Logging in LXC Logging One problem I ran into is that access to kernel logging is limited or unavailable from inside of a LXC container. For some usecases (like netfilter 's LOG action) any logging that happens in a LXC container will be blackholed and not recorded anywhere without a change on the host. Most often the solution to these permission/security problems is to find a way to allow access to these things from userspace. ulogd2 I solved the netfilter LOG problem by simply using ulogd2 to replace kernel logging with userspace logging. After installing and configuring ulogd2 I just replaced any references to LOG with NFLOG in my netfilter/iptables rules. Don't worry if this doesn't make sense right now I'll talk about this more in the Firewall Setup section. ulogd is a userspace logging daemon for netfilter/iptables related logging. This includes per-packet logging of security violations, per-packet logging for accounting, per-flow logging and flexible user-defined accounting. Installation apt install ulogd2 Configuration To get the output I wanted I had to edit the ulogd2 config… # /etc/ulogd2.conf - stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU + #stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU ... + stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,firewall:LOGEMU + stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,firewall:LOGEMU + stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,firewall:LOGEMU + + [firewall] + file="/var/log/ulog/firewall.log" + sync=1 Connection Tracking Similarly to netfilter logging connection tracking in a LXC container is more limited due to not having access to the host's /proc/ filesystem. But I can install conntrack to provide a way to see connection tracking from userspace. conntrack The conntrack utilty provides a full featured userspace interface to the Netfilter connection tracking system that is intended to replace the old /proc/net/ip_conntrack interface. This tool can be used to search, list, inspect and maintain the connection tracking subsystem of the Linux kernel. Installation apt install conntrack