The reason I need to log the port forwarding is for audit purposes.
You are asking for a list of IPs that have been authorized via port forwarding.
/sbin/iptables -I PORTFWACCESS -m limit --limit 10/minute -j LOG --log-prefix "PORTFWACCESS"
The commands you are using will log more than just the first packet (as I explained in my first post).
However I have not been able to get this to work. I've entered this at the command line, put it in the /etc/rc.d/rc.firewall script, and rc.firewall.local script, with no luck.
From the command line, you should be using just
iptables -I ...
Add the command via the commandline FIRST and make sure it is working before adding it to any scripts.
I've also tried tracing how IPCop creates new port forward rules from the GUI, and found that it does not use the iptables command directly, but uses an executable called setportfw.
This script is used to reset the port forwarding based on the port forwarding config file.
I've managed to generate more questions than answers. So my list now looks like this:
1. How do I log port forwards? What is the specific syntax to use?
2. Where do I put this syntax? What file, and where?
3. What other inbound firewall events are not being logged?
1. The syntax you were using should work (test from the command line without the /sbin/ part at the beginning).
2. If you are going to be using the web interface, the port forwarding script will reset all forwarding access each time you make a change (i.e. removing old ports not being used, adding new ports, etc). Once it is working via the command line, add it to rc.firewall.local.
3. IPCOP works similarly to any other consumer router. Inbound traffic that is allowed (i.e. port forwarding, external access, VPNs on IPCOP) is not logged. Attempts to access a closed port are logged. What other access is there for inbound traffic?
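An added example of what the advice above amounts to when put in rc.firewall.local. This is not code from any post in this thread or from IPCop itself. It assumes IPCop calls /etc/rc.d/rc.firewall.local with start, stop or reload, that PORTFWACCESS is the filter chain setportfw rebuilds, and that the installed iptables predates -C, so the rule is looked for in the -L listing instead. Two things differ from the one-liner posted earlier: the target is spelled LOG (iptables target names are case-sensitive, so -j Log fails to load), and -m state --state NEW is added so only the first packet of each forwarded connection is logged rather than every packet under the rate limit. The log prefix is chosen without spaces so the rule can be built as a plain string.

```shell
#!/bin/sh
# Added example for /etc/rc.d/rc.firewall.local on IPCop (assumed start|stop|reload
# interface). Logs the first packet of each new port-forwarded connection by
# inserting a LOG rule at the top of PORTFWACCESS, ahead of the ACCEPT rules
# setportfw writes. LOG is non-terminating, so forwarding continues as before.

CHAIN="PORTFWACCESS"
PREFIX="PORTFWACCESS:"         # no spaces, so the rule can be passed as one string
LIMIT="10/minute"
IPTABLES="${IPTABLES:-/sbin/iptables}"   # overridable so the functions can be exercised without root

# Rule match and target, shared by insert (-I) and delete (-D) so both stay identical.
rule_spec() {
    echo "$CHAIN -m state --state NEW -m limit --limit $LIMIT --limit-burst 5 -j LOG --log-prefix $PREFIX"
}

# Assumed pre-1.4.11 iptables without -C: detect our rule by its log prefix in the
# chain listing. The listing quotes the prefix with " or `, so match any one character.
rule_present() {
    "$IPTABLES" -L "$CHAIN" -n 2>/dev/null | grep -q "prefix .$PREFIX"
}

# Idempotent: running start twice (or after a GUI change that kept the rule) adds nothing.
add_rule() {
    rule_present && return 0
    # shellcheck disable=SC2046  # word splitting of rule_spec is intended
    "$IPTABLES" -I $(rule_spec)
}

remove_rule() {
    rule_present || return 0
    # shellcheck disable=SC2046
    "$IPTABLES" -D $(rule_spec)
}

case "$1" in
    start)  add_rule ;;
    stop)   remove_rule ;;
    reload) remove_rule; add_rule ;;
    "")     ;;   # no argument: only define the functions (used when sourced or tested)
    *)      echo "Usage: $0 {start|stop|reload}" >&2 ;;
esac
```

Because setportfw rebuilds PORTFWACCESS whenever a forward is added or removed in the GUI, the LOG rule disappears with it; rerun `/etc/rc.d/rc.firewall.local reload` after such a change, or check with `iptables -L PORTFWACCESS -n` that the LOG line is still first. The resulting kernel log entries carry the prefix and the usual IN=, SRC=, DST= and DPT= fields, which is the per-connection audit record asked for.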