:55766->(213.133.98.98:53->1.1.1.1:5

19:43:14 echo: firewall,info nat: nat srcnat: in:(unknown 0) out:ether2, src-mac 2e:7f:1c:e3:a9:18, proto UDP

, 10.0.0.3:47882->1.1.1.1:53, NAT 10.0.0.3:47882->(213.133.98.98:53->1.1.1.1:53), len 72

19:43:15 echo: firewall,info nat: nat srcnat: in:(unknown 0) out:ether2, src-mac 2e:7f:1c:e3:a9:18, proto UDP

, 10.0.0.3:42274->1.1.1.1:53, len 61

19:43:15 echo: firewall,info nat: nat srcnat: in:(unknown 0) out:ether2, src-mac 2e:7f:1c:e3:a9:18, proto UDP

, 10.0.0.3:42562->1.1.1.1:53, len 61

19:43:18 echo: firewall,info nat: nat srcnat: in:(unknown 0) out:ether2, src-mac 2e:7f:1c:e3:a9:18, proto UDP

, 10.0.0.3:45822->1.1.1.1:53, NAT 10.0.0.3:45822->(213.133.98.98:53->1.1.1.1:53), len 61

设置DNS代理（可选）并排除在日志外

可以看到DNS查询通常会高频的出现，而且这个查询也没啥好记录的，所以直接排除在日志之外即可。
首先是全部强制解析到1.1.1.1：



/ip firewall nat add chain=dstnat action=dst-nat to-addresses=1.1.1.1 to-ports=53 protocol=udp dst-port=53

然后设置masquerade规则，将udp 53的所有流量排除在日志之外：



ip firewall nat add chain=srcnat dst-port=53 protocol=udp src-address=10.0.0.0/8 action=masquerade log=no

搞定！

This article is under CC BY-NC-SA 4.0 license.
Please quote the original link：https://www.liujason.com/article/1137.html