[lxc-users] per container iptables logging
Tom Weber
l_lxc-users at mail2news.4t2.com
Mon Sep 8 14:27:54 UTC 2014
I use containers with a veth setup like this:
lxc.network.type = veth
lxc.network.link = br0
lxc.network.veth.pair = vcont1
lxc.network.name = eth0
lxc.network.flags = up
lxc.network.ipv4 = 192.168.xx.xx/24
lxc.network.ipv4.gateway = 192.168.xx.xx
[...]
lxc.hook.mount = /var/lib/lxc/vcont1/firewall/start
[...]
lxc.cap.drop = sys_admin
lxc.cap.drop = net_admin
[...]
in the lxc.hook.mount script I set up some firewalling rules for the
specific container.
I want to enforce an IP setup for the container which can't be changed
from inside.
All of this works fine, BUT there's one thing missing:
my per container firewall script is supposed to set up logging of
dropped/rejected packets:
I=/sbin/iptables
[...]
${I} -A INPUT -j LOG --log-level info --log-prefix "DROP:${LXC_NAME} " --log-uid
${I} -A INPUT -j DROP
${I} -A OUTPUT -j LOG --log-level info --log-prefix "REJECT:${LXC_NAME} " --log-uid
${I} -A OUTPUT -j REJECT
yet I can't find these log entries anywhere, neither on the host nor in
the container (not dropping caps doesn't change anything).
I guess that's namespace related somehow, but I have no idea where to
start or what to try next.
Regards,
Tom
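As an added example (not part of Tom's post and not LXC's own code): once the LOG lines do reach a kernel log, the "DROP:${LXC_NAME} " / "REJECT:${LXC_NAME} " prefixes set in the hook script make it easy to attribute each logged packet to a container. The parser below reads lines in the format netfilter's LOG target emits and aggregates them per container, action and destination port. The sample log lines, container names and addresses in it are constructed for the example. (On current kernels, LOG output from a non-initial network namespace only reaches the host's kernel log when the net.netfilter.nf_log_all_netns sysctl is enabled; that is an assumption about the kernel in use, not something the post states.)

```python
import re
from collections import Counter, defaultdict

# Constructed sample kernel log lines mimicking netfilter's LOG target output,
# with the "DROP:<name> " / "REJECT:<name> " prefixes from the hook script.
SAMPLE_LOG = """\
Sep  8 14:20:01 host kernel: [ 1234.567890] DROP:vcont1 IN=vcont1 OUT= MAC=fe:ed:12:34:56:78:02:42:ac:11:00:02:08:00 SRC=203.0.113.9 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Sep  8 14:20:02 host kernel: [ 1235.123456] REJECT:vcont1 IN= OUT=vcont1 SRC=192.168.0.10 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Sep  8 14:20:03 host kernel: [ 1236.000001] DROP:vcont2 IN=vcont2 OUT= SRC=203.0.113.9 DST=192.168.0.11 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=1
Sep  8 14:20:04 host kernel: [ 1237.000002] Other unrelated kernel message
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

# The prefix is "<ACTION>:<container> " followed by netfilter's KEY=VALUE fields.
LINE_RE = re.compile(r'(?P<action>DROP|REJECT):(?P<container>\S+)\s+(?P<fields>.*)$')


def parse_log_line(line):
    """Parse one LOG line carrying a DROP:/REJECT: prefix into a dict.

    Returns None for lines that do not carry such a prefix. Valueless tokens
    (DF, SYN, ACK, ...) are collected under 'flags'. For keys that repeat
    (ICMP lines carry the IP ID= and then the ICMP ID=), the first value wins.
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {'action': m.group('action'), 'container': m.group('container'), 'flags': []}
    for token in m.group('fields').split():
        key, sep, value = token.partition('=')
        if not sep:
            rec['flags'].append(token)
        elif key not in rec:
            rec[key] = value
    return rec


def summarize(lines):
    """Count logged packets per (container, action) and per destination port.

    With --log-uid, UID=/GID= only appear on locally generated packets, i.e.
    the OUTPUT-chain REJECT lines; the returned 'uids' map records which
    container UIDs produced rejected traffic.
    """
    per_container = Counter()
    per_port = defaultdict(Counter)
    uids = defaultdict(set)
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        per_container[(rec['container'], rec['action'])] += 1
        if 'DPT' in rec:
            per_port[rec['container']][(rec.get('PROTO'), int(rec['DPT']))] += 1
        if 'UID' in rec:
            uids[rec['container']].add(int(rec['UID']))
    return per_container, per_port, uids


def report(lines=SAMPLE_LINES):
    """Render the summary as text; returns the same tuple summarize() does."""
    per_container, per_port, uids = summarize(lines)
    for (container, action), n in sorted(per_container.items()):
        print(f"{container:10s} {action:7s} {n}")
    for container, ports in sorted(per_port.items()):
        for (proto, dpt), n in ports.most_common():
            print(f"  {container} {proto}/{dpt}: {n}")
    for container, ids in sorted(uids.items()):
        print(f"  {container} rejected output from UIDs: {sorted(ids)}")
    return per_container, per_port, uids


if __name__ == '__main__':
    report()
```

Feed it `journalctl -k` or /var/log/kern.log output instead of SAMPLE_LINES to check, per container, whether the LOG rules fire at all and which ports the dropped traffic targets.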