netfilter/iptable logging

There are two ways to get netfilter logging working for guests that run in their own network namespaces. One is to simply turn it on at the host, even though it is off by default for security reasons (a guest could otherwise flood the host's kernel log). The other, and better, way is to use user space logging, which doesn't carry the same restriction because it doesn't write into the host's kernel log at all. Besides user space logging being the better security practice, anything that means mucking around on the host machine less is better in my opinion, so I'd always recommend logging from user space.

Method 1: Userspace Logging (on guest)

Install ulogd2

apt install ulogd2

Replace LOG in rules with NFLOG

- -A INPUT -j LOG
+ -A INPUT -j NFLOG

Source: lxadm.com
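As an added example (not from the original page or from lxadm.com), the POSIX shell function below rewrites an iptables-save dump so that every LOG target becomes an NFLOG target, carrying --log-prefix over as --nflog-prefix and dropping the LOG-only options that have no NFLOG equivalent. The NFLOG group number is a parameter, and the ruleset at the bottom is constructed for illustration.

```shell
#!/bin/sh
# Added example: rewrite iptables LOG targets as NFLOG so matches are handed
# to ulogd2 over netlink instead of the (namespace-restricted) kernel log.
# Option mapping: --log-prefix -> --nflog-prefix. LOG-only options with no
# NFLOG counterpart (--log-level, --log-uid, --log-tcp-sequence,
# --log-tcp-options, --log-ip-options, --log-macdecode) are removed.

# Usage: log_to_nflog [group] < rules.txt   (group defaults to 0)
log_to_nflog() {
    grp="${1:-0}"
    sed -E \
        -e "s/-j LOG( |\$)/-j NFLOG --nflog-group ${grp}\\1/" \
        -e 's/--log-prefix/--nflog-prefix/' \
        -e 's/ --log-level [^ ]+//' \
        -e 's/ --log-(uid|tcp-sequence|tcp-options|ip-options|macdecode)//g'
}

# Constructed sample ruleset in iptables-save format. The LOGDROP chain is
# left alone: only the exact "-j LOG" target is rewritten.
sample_rules='*filter
:INPUT DROP [0:0]
:LOGDROP - [0:0]
-A INPUT -m conntrack --ctstate INVALID -j LOGDROP
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "input-drop: " --log-level 4 --log-uid
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "invalid: "
-A LOGDROP -j DROP
COMMIT'

printf '%s\n' "$sample_rules" | log_to_nflog 1
# On a real host: iptables-save | log_to_nflog 1 | iptables-restore
```

The group you pass must match the group ulogd2 is configured to listen on; the rewrite itself only touches the target and its options, so chains, matches and counters survive a round trip through iptables-restore.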

Method 2: Enable Logging In Namespaces (on host)

Logging from network namespaces other than the init namespace has been disabled since kernel 3.10, in order to prevent host kernel log flooding from inside a container.

If you have kernel >= 4.11 or one with commit 2851940ffee3 ("netfilter: allow logging from non-init namespaces") backported, you can enable netfilter logging from other network namespaces by...

sysctl net.netfilter.nf_log_all_netns=1

Source: lxc-users.linuxcontainers.narkive.com

This will enable all netfilter (the nf part in nf_log_all_netns) logging from namespaces until the next reboot. It can also be enabled persistently using one of the following methods…

Option 1: Always On with sysctl.conf

Add a single line to sysctl.conf so the setting gets applied at boot.

echo "net.netfilter.nf_log_all_netns = 1" >> /etc/sysctl.conf

Option 2: On Demand with Snippets (for Proxmox only)

Add a bash script to use as a snippet.

# /var/lib/vz/snippets/nf_log_all_netns.sh
#!/bin/bash
# Proxmox calls a hookscript with the container ID as $1 and the phase as $2.
case $2 in
  pre-start)
    echo "[pre-start]"
    echo -e "\tEnabling netfilter namespace logging."
    echo -e "\t$(sysctl net.netfilter.nf_log_all_netns=1)"
    ;;
  pre-stop)
    echo "[pre-stop]"
    echo -e "\tDisabling netfilter namespace logging."
    echo -e "\t$(sysctl net.netfilter.nf_log_all_netns=0)"
    ;;
esac

Then attach the "hookscript" to that container. If your container ID were 100, it would look like this (note that the sysctl is host-wide, so the pre-stop branch turns logging off for every other container as well):

$ pct set 100 -hookscript local:snippets/nf_log_all_netns.sh
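As an added example, not part of the original page, the script below checks the two preconditions for Method 2 before you edit sysctl.conf or attach the hookscript: whether the running kernel is at least 4.11, and the current state of net.netfilter.nf_log_all_netns. Because the commit can be backported to older kernels, the presence of /proc/sys/net/netfilter/nf_log_all_netns is the authoritative test and the version comparison is only a hint. The optional file argument on the state function is an assumption made here so the function can be exercised on a constructed file.

```shell
#!/bin/sh
# Added example: preflight checks for nf_log_all_netns (not from the page).

# kver_ge VERSION MIN -> succeeds if VERSION (uname -r style, e.g.
# 4.9.0-8-amd64) is at least MIN ("major.minor"). Only major.minor compared.
kver_ge() {
    have_major=${1%%.*}
    case "$1" in
        *.*) have_minor=$(printf '%s' "${1#*.}" | sed 's/[^0-9].*//') ;;
        *)   have_minor=0 ;;
    esac
    want_major=${2%%.*}
    want_minor=${2#*.}
    [ "$have_major" -gt "$want_major" ] ||
        { [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; }
}

# nf_log_all_netns_state [FILE] -> prints "absent", "disabled" or "enabled".
# FILE defaults to the real sysctl file; passing another path is for testing.
# "absent" means the kernel does not expose the sysctl (no 4.11+ and no backport).
nf_log_all_netns_state() {
    f="${1:-/proc/sys/net/netfilter/nf_log_all_netns}"
    if [ ! -r "$f" ]; then
        echo absent
    elif [ "$(cat "$f")" = "1" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Report for the running host.
running=$(uname -r)
if kver_ge "$running" 4.11; then
    echo "kernel $running: >= 4.11, nf_log_all_netns should be available"
else
    echo "kernel $running: < 4.11, needs commit 2851940ffee3 backported"
fi
echo "nf_log_all_netns is currently: $(nf_log_all_netns_state)"
```

Run it on the host, not in the guest: inside the container the sysctl is either missing or read-only, and the value that matters is the host's.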