firewall log prefix not works

F

fropa

Member
Dec 12, 2017
14
1
8
33
Hi. I use Proxmox 4.3-1 version. early I created iptables firewall and used it on lots of servers. There are some rules and the bottom lines are like that :

-A INPUT -j LOG_DROP
-A LOG_DROP -j LOG --log-prefix --DROP--:
-A LOG_DROP -j DROP​

It's very easy. I use it on LVM that is on proxmox, but the problem is with containers. The firewall works great but there are no logs. I've googled ulogd and installed but there are errors :

Fri Feb 23 10:23:42 2018 <7> ulogd.c:813 error starting `log1'
Fri Feb 23 10:23:42 2018 <7> ulogd.c:1438 Could not nice process: Operation not permitted​

My problem is that I want to create logs with iptables and I can't. for me It doesn't matter how I will do that.

So what can I check or how I can do that all?
 
fropa said:
-A INPUT -j LOG_DROP
-A LOG_DROP -j LOG --log-prefix --DROP--:
-A LOG_DROP -j DROP​

It's very easy. I use it on LVM that is on proxmox, but the problem is with containers. The firewall works great but there are no logs. I've googled ulogd and installed but there are errors :

Fri Feb 23 10:23:42 2018 <7> ulogd.c:813 error starting `log1'
Fri Feb 23 10:23:42 2018 <7> ulogd.c:1438 Could not nice process: Operation not permitted​

My problem is that I want to create logs with iptables and I can't. for me It doesn't matter how I will do that.

So what can I check or how I can do that all?
Click to expand...

Should work in any case (regardless whether containers or WMs are use). If you post your current iptables settings and explain where you expect the missing logs we can have a look.
 
here is all firewall file. I've no idea where I miss logs. I set logs from web but It will be fine if I'll have them from cli.

In my logic every traffic should go at final log-drop and log-drop-output chains, then log in file and finally drop. when I check "iptables -L -v" I see that chains matched with some packets but there are no logs in files.



:INPUT DROP [184:15857]
:FORWARD DROP [0:0]
:OUTPUT DROP [175:21365]
:SIPCLI - [0:0]
:ACCEPTSIP - [0:0]
:LOG_DROP - [0:0]
:LOG_DROP_OUTPUT - [0:0]
#lo
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT



#gio
-A INPUT -s X.X.X.X -p tcp -m multiport --dports 80,8022 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d X.X.X.X -p tcp -m multiport --sports 80,8022 -m state --state ESTABLISHED -j ACCEPT

#dato
-A INPUT -s X.X.X.X -m multiport -p tcp --dports 80,8022 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d X.X.X.X -m multiport -p tcp --sports 80,8022 -m state --state ESTABLISHED -j ACCEPT

#beso/sopho
-A INPUT -s X.X.X.X -p tcp -m multiport --dports 80,8022 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d X.X.X.X -p tcp -m multiport --sports 80,8022 -m state --state ESTABLISHED -j ACCEPT

#artur
-A INPUT -s X.X.X.X -p tcp -m multiport --dports 80,8022 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d X.X.X.X -p tcp -m multiport --sports 80,8022 -m state --state ESTABLISHED -j ACCEPT

#sip for artur
-A INPUT -s X.X.X.X -p udp -m udp --dport 5060 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d X.X.X.X -p udp --sport 5060 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s X.X.X.X -p udp -m udp --dport 10000:20000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d X.X.X.X -p udp --sport 10000:20000 -m state --state NEW,ESTABLISHED -j ACCEPT

#fop for geonet




#client office
-A INPUT -s 178.134.71.74 -p udp -m udp --dport 5060 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 178.134.71.74 -p udp --sport 5060 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 178.134.71.74 -p udp -m udp --dport 10000:20000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 178.134.71.74 -p udp --sport 10000:20000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 178.134.71.74 -p tcp --dport 4445 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 178.134.71.74 -p tcp --sport 4445 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 178.134.71.74 -p tcp -m multiport --dports 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 178.134.71.74 -p tcp -m multiport --sports 80 -m state --state ESTABLISHED -j ACCEPT


