iptables ULOG inside VEs

Thread starter: lurdan

Hi,

I use Proxmox 1.9 mainly with Debian Squeeze VEs, connected on a bridged network.
I've tried to configure an iptables firewall on each node, and it seems to work fine.

But I've got lost on how to log iptables messages through the ULOG netlink interface.

host# grep IPTABLES /etc/vz/vz.conf
IPTABLES="nfnetlink nfnetlink_log ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_TOS ip_conntrack ipt_conntrack ipt_state ipt_helper iptable_nat ipt_REDIRECT xt_mac ipt_owner ipt_tcpmss ipt_LOG ipt_ULOG xt_NFLOG"
IPTABLES_MODULES="$IPTABLES"

host # lsmod | grep LOG
xt_NFLOG 1211 0
nfnetlink_log 8543 1 xt_NFLOG
ipt_ULOG 11021 265
ipt_LOG 6405 55

host # vzctl 100 enter
Warning: Unknown iptable module: nfnetlink, skipped
Warning: Unknown iptable module: nfnetlink_log, skipped
Warning: Unknown iptable module: ipt_ULOG, skipped
Warning: Unknown iptable module: xt_NFLOG, skipped
entered into CT 100

ve # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ULOG all -- anywhere anywhere ULOG copy_range 0 nlgroup 1 queue_threshold 1

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

ve # tail /var/log/ulogd/syslogemu.log
~
Jan 1 09:00:00 ve IN=? OUT= MAC= SRC=0.0.0.0 DST=0.0.0.0 LEN=0 TOS=00 PREC=0x00 TTL=0 ID=0 PROTO=0
Jan 1 09:00:00 ve IN=?? OUT= MAC= SRC=0.0.0.0 DST=0.0.0.0 LEN=0 TOS=00 PREC=0x00 TTL=0 ID=0 PROTO=0
~

All data seems to be corrupted (null?).

vzctl doesn't have a predefined ipt_ULOG mask in VZCTL_ENV_CREATE_DATA, so can't I use the ULOG feature inside VEs?
(Though by googling I've found many vz.conf snippets which have IPTABLES=" ..... ipt_ULOG ....".)
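As an added example (not from the post or from Proxmox/ulogd), a small Python checker that parses ulogd "syslogemu"-style lines like the ones above and flags records whose packet fields are all null, so a log that is being filled with empty ULOG records can be spotted quickly. The sample lines are constructed and the field names follow the output shown in the post.

```python
import re

# Constructed sample log: the first line mirrors the empty records quoted in the
# post, the second is a made-up well-formed record (addresses from 192.0.2.0/24).
SAMPLE_LOG = """\
Jan 1 09:00:00 ve IN=? OUT= MAC= SRC=0.0.0.0 DST=0.0.0.0 LEN=0 TOS=00 PREC=0x00 TTL=0 ID=0 PROTO=0
Jan 1 09:00:01 ve IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=12345 PROTO=TCP SPT=40000 DPT=22
"""

# "Mon D HH:MM:SS host <KEY=VALUE ...>" as emitted by ulogd's syslog emulation.
PREFIX_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+(?P<rest>.*)$")
# KEY=VALUE tokens; VALUE may be empty (e.g. "OUT=" or "MAC=").
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return {"ts", "host", "fields"} for one log line, or None if it does not match."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    return {"ts": m.group("ts"), "host": m.group("host"),
            "fields": dict(FIELD_RE.findall(m.group("rest")))}


def is_null_record(fields):
    """True when the record carries no packet data: unknown interface, zero
    addresses, zero length and protocol 0, exactly as in the post's output."""
    return (fields.get("IN", "").strip("?") == ""
            and fields.get("SRC") == "0.0.0.0"
            and fields.get("DST") == "0.0.0.0"
            and fields.get("LEN") == "0"
            and fields.get("PROTO") == "0")


def audit(text):
    """Count parsed records and how many of them are null (empty ULOG records)."""
    total = null = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        if is_null_record(rec["fields"]):
            null += 1
    return {"total": total, "null": null}


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))  # {'total': 2, 'null': 1}
```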