[lxc-users] Logging from iptables to rsyslog inside container fails.

netritious at gmail.com
Tue Feb 14 11:27:36 UTC 2017


Hi, long-time fan of LxC and loving LxD thus far. Having a slight problem though.

Moved from an Ubuntu 14.04 amd64 (bastion/single server) to Ubuntu 16.04 amd64 host with Ubuntu 16.04 amd64 LxD/LxC container. Works!

I then proceeded to move iptables rules to container. Works!

I set up iptables logging identically to the configuration on the original 14.04 server inside the container. Fail!

The output file defined in rsyslog.conf (/var/log/iptables.log) is not being written to. I'm not sure how to debug this. I keep searching log files (kern.log, syslog, etc) and nothing about "iptables dropped: " as defined by the logging parameter in iptables.

root at www:~# cat /etc/iptables.up.rules
# Generated by iptables-save v1.6.0 on Mon Feb 13 09:05:00 2017
*filter
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT DROP [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i eth0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Allow connections to webserver
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Allow SSL connections to webserver
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Log dropped - I've tried with and without --log-level=7
-A INPUT -m limit --limit 5/second -j LOG --log-prefix "iptables dropped: "
# DROP
-A INPUT -j DROP
COMMIT
# Completed on Mon Feb 13 09:05:00 2017
# Generated by iptables-save v1.6.0 on Mon Feb 13 09:05:00 2017
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon Feb 13 09:05:00 2017
# Generated by iptables-save v1.6.0 on Mon Feb 13 09:05:00 2017
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon Feb 13 09:05:00 2017

root at www:~# cat /etc/rsyslog.conf
#  /etc/rsyslog.conf    Configuration file for rsyslog.log
......
# Using /etc/rsyslog.d/ conf files did not work in 14.04 for me.
# Haven't bothered changing with 16.04.
:msg,contains,"iptables dropped: " -/var/log/iptables.log
& ~

#
# Include all config files in /etc/rsyslog.d/
......

root at www:~# ls -l /var/log/iptables.log
-rwxrwxrwx 1 syslog adm 0 Feb 13 9:02 /var/log/iptables.log

I originally had permissions set to 600, then 660, 666, and now 777. Just trying to get the logger to write.

Also, when I just tail kern.log in the container:

root at www:~# tail /var/log/kern.log
Feb 13 09:12:41 www rsyslogd: imklog: cannot open kernel log (/proc/kmsg): Permission denied.
Feb 13 10:05:08 www rsyslogd: imklog: cannot open kernel log (/proc/kmsg): Permission denied.
......

Related?

What am I doing wrong here? What to check and how? If I need to troubleshoot or investigate dropped traffic on this particular container, how would I do that without iptables logging?

TIA
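The path the post relies on is worth spelling out, because the `kern.log` error above is the key clue rather than a side issue: the iptables `LOG` target writes through the kernel's own log (printk), so a message only reaches the `:msg,contains` filter if rsyslog's `imklog` can read the kernel log via `/proc/kmsg`. Inside a container where that open fails with "Permission denied", nothing is ever handed to the filter and the output file stays empty whatever its permissions are. In addition, kernels before 4.11 discard `LOG` output from a non-initial network namespace altogether; 4.11 added the host sysctl `net.netfilter.nf_log_all_netns` (default 0) to allow it. The practical checks are therefore `dmesg` on the host (not in the container) for the prefix, the packet counters of the `LOG` rule (`iptables -L INPUT -v -n`) to confirm it is even being hit, and, where container-local logging is needed, the `NFLOG` target with a netlink-based collector such as ulogd instead of `LOG`.

The following is an added example, not code from the post: it parses the netfilter `LOG` line format and applies the same "message contains" test that the post's rsyslog rule performs, so the expected record shape can be checked against a few constructed kernel lines that carry the post's prefix. The sample lines, hostnames and addresses are constructed; `summarize` and the other helper names are this example's own.

```python
"""Emulate the rsyslog ':msg,contains,"iptables dropped: "' filter from the
post and parse the netfilter LOG key=value format it would receive.

Added example; not part of the mailing-list post. Sample lines below are
constructed to match the kernel's LOG output as imklog hands it to rsyslog.
"""
import re
from typing import Dict, List, Optional, Tuple

PREFIX = "iptables dropped: "   # --log-prefix from the post's LOG rule

# Constructed sample: two LOG lines with the post's prefix, one unrelated
# rsyslogd message (the very error the post shows), one LOG line with a
# different prefix that the filter must ignore.
SAMPLE_LINES = [
    "Feb 13 09:12:41 www kernel: [12345.678901] iptables dropped: IN=eth0 OUT= "
    "MAC=00:16:3e:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=203.0.113.7 DST=192.0.2.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=12345 DF PROTO=TCP SPT=51234 DPT=22 "
    "WINDOW=29200 RES=0x00 SYN URGP=0",
    "Feb 13 09:12:41 www rsyslogd: imklog: cannot open kernel log (/proc/kmsg): "
    "Permission denied.",
    "Feb 13 09:12:42 www kernel: [12346.000001] iptables dropped: IN=eth0 OUT= "
    "MAC=00:16:3e:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=198.51.100.9 DST=192.0.2.10 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1",
    "Feb 13 09:12:43 www kernel: [12347.000001] other-prefix: IN=eth0 OUT= "
    "SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=7 "
    "PROTO=UDP SPT=5555 DPT=53 LEN=20",
]

# Traditional syslog line: "<Mon DD HH:MM:SS> <host> <tag>: <msg>"
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)
# Kernel messages carry a "[seconds.micros] " timestamp that rsyslog keeps in msg.
KMSG_TS = re.compile(r"^\[\s*\d+\.\d+\] ")


def syslog_msg(line: str) -> Optional[str]:
    """Return the msg property rsyslog would expose for this line, or None."""
    m = SYSLOG_HEADER.match(line)
    if m is None:
        return None
    return KMSG_TS.sub("", m.group("msg"), count=1)


def matches_rsyslog_filter(line: str, needle: str = PREFIX) -> bool:
    """Same decision as ':msg,contains,"<needle>"': a plain substring test on msg."""
    msg = syslog_msg(line)
    return msg is not None and needle in msg


def parse_nf_log(msg: str) -> Optional[Dict[str, object]]:
    """Split a netfilter LOG message into prefix, key=value fields and bare flags.

    The kernel emits the --log-prefix text followed by "IN=...", so everything
    before the first "IN=" is the prefix. Bare tokens (DF, SYN, ACK, ...) are
    flags. For TCP/UDP the kernel prints LEN twice (IP header, then transport
    header); the first occurrence is kept so LEN always means the IP length.
    """
    idx = msg.find("IN=")
    if idx < 0:
        return None
    rec: Dict[str, object] = {"prefix": msg[:idx].rstrip(), "flags": []}
    for token in msg[idx:].split():
        if "=" in token:
            key, _, value = token.partition("=")
            rec.setdefault(key, value)
        else:
            rec["flags"].append(token)  # type: ignore[union-attr]
    return rec


def summarize(lines: List[str], needle: str = PREFIX) -> List[Tuple[str, str, str]]:
    """(SRC, PROTO, DPT-or-ICMP-TYPE) for every line the rsyslog filter would pass."""
    out: List[Tuple[str, str, str]] = []
    for line in lines:
        if not matches_rsyslog_filter(line, needle):
            continue
        rec = parse_nf_log(syslog_msg(line) or "")
        if rec is None:
            continue
        port = rec.get("DPT", rec.get("TYPE", ""))
        out.append((str(rec["SRC"]), str(rec["PROTO"]), str(port)))
    return out


if __name__ == "__main__":
    for src, proto, dpt in summarize(SAMPLE_LINES):
        print(f"dropped {proto} from {src} to port/type {dpt}")
```

Feeding the block a real `/var/log/kern.log` (or `dmesg` output from the host, where the lines actually land for a container) instead of `SAMPLE_LINES` gives the same per-packet summary the post's `/var/log/iptables.log` was meant to hold; an empty result on a file that does contain `kernel:` lines means the `LOG` rule is not firing, while an empty result on a file with no `kernel:` lines at all points at the `imklog` access problem.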
