Iptables: LOG target not working in LXD containers

From lxadm | Linux administration tips, tutorials, HOWTOs and articles

If you're using LXD, you may be surprised that packets are not being logged by iptables' LOG target. Or not really surprised: the LOG target writes to the kernel log, and LXD containers are deliberately restricted in their access to various kernel functions, for security reasons.

A workaround is to use the NFLOG target together with ulogd2:

apt install ulogd2


So if your rules looked like this:

(...)
-A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG


then just change the LOG target to NFLOG:

(...)
-A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j NFLOG
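Real rulesets usually carry LOG options such as --log-prefix and --log-level, which NFLOG does not accept as-is. The following Python snippet is an added example (not part of the original article or of ulogd2) that rewrites an iptables-save dump from LOG to NFLOG: --log-prefix becomes --nflog-prefix so existing prefixes remain searchable, LOG-only options are dropped, and --nflog-group 0 is set explicitly. Group 0 is the iptables default and the group the stock ulogd.conf NFLOG stack listens on; that last point is an assumption to check against your own ulogd.conf.

```python
import shlex

# LOG options that have no NFLOG counterpart. Those in the first set take a
# value argument; those in the second are boolean switches.
LOG_OPTS_WITH_VALUE = {"--log-level"}
LOG_OPTS_NO_VALUE = {
    "--log-tcp-sequence", "--log-tcp-options",
    "--log-ip-options", "--log-uid", "--log-macdecode",
}


def _quote(token: str) -> str:
    """Quote a token the way iptables-save does (double quotes) when needed."""
    return f'"{token}"' if (token == "" or " " in token) else token


def convert_rule(rule: str, group: int = 0) -> str:
    """Rewrite one iptables-save rule line from '-j LOG' to '-j NFLOG'.

    Rules that do not jump to LOG are returned unchanged.
    """
    tokens = shlex.split(rule)
    if "-j" not in tokens:
        return rule
    j = tokens.index("-j")
    if j + 1 >= len(tokens) or tokens[j + 1] != "LOG":
        return rule

    # Assumption: NFLOG group 0 matches the default ulogd2 NFLOG stack.
    out = tokens[: j + 1] + ["NFLOG", "--nflog-group", str(group)]
    i = j + 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "--log-prefix" and i + 1 < len(tokens):
            out += ["--nflog-prefix", tokens[i + 1]]   # keep the prefix text
            i += 2
        elif tok in LOG_OPTS_WITH_VALUE:
            i += 2                                      # drop option + value
        elif tok in LOG_OPTS_NO_VALUE:
            i += 1                                      # drop boolean option
        else:
            out.append(tok)                             # unrelated token, keep
            i += 1
    return " ".join(_quote(t) for t in out)


def convert_ruleset(text: str) -> str:
    """Convert every rule in an iptables-save dump; comments, table headers
    (*filter) and chain policies (:INPUT ...) pass through untouched."""
    return "\n".join(
        convert_rule(line) if line.startswith("-A ") else line
        for line in text.splitlines()
    )


if __name__ == "__main__":
    # Constructed sample dump for demonstration.
    sample = """*filter
:INPUT DROP [0:0]
-A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "iptables denied: " --log-level 4
COMMIT"""
    print(convert_ruleset(sample))
```

Feed it the output of iptables-save and pass the result to iptables-restore; compare the two dumps first, since the only lines that should differ are those that jumped to LOG.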

ulogd2 will then write the logs to the /var/log/ulog/ directory, e.g.:

Apr 29 17:32:03 web1  IN=eth0 OUT= MAC=00:16:3e:e2:60:96:c8:60:00:df:05:06:08:00 SRC=92.0.152.255 DST=1.2.3.102 LEN=40 TOS=00 PREC=0x00 TTL=244 ID=394 PROTO=TCP SPT=43745 DPT=23 SEQ=38969 ACK=0 WINDOW=14600 SYN URGP=0 MARK=0 
Apr 29 17:32:15 web1  IN=eth0 OUT= MAC=00:16:3e:e2:60:96:c8:60:00:df:05:06:08:00 SRC=218.5.65.218 DST=1.2.3.100 LEN=40 TOS=00 PREC=0x00 TTL=241 ID=50323 PROTO=TCP SPT=36924 DPT=23 SEQ=2584662722 ACK=0 WINDOW=1024 SYN URGP=0 MARK=0 
Apr 29 17:34:01 web1  IN=eth0 OUT= MAC=00:16:3e:e2:60:96:c8:60:00:df:05:06:08:00 SRC=183.158.92.122 DST=1.2.3.100 LEN=40 TOS=00 PREC=0x00 TTL=51 ID=41292 PROTO=TCP SPT=36250 DPT=23 SEQ=2990523236 ACK=0 WINDOW=41138 SYN URGP=0 MARK=0 
Apr 29 17:34:44 web1  IN=eth0 OUT= MAC=00:16:3e:e2:60:96:c8:60:00:df:05:06:08:00 SRC=125.77.194.178 DST=1.2.3.100 LEN=40 TOS=00 PREC=0x00 TTL=114 ID=256 PROTO=TCP SPT=51645 DPT=8080 SEQ=3367829504 ACK=0 WINDOW=16384 SYN URGP=0 MARK=0 
Apr 29 17:34:44 web1  IN=eth0 OUT= MAC=00:16:3e:e2:60:96:c8:60:00:df:05:06:08:00 SRC=125.77.194.178 DST=1.2.3.102 LEN=40 TOS=00 PREC=0x00 TTL=114 ID=256 PROTO=TCP SPT=51857 DPT=8080 SEQ=3381723136 ACK=0 WINDOW=16384 SYN URGP=0 MARK=0 
Apr 29 17:34:57 web1  IN=eth0 OUT= MAC=00:16:3e:e2:60:96:c8:60:00:df:05:06:08:00 SRC=122.129.75.46 DST=1.2.3.100 LEN=40 TOS=00 PREC=0x00 TTL=246 ID=36128 PROTO=TCP SPT=58137 DPT=23 SEQ=343428691 ACK=0 WINDOW=1024 SYN URGP=0 MARK=0 
Apr 29 17:35:16 web1  IN=eth0 OUT= MAC=00:16:3e:e2:60:96:c8:60:00:df:05:06:08:00 SRC=31.163.142.66 DST=1.2.3.102 LEN=40 TOS=00 PREC=0x00 TTL=56 ID=33541 PROTO=TCP SPT=63487 DPT=23 SEQ=2990523238 ACK=0 WINDOW=58863 SYN URGP=0 MARK=0 
Apr 29 17:35:40 web1  IN=eth0 OUT= MAC=00:16:3e:e2:60:96:c8:60:00:df:05:06:08:00 SRC=190.74.245.134 DST=1.2.3.100 LEN=40 TOS=00 PREC=0x00 TTL=52 ID=25273 PROTO=TCP SPT=7185 DPT=23 SEQ=2990523236 ACK=0 WINDOW=58745 SYN URGP=0 MARK=0 
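Once the packets land in a file instead of the kernel log, the natural next step is to do something with them. The Python script below is an added example (not from the article or from ulogd2) that parses the key=value format ulogd2's LOGEMU output writes, as shown in the lines above, and summarises unsolicited TCP SYNs by destination port and by source. The sample input embeds the lines from the article plus one constructed UDP line, so the script runs offline; the field names are the standard ones the kernel packet logger emits.

```python
import re
from collections import Counter, defaultdict

# Sample input: the lines shown in the article, plus one constructed UDP line
# (the last one) to exercise the protocol filter.
SAMPLE_LOG = """\
Apr 29 17:32:03 web1  IN=eth0 OUT= MAC=00:16:3e:e2:60:96:c8:60:00:df:05:06:08:00 SRC=92.0.152.255 DST=1.2.3.102 LEN=40 TOS=00 PREC=0x00 TTL=244 ID=394 PROTO=TCP SPT=43745 DPT=23 SEQ=38969 ACK=0 WINDOW=14600 SYN URGP=0 MARK=0
Apr 29 17:32:15 web1  IN=eth0 OUT= MAC=00:16:3e:e2:60:96:c8:60:00:df:05:06:08:00 SRC=218.5.65.218 DST=1.2.3.100 LEN=40 TOS=00 PREC=0x00 TTL=241 ID=50323 PROTO=TCP SPT=36924 DPT=23 SEQ=2584662722 ACK=0 WINDOW=1024 SYN URGP=0 MARK=0
Apr 29 17:34:01 web1  IN=eth0 OUT= MAC=00:16:3e:e2:60:96:c8:60:00:df:05:06:08:00 SRC=183.158.92.122 DST=1.2.3.100 LEN=40 TOS=00 PREC=0x00 TTL=51 ID=41292 PROTO=TCP SPT=36250 DPT=23 SEQ=2990523236 ACK=0 WINDOW=41138 SYN URGP=0 MARK=0
Apr 29 17:34:44 web1  IN=eth0 OUT= MAC=00:16:3e:e2:60:96:c8:60:00:df:05:06:08:00 SRC=125.77.194.178 DST=1.2.3.100 LEN=40 TOS=00 PREC=0x00 TTL=114 ID=256 PROTO=TCP SPT=51645 DPT=8080 SEQ=3367829504 ACK=0 WINDOW=16384 SYN URGP=0 MARK=0
Apr 29 17:34:44 web1  IN=eth0 OUT= MAC=00:16:3e:e2:60:96:c8:60:00:df:05:06:08:00 SRC=125.77.194.178 DST=1.2.3.102 LEN=40 TOS=00 PREC=0x00 TTL=114 ID=256 PROTO=TCP SPT=51857 DPT=8080 SEQ=3381723136 ACK=0 WINDOW=16384 SYN URGP=0 MARK=0
Apr 29 17:34:57 web1  IN=eth0 OUT= MAC=00:16:3e:e2:60:96:c8:60:00:df:05:06:08:00 SRC=122.129.75.46 DST=1.2.3.100 LEN=40 TOS=00 PREC=0x00 TTL=246 ID=36128 PROTO=TCP SPT=58137 DPT=23 SEQ=343428691 ACK=0 WINDOW=1024 SYN URGP=0 MARK=0
Apr 29 17:35:16 web1  IN=eth0 OUT= MAC=00:16:3e:e2:60:96:c8:60:00:df:05:06:08:00 SRC=31.163.142.66 DST=1.2.3.102 LEN=40 TOS=00 PREC=0x00 TTL=56 ID=33541 PROTO=TCP SPT=63487 DPT=23 SEQ=2990523238 ACK=0 WINDOW=58863 SYN URGP=0 MARK=0
Apr 29 17:35:40 web1  IN=eth0 OUT= MAC=00:16:3e:e2:60:96:c8:60:00:df:05:06:08:00 SRC=190.74.245.134 DST=1.2.3.100 LEN=40 TOS=00 PREC=0x00 TTL=52 ID=25273 PROTO=TCP SPT=7185 DPT=23 SEQ=2990523236 ACK=0 WINDOW=58745 SYN URGP=0 MARK=0
Apr 29 17:36:02 web1  IN=eth0 OUT= MAC=00:16:3e:e2:60:96:c8:60:00:df:05:06:08:00 SRC=203.0.113.9 DST=1.2.3.100 LEN=48 TOS=00 PREC=0x00 TTL=57 ID=1 PROTO=UDP SPT=5353 DPT=161 LEN=28 MARK=0
"""

# "<syslog timestamp> <hostname>  <key=value fields and bare TCP flags>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+)\s+(?P<body>.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line: str):
    """Turn one LOGEMU line into a dict of fields; bare TCP flag words are
    collected in rec['flags']. Returns None for lines in another format."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "flags": set()}
    for tok in m.group("body").split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            rec[key] = value          # later duplicate keys (e.g. LEN) win
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
    return rec


def summarize(lines):
    """Count initial TCP SYNs (SYN set, ACK clear) per destination port and
    record which destination addresses each source touched."""
    syn_by_port = Counter()
    dst_by_src = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.get("PROTO") != "TCP":
            continue
        if "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
            syn_by_port[int(rec["DPT"])] += 1
            dst_by_src[rec["SRC"]].add(rec["DST"])
    return syn_by_port, dst_by_src


def multi_target_sources(dst_by_src, min_targets: int = 2):
    """Sources whose SYNs reached at least min_targets distinct addresses,
    a simple indicator of horizontal sweeping across the logged hosts."""
    return sorted(src for src, dsts in dst_by_src.items() if len(dsts) >= min_targets)


if __name__ == "__main__":
    ports, sources = summarize(SAMPLE_LOG.splitlines())
    for port, n in ports.most_common():
        print(f"dport {port}: {n} SYN(s)")
    print("sources hitting several hosts:", multi_target_sources(sources))
```

Point it at /var/log/ulog/syslogemu.log (or whatever file your ulogd.conf names) instead of SAMPLE_LOG to run it on live data; the LEN key appears twice on UDP lines (IP length, then UDP length), which is why the parser simply keeps the last value.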


Also note that the ULOG target has been deprecated (you'll still find a lot of information about it); you need to use NFLOG instead:

# iptables -A INPUT -j ULOG
iptables: No chain/target/match by that name.