Iptables LOG rule inside a network namespace


Solution 1

As Donald mentioned, iptables LOG rules inside containers are suppressed by default.

In kernels <=4.10, this behavior could not be adjusted without patching the kernel. As agrrd mentioned, a work-around is to run ulogd in each container and use iptables NFLOG (or ULOG) rules instead of LOG rules.

However, as of kernel 4.11, running echo 1 > /proc/sys/net/netfilter/nf_log_all_netns on the host (outside of the container) will cause iptables LOG rules inside all containers to log to the host. (See this Kernel Commit.)

Solution 2

The output of iptables LOG targets from inside a network namespace is suppressed by design to prevent containers from DoSing their host by overrunning its log buffers.

commit introducing the change

relevant source code line in the current kernel

Solution 3

I was able to log iptables rules for docker containers by installing ulogd and replacing "-j LOG" with "-j ULOG". Matched packets are logged to the /var/log/ulog directory.
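The following script is an added example and is not code from the original thread or from any of its posters. It ties Solutions 1 and 3 together: it checks the running kernel release, picks plain LOG rules made visible on the host through nf_log_all_netns (kernel 4.11 and newer, Solution 1) or NFLOG rules with ulogd inside the container (older kernels, the route Solution 3 takes with the since-removed ULOG target), and rate-limits the rule with -m limit so a container cannot flood the shared host log buffer, which is the reason Solution 2 gives for the suppression. The container name, port 8080, the eth0 interface, NFLOG group 1 and the log prefix are assumptions for the example; the privileged part only runs when the script is invoked as `sudo sh netns_log.sh run <container> [port]`.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes a Linux host with
# docker, nsenter and iptables; container name/ID and port are arguments.

# nf_log_all_netns appeared in kernel 4.11: return 0 (true) when the given
# release string (e.g. the output of `uname -r`) is 4.11 or newer.
kernel_has_nf_log_all_netns() {
    ver="$1"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}          # "11-rc1" -> "11"
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 11 ]; }
}

# Pick the mechanism the thread describes for this kernel:
#   "log"   - LOG rules, made visible on the host via nf_log_all_netns=1
#   "nflog" - NFLOG rules plus ulogd running inside the container
log_strategy() {
    if kernel_has_nf_log_all_netns "$1"; then echo log; else echo nflog; fi
}

# Build the iptables rule for the chosen strategy as one argument string.
# "-m limit" is deliberate: it caps how fast one container can push entries
# into the host's log buffer. The prefix must not contain spaces (the string
# is word-split later) and LOG prefixes are limited to 29 characters.
build_rule() {
    strategy="$1"; port="$2"; tag="$3"
    common="-A OUTPUT -o eth0 -p tcp --dport $port -m limit --limit 10/min --limit-burst 20"
    case "$strategy" in
        log)   echo "$common -j LOG --log-prefix $tag:" ;;
        nflog) echo "$common -j NFLOG --nflog-group 1 --nflog-prefix $tag:" ;;
        *)     echo "unknown strategy: $strategy" >&2; return 1 ;;
    esac
}

# Install the rule inside the container's network namespace (root required).
apply_in_container() {
    ctr="$1"; port="${2:-8080}"
    strategy=$(log_strategy "$(uname -r)")
    rule=$(build_rule "$strategy" "$port" "ctr-$ctr")
    pid=$(docker inspect --format '{{.State.Pid}}' "$ctr")
    if [ "$strategy" = log ]; then
        # Host-side switch; the sysctl exists only in the initial netns.
        sysctl -w net.netfilter.nf_log_all_netns=1
        echo "watch on the host with: dmesg -w | grep ctr-$ctr"
    else
        echo "kernel < 4.11: run ulogd inside $ctr with a stack on NFLOG group 1" >&2
    fi
    # $rule is intentionally unquoted so it splits into iptables arguments.
    nsenter -n -t "$pid" iptables $rule
}

case "${1:-}" in
    run)
        [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
        [ -n "${2:-}" ] || { echo "usage: $0 run <container> [port]" >&2; exit 1; }
        apply_in_container "$2" "${3:-8080}"
        ;;
esac
```

On a 4.11+ host the LOG lines then appear in the host's kernel log (dmesg, /var/log/kern.log or journalctl -k) carrying the ctr- prefix, which is also what you grep for when checking that the rule fires; on older kernels nothing reaches the host and ulogd inside the container is the only consumer of the NFLOG group.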


Author: Francisco Gallego Salido

Updated on September 18, 2022

Comments

  • Francisco Gallego Salido
    Francisco Gallego Salido over 1 year

    I'm trying to setup iptables rules for a docker container. I'm using nsenter to execute the iptables command inside of the container's network namespace:

    # log access to port 8080 ($ID holds the container name or ID)
    PID=$(docker inspect --format "{{.State.Pid}}" $ID)
    /home/ubuntu/nsenter -n -t $PID iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 8080 -j LOG

    This approach works perfectly except for LOG rules. Those don't seem to log anywhere. Note that the same rule applied to the host system works and logs to /var/log/kern.log.

    Where can I find the output of those log rules? Is this a known issue/limitation of network namespaces?

    • Francisco Gallego Salido
      Francisco Gallego Salido almost 9 years
      Update: I tried NFLOG instead but it still won't work
    • c4f4t0r
      c4f4t0r almost 9 years
      I did a test using a docker container based on CentOS 7 and it works; the host is a CentOS. The same test with an Ubuntu 15.04 host and an Ubuntu 12.04.5 container doesn't work. Anyway, you need to be sure the syslog is running on your host.
    • Francisco Gallego Salido
      Francisco Gallego Salido almost 9 years
      I'm using Debian wheezy as a host and Ubuntu 14.04 in a container. There it doesn't work. I'm wondering what is different there.
    • gucki
      gucki over 8 years
      Did you find a solution to this?
  • gucki
    gucki over 8 years
    It's also not working when not using docker at all, but netns manually from the command line.
  • Phillipp
    Phillipp over 7 years
    Did you install ulogd on the host (gives no output from the rule) or inside the container (which does not start)?
  • Phillipp
    Phillipp over 7 years
    You'd need /proc/kmsg or /dev/kmsg and docker effectively prevents you from mounting that in the container.