#test
-A INPUT -s X.X.X.X -p tcp --dport 4445 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d X.X.X.X -p tcp --sport 4445 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s X.X.X.X -p tcp -m multiport --dports 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d X.X.X.X -p tcp -m multiport --sports 80 -m state --state ESTABLISHED -j ACCEPT


-A INPUT -s X.X.X.X -p tcp --dport 4445 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d X.X.X.X -p tcp --sport 4445 -m state --state NEW,ESTABLISHED -j ACCEPT


#VPN Range
-A INPUT -s X.X.X.X/29 -p tcp -m multiport --dports 80,8022 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d X.X.X.X/29 -p tcp -m multiport --sports 80,8022 -m state --state ESTABLISHED -j ACCEPT

#whois.ripe.net

-A INPUT -s 193.0.6.135 -p tcp --sport 43 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 193.0.6.135 -p tcp --dport 43 -m state --state NEW,ESTABLISHED -j ACCEPT
#user web interface

-A INPUT -s X.X.X.X -p tcp --sport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d X.X.X.X -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT



#mail

-A INPUT -s X.X.X.X -p tcp --sport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d X.X.X.X -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s X.X.X.X -p udp --sport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d X.X.X.X -p udp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT


-A INPUT -s X.X.X.X -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d X.X.X.X -m state --state NEW,ESTABLISHED -j ACCEPT

-A INPUT -s X.X.X.X -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d X.X.X.X -m state --state NEW,ESTABLISHED -j ACCEPT

#NTP
-A OUTPUT -d 188.93.95.200 -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 188.93.95.200 -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT


#Allow Ping from Inside to Outside
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT


# Allow outbound DNS
-A OUTPUT -d X.X.X.X -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s X.X.X.X -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT

-A OUTPUT -d X.X.X.X -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s X.X.X.X -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT


#repos
-A INPUT -s 199.102.239.168 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -d 199.102.239.168 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT


-A INPUT -s X.X.X.X -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d X.X.X.X -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

-A INPUT -s X.X.X.X -p udp -m udp --dport 161 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d X.X.X.X -p udp -m udp --sport 161 -m state --state ESTABLISHED -j ACCEPT

-A INPUT -s X.X.X.X -p icmp --icmp-type echo-request -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d X.X.X.X -p icmp --icmp-type echo-reply -m state --state ESTABLISHED -j ACCEPT


#mor
-A INPUT -s X.X.X.X -p udp -m udp --dport 5060 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d X.X.X.X -p udp --sport 5060 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s X.X.X.X -p udp -m udp --dport 10000:20000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d X.X.X.X -p udp --sport 10000:20000 -m state --state NEW,ESTABLISHED -j ACCEPT

#it
-A INPUT -s X.X.X.X -p udp -m udp --dport 5060 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d X.X.X.X -p udp --sport 5060 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s X.X.X.X -p udp -m udp --dport 10000:20000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d X.X.X.X -p udp --sport 10000:20000 -m state --state NEW,ESTABLISHED -j ACCEPT

-A INPUT -s X.X.X.X -p udp -m udp --dport 5060 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d X.X.X.X -p udp --sport 5060 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s X.X.X.X -p udp -m udp --dport 10000:20000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d X.X.X.X -p udp --sport 10000:20000 -m state --state NEW,ESTABLISHED -j ACCEPT


#final
-A INPUT -j LOG_DROP

-A LOG_DROP -j LOG --log-prefix --DROP--:
-A LOG_DROP -j DROP

#OUTPUT DROP

-A OUTPUT -j LOG_DROP_OUTPUT

-A LOG_DROP_OUTPUT -j LOG --log-prefix --DROP_OUTPUT--:
-A LOG_DROP_OUTPUT -j DROP

COMMIT
 
Now I understand you set firewall inside the container - yes, that would work only with ulogd(2), but it's not working fine in all templates.

Recommended to set iptables in the host instead; to create a log for e.g. container 144 at net interface 0 is

Code: 
iptables -A FORWARD -m physdev --physdev-out veth144i0 --physdev-is-bridged -j LOG


You have to put int into the proper place in you chain, of course.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back