[lxc-users] per container iptables logging

Tamas Papp tompos at martos.bme.hu
Mon Sep 8 14:59:35 UTC 2014


Try ulog.

T


On September 8, 2014 4:36:04 PM Tom Weber <l_lxc-users at mail2news.4t2.com> 
wrote:

> I use containers with a veth setup like this:
>
> lxc.network.type = veth
> lxc.network.link = br0
> lxc.network.veth.pair = vcont1
> lxc.network.name = eth0
> lxc.network.flags = up
> lxc.network.ipv4 = 192.168.xx.xx/24
> lxc.network.ipv4.gateway = 192.168.xx.xx
> [...]
> lxc.hook.mount = /var/lib/lxc/vcont1/firewall/start
> [...]
> lxc.cap.drop = sys_admin
> lxc.cap.drop = net_admin
> [...]
>
> in the lxc.hook.mount script I set up some firewalling rules for the
> specific container.
> I want to enforce an IP setup for the container which can't be changed
> from inside.
>
> All of this works fine, BUT there's one thing missing:
> my per container firewall script is supposed to setup logging of
> dropped/rejected packets:
>
> I=/sbin/iptables
> [...]
> ${I} -A INPUT -j LOG --log-level info --log-prefix "DROP:${LXC_NAME} " 
> --log-uid
> ${I} -A INPUT -j DROP
> ${I} -A OUTPUT -j LOG --log-level info --log-prefix "REJECT:${LXC_NAME} " 
> --log-uid
> ${I} -A OUTPUT -j REJECT
>
> yet I cant find these log entries anywhere. neither on the host nor in
> the container (not dropping caps doesn't change anything).
>
> I guess that's namespace related somehow, but I have no idea where to
> start or what to try next.
>
> Regards,
>   Tom
>
>
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users




More information about the lxc-users mailing list