[lxc-users] lxc-security: iptables audit with nflog not working with default settings (insecure)

Fajar A. Nugraha list at fajar.net
Wed Mar 11 11:44:07 UTC 2015


On Wed, Mar 11, 2015 at 5:48 PM, Fiedler Roman <Roman.Fiedler at ait.ac.at> wrote:
> Hello list,
>
> Has someone managed to get reliable network traffic auditing with LXC up and
> running? That means, that it is possible to write a protocol of e.g. every
> new connection from and to host.
>
> On my setup (Ubuntu Trusty), both host and guest may have different iptables
> rulesets. But the guest NFLOG messages are lost completely, those from host
> are sometimes sent to the ulogd in the guest (time-race), so the host log is
> not trustworthy also.
>
> What could be the best solution to get trustworthy logs with LXC?

Try something like this on the host:

echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
iptables -I FORWARD 1 -d 192.168.124.173 -j NFLOG --nflog-group 0 --nflog-prefix lxc-v
iptables -I FORWARD 1 -s 192.168.124.173 -j NFLOG --nflog-group 0 --nflog-prefix lxc-v

With the default ulogd2 setup on ubuntu 14.10 (which already includes
rules for nflog-group 0 logging to a file) you should then be able to
get something like this when the container (192.168.124.173) pings
another container (192.168.124.134):

# tail -f /var/log/ulog/syslogemu.log
Mar 11 18:40:49 utopic lxc-v IN=br0 OUT=br0 MAC=00:16:3e:2e:d2:6d:00:16:3e:f5:cd:94:08:00 SRC=192.168.124.173 DST=192.168.124.134 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=10868 DF PROTO=ICMP TYPE=8 CODE=0 ID=1916 SEQ=2 MARK=0
Mar 11 18:40:49 utopic lxc-v IN=br0 OUT=br0 MAC=00:16:3e:f5:cd:94:00:16:3e:2e:d2:6d:08:00 SRC=192.168.124.134 DST=192.168.124.173 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=46525 PROTO=ICMP TYPE=0 CODE=0 ID=1916 SEQ=2 MARK=0


You might only be missing the "bridge-nf-call-iptables" part. Note
that you shouldn't need it IF you use a custom lxc network setup which
doesn't use bridges:
https://www.mail-archive.com/lxc-users@lists.linuxcontainers.org/msg02587.html

-- 
Fajar
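Added example (not part of the thread, and not Fajar's or the LXC project's code): the host-side setup above, wrapped into three shell functions a practitioner can check before touching a production host. `bridge_nf_enabled` verifies the sysctl Fajar says is the usual missing piece, `nflog_rules` prints (does not run) the two FORWARD rules for a given container address, and `summarize_ulog` reduces ulogd's syslogemu lines to one "prefix src dst proto" tuple per packet so the host log can be counted per container. The function names and the `demo` argument are assumptions; the sample log lines are constructed from the two records shown in the reply.

```shell
#!/bin/sh
# Added example, not from the original thread. The helper names are assumed;
# nothing here modifies the running firewall unless you pipe nflog_rules to sh.

# Return 0 when bridged frames are handed to iptables, 1 otherwise. Without
# this, container traffic on br0 never reaches the FORWARD chain and the
# NFLOG rules below silently log nothing. The optional argument lets a test
# point the check at a fake sysctl file.
bridge_nf_enabled() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Print the two iptables commands that log every packet to and from one
# container address (the rules from the reply, parameterised). Printing
# rather than executing lets the rules be reviewed first.
nflog_rules() {
    ip="$1"; prefix="${2:-lxc-v}"; group="${3:-0}"
    echo "iptables -I FORWARD 1 -d $ip -j NFLOG --nflog-group $group --nflog-prefix $prefix"
    echo "iptables -I FORWARD 1 -s $ip -j NFLOG --nflog-group $group --nflog-prefix $prefix"
}

# Reduce syslogemu lines on stdin to "prefix src dst proto" tuples.
# Field 5 is the --nflog-prefix (after month, day, time, hostname);
# the remaining KEY=VALUE fields are scanned positionally.
summarize_ulog() {
    awk '{
        src = ""; dst = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
        }
        if (src != "") print $5, src, dst, proto
    }'
}

# Constructed sample: the two ICMP records from the reply, one per line.
SAMPLE_LOG='Mar 11 18:40:49 utopic lxc-v IN=br0 OUT=br0 MAC=00:16:3e:2e:d2:6d:00:16:3e:f5:cd:94:08:00 SRC=192.168.124.173 DST=192.168.124.134 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=10868 DF PROTO=ICMP TYPE=8 CODE=0 ID=1916 SEQ=2 MARK=0
Mar 11 18:40:49 utopic lxc-v IN=br0 OUT=br0 MAC=00:16:3e:f5:cd:94:00:16:3e:2e:d2:6d:08:00 SRC=192.168.124.134 DST=192.168.124.173 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=46525 PROTO=ICMP TYPE=0 CODE=0 ID=1916 SEQ=2 MARK=0'

# Usage: sh audit.sh demo   (shows the rules and the parsed sample)
if [ "${1:-}" = "demo" ]; then
    if bridge_nf_enabled; then
        echo "bridge-nf-call-iptables is 1"
    else
        echo "bridge-nf-call-iptables is not 1: NFLOG rules would see no bridged traffic"
    fi
    nflog_rules 192.168.124.173
    printf '%s\n' "$SAMPLE_LOG" | summarize_ulog | sort | uniq -c
fi
```

On a real host, `summarize_ulog < /var/log/ulog/syslogemu.log | sort | uniq -c` gives a per-pair packet count, which is enough to spot a container talking to an address it should not. The check in `bridge_nf_enabled` is the one to run first when the log stays empty.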