netfilter/iptable logging

Logging from network namespaces other than init has been disabled since kernel 3.10 in order to prevent host kernel log flooding from inside a container.

Source: lxc-users.linuxcontainers.narkive.com

There are two ways to get logging working on guests running in Namespaces. The first is to simply enable it on even though it is off by default due to the security concerns mentioned above. The second and better way is to use User space logging which doesn't carry the same restrictions because it doesn't interact with Kernel space in the same way. Besides the User space logging method being the best security practice, anytime it is possible to modify the host machine less it is better in my opinion.

Method 1: Userspace Logging (on guest)

Install ulogd2

apt install ulogd2

Replace LOG in any iptable/netfilter rules with NFLOG

- -A INPUT -j LOG
+ -A INPUT -j NFLOG

Source: lxadm.com

Method 2: Enable Logging In Namespaces (on host)

Logging from network namespaces other than init has been disabled since kernel 3.10 in order to prevent host kernel log flooding from inside a container.

If you have kernel >= 4.11 or one with commit 2851940ffee3 ("netfilter: allow logging from non-init namespaces") backported, you can enable netfilter logging from other network namespaces by...

sysctl net.netfilter.nf_log_all_netns=1

Source: lxc-users.linuxcontainers.narkive.com

This will enable all netfilter (the nf part in nf_log_all_netns) logging from namespaces until the next reboot. It can also be enabled persistently using one of the following methods…

Option 1: Always On with sysctl.conf

Add a single line to sysctl.conf so the setting gets applied at boot.

echo "net.netfilter.nf_log_all_netns = 1" >> /etc/sysctl.conf

Option 2: On Demand with Snippets (for Proxmox only)

Add a bash script to use as a snippet.

# /var/lib/vz/snippets/nf_log_all_netns.sh
+ #!/bin/bash
+ 
+ case $2 in
+   pre-start)
+     echo "[pre-start]"
+     echo -e "\tEnabling netfilter namespace logging."
+     echo -e "\t$(sysctl net.netfilter.nf_log_all_netns=1)"
+     ;;
+   pre-stop)
+     echo "[pre-stop]"
+     echo -e "\tDisabling netfilter namespace logging."
+     echo -e "\t$(sysctl net.netfilter.nf_log_all_netns=0)"
+     ;;
+ esac

Then add the "hookscript" to that container. If your container ID was 100 it would look like

$ pct set 100 -hookscript local:snippets/nf_log_all_netns.sh

Revision #4
Created Sat, Mar 20, 2021 5:05 PM by dustin@swigg.net
Updated Tue, Apr 13, 2021 11:54 AM by dustin@swigg.net