netfilter/iptable logging
Logging from network namespaces other than init has been disabled since kernel 3.10 in order to prevent host kernel log flooding from inside a container.
Source: lxc-users.linuxcontainers.narkive.com
There are two ways to get logging working on guests running in namespaces. The first is to simply enable it on the host, even though it is off by default due to the security concerns mentioned above. The second and better way is to use userspace logging, which doesn't carry the same restrictions because it doesn't interact with kernel space in the same way. Besides the userspace logging method being the better security practice, modifying the host machine as little as possible is always preferable in my opinion, so I'd always recommend logging from userspace.
Method 1: Userspace Logging (on guest)
Install ulogd2
apt install ulogd2
Replace the LOG target in any iptables/netfilter rules with NFLOG:

```diff
- -A INPUT -j LOG
+ -A INPUT -j NFLOG
```
Source: lxadm.com
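Converting a whole ruleset by hand is error-prone because the LOG options do not carry over one-to-one. The following shell function is an added example (not from the original page or the ulogd2 project) that rewrites iptables-save style rules from LOG to NFLOG: it maps --log-prefix to --nflog-prefix, attaches the NFLOG group that the ulogd2 NFLOG input plugin listens on (the group number is a parameter; the sample rules and the group value 2 are constructed for the demo), and drops LOG-only options such as --log-level that NFLOG does not accept.

```bash
#!/usr/bin/env bash
# Added example: rewrite iptables rules from the kernel LOG target to NFLOG so
# that ulogd2 can collect them in userspace inside a container.

# convert_log_rules GROUP  (reads rules on stdin, writes converted rules on stdout)
#   -j LOG                -> -j NFLOG --nflog-group GROUP
#   --log-prefix "..."    -> --nflog-prefix "..."
#   --log-level N         -> removed (NFLOG has no syslog level)
#   --log-tcp-*/--log-ip-options/--log-uid/--log-macdecode -> removed (LOG only)
# GROUP must match the group= setting of the NFLOG input in ulogd.conf.
convert_log_rules() {
    local group="${1:-}"
    case "$group" in
        ''|*[!0-9]*) echo "usage: convert_log_rules <nflog-group>" >&2; return 1 ;;
    esac
    # Match "-j LOG" only when followed by a space or end of line so that
    # targets merely starting with LOG are left alone.
    sed -E \
        -e "s/-j LOG( |\$)/-j NFLOG --nflog-group $group\\1/" \
        -e 's/--log-prefix/--nflog-prefix/g' \
        -e 's/ --log-level +[A-Za-z0-9]+//g' \
        -e 's/ --log-(tcp-sequence|tcp-options|ip-options|uid|macdecode)//g'
}

# Constructed sample ruleset (iptables-save format) used to demonstrate the conversion.
SAMPLE_RULES='-A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "inv: " --log-level 4
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -j LOG --log-prefix "fwd: " --log-tcp-options
-A INPUT -j LOG'

# demo: convert the sample ruleset to NFLOG group 2 and return the result.
demo() {
    printf '%s\n' "$SAMPLE_RULES" | convert_log_rules 2
}

# count_kernel_log_rules: number of rules still using the LOG target after
# conversion; a non-zero count means some rule was not rewritten.
count_kernel_log_rules() {
    grep -c -E -- '-j LOG( |$)' || true
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    demo
    printf 'remaining LOG rules: %s\n' "$(demo | count_kernel_log_rules)"
fi
```

To convert a live ruleset, feed `iptables-save` through `convert_log_rules` and review the output before loading it with `iptables-restore`.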
Method 2: Enable Logging In Namespaces (on host)
If you have kernel >= 4.11 or one with commit 2851940ffee3 ("netfilter: allow logging from non-init namespaces") backported, you can enable netfilter logging from other network namespaces by running:

```sh
sysctl net.netfilter.nf_log_all_netns=1
```
Source: lxc-users.linuxcontainers.narkive.com
This will enable all netfilter (the nf part in nf_log_all_netns) logging from namespaces until the next reboot. It can also be enabled persistently using one of the following methods.
Option 1: Always On with sysctl.conf
Add a single line to sysctl.conf so the setting gets applied at boot:

```sh
echo "net.netfilter.nf_log_all_netns = 1" >> /etc/sysctl.conf
```
Option 2: On Demand with Snippets (for Proxmox only)
Add a bash script to use as a snippet, for example /var/lib/vz/snippets/nf_log_all_netns.sh:

```bash
#!/bin/bash
# Proxmox runs a hookscript as: <script> <ctid> <phase>
# $1 is the container ID, $2 is the phase (pre-start, post-start, pre-stop, post-stop).
case $2 in
    pre-start)
        echo "[pre-start]"
        echo -e "\tEnabling netfilter namespace logging."
        echo -e "\t$(sysctl net.netfilter.nf_log_all_netns=1)"
        ;;
    pre-stop)
        echo "[pre-stop]"
        echo -e "\tDisabling netfilter namespace logging."
        # The sysctl is host-wide: stopping this container also disables
        # namespace logging for every other container on the host.
        echo -e "\t$(sysctl net.netfilter.nf_log_all_netns=0)"
        ;;
esac
```
Then add the hookscript to that container. If your container ID was 100, it would look like:

```sh
$ pct set 100 -hookscript local:snippets/nf_log_all_netns.sh
```