In vm doesnt work iptables logging

gamera (New Member), Sep 26, 2016
Hi, I use these iptables rules for logging incoming and outgoing ports:
Code:
-A INPUT_LOGGING -m limit --limit 100/min -j LOG --log-prefix "iptables[INPUT] Dropped: " --log-level 7
-A OUTPUT_LOGGING -m limit --limit 100/min -j LOG --log-prefix "iptables[OUTPUT] Dropped: " --log-level 7

On the hardware server all is okay; in VMs I don't see these logs in syslog.

P.S. This problem is only in a CT; in a VM all is okay.
Have you added the jump targets in INPUT and OUTPUT? Please report all iptables rules with e.g. iptables -vnL
Hi, yep, here are the rules:
Code:
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [1:272]
:INPUT_LOGGING - [0:0]
:OUTPUT_LOGGING - [0:0]
:SUBNET_FILTER - [0:0]

-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j SUBNET_FILTER
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8888 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -j INPUT_LOGGING

-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 8888 -j ACCEPT
-A OUTPUT -j OUTPUT_LOGGING

-A INPUT_LOGGING -m limit --limit 5/min -j LOG --log-prefix "iptables[INPUT] Dropped: " --log-level 7
-A OUTPUT_LOGGING -m limit --limit 5/min -j LOG --log-prefix "iptables[OUTPUT] Dropped: " --log-level 7

-A SUBNET_FILTER -s 10.10.10.0/24 -j RETURN
-A SUBNET_FILTER -j DROP
COMMIT
 
Thank you, but that is not (all of) the output I asked for. My requested command will also show the matched packet count and packet bytes per rule so we can see if the targets are jumped or not. Please provide at least for chains *_LOGGING.
Here are the chains:
Code:
Chain INPUT_LOGGING (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables[INPUT] Dropped: "
Chain OUTPUT_LOGGING (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables[OUTPUT] Dropped: "

So, no packets will reach the chains. Is this iptables on the host or on the guest? If it's in the guest (lxc) maybe the problem lies there. Why do you not use logging of the built-in Proxmox VE Firewall? It is very good and easy to set up.
Hmm, can you send a link to the manual?
Hi there!
Absolutely correct - iptables logging doesn't work in a CT. Doesn't matter whether INPUT, OUTPUT or FORWARD.
Sure, the rule counts logged packets, but nothing appears in the log (messages, kern, syslog etc.). Even if you set up a dedicated log file you will get nothing there.
Any other rules work well (DROP, ACCEPT, REJECT for any chain), but the LOG target doesn't.
The built-in FW feature is turned off.
Hope PVE developers may find this case interesting.

pve-manager/6.0-9/508dcee0 (running kernel: 5.0.18-1-pve)
Hi,
please try if logging with the NFLOG extension works, which is what we use for logging in the PVE firewall, see http://ipset.netfilter.org/iptables-extensions.man.html
Hi,
if your packets are routed then they will not show up in the input chain but in the forward chain, see for example http://linux-training.be/servers/ch08.html
Try logging also the packets in the forward chain.
Thanks for your advice Chris!

NFLOG works like LOG - it just counts packets. It looks like this is because the CT is unprivileged in my case.
Code:
# cat /var/log/user.log
Dec 18 17:40:13 hostname rsyslogd: imklog: cannot open kernel log (/proc/kmsg): Permission denied.
# cat /proc/kmsg
cat: /proc/kmsg: Permission denied
# ls -la /proc/kmsg
-r-------- 1 nobody nogroup 0 Dec 18 18:21 /proc/kmsg
# id
uid=0(root) gid=0(root) groups=0(root)
# ps -f ax | grep rsyslog | grep -v grep
root      4198     1  0 17:40 ?        Ssl    0:00 /usr/sbin/rsyslogd -n -iNONE
Do you have any idea? Is it possible to avoid this issue and keep CT unprivileged?

Regards!
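A small diagnostic that follows the two checks made in this thread: whether the `*_LOGGING` chains are actually hit (the counters), and whether the kernel log that the LOG target writes to can be read from inside the namespace at all (the `/proc/kmsg` permission problem above). This is an added example, not code from the thread or from Proxmox; the embedded `iptables -vnL` output is a constructed sample modelled on the counters posted above.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Run against live output with:
#   log_rule_counters "$(iptables -vnL)"; chains_are_hit "$(iptables -vnL)"

# Constructed sample of `iptables -vnL` output, modelled on the thread's chains.
# INPUT_LOGGING has never been hit; OUTPUT_LOGGING has matched 12 packets.
SAMPLE='Chain INPUT_LOGGING (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables[INPUT] Dropped: "
Chain OUTPUT_LOGGING (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12  1044 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables[OUTPUT] Dropped: "'

# Print "<chain> <pkts>" for every LOG or NFLOG rule inside a *_LOGGING chain.
# (Plain counters only; for large values use `iptables -vnLx` to avoid K/M suffixes.)
log_rule_counters() {
    printf '%s\n' "$1" | awk '
        /^Chain .*_LOGGING/ { chain = $2; next }
        /^Chain / { chain = ""; next }
        chain != "" && ($3 == "LOG" || $3 == "NFLOG") { print chain, $1 }'
}

# Succeed only if every *_LOGGING LOG rule has a non-zero counter. A zero
# counter means the jump into the chain never happens (a rule-order problem,
# not a logging problem), which is what the output posted in the thread shows.
chains_are_hit() {
    log_rule_counters "$1" | awk '$2 == 0 { bad = 1 } END { exit bad + 0 }'
}

# Succeed if the kernel log is readable from this namespace. In the unprivileged
# CT above /proc/kmsg is owned by nobody with mode 0400, so this fails even for
# the container's root, and neither imklog nor a LOG target's messages can be
# seen inside the container.
kmsg_readable() {
    [ -r /proc/kmsg ] || [ -r /dev/kmsg ]
}

main() {
    log_rule_counters "$SAMPLE"
    if chains_are_hit "$SAMPLE"; then
        echo "all *_LOGGING rules are matching packets"
    else
        echo "some *_LOGGING chain never matched: check the -j *_LOGGING jumps"
    fi
    if kmsg_readable; then
        echo "kernel log readable here: LOG output should reach syslog/journald"
    else
        echo "kernel log not readable here: LOG output cannot be seen in this namespace"
    fi
}
```

The counter check tells the two failure modes apart: zero counters mean the rules are wrong, non-zero counters with no log lines mean the messages are being written somewhere this namespace cannot read.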