
I have several applications that are potentially high-risk and high-throughput (like bind, ntpd, etc.). I plan on having a "management domain" for OS tasks, updates, SNMP, automation, etc. and a "service domain" that only includes the daemons I'm providing services with.

I've successfully created network namespaces for them, assigned dedicated IP addresses, discrete routes, etc. I would like to be able to use IPtables to log certain behaviors hitting the daemons within the namespaces (unique devices requesting recursive lookups on dns, etc.) but I can't get the "LOG" target in IPtables to work. I've tried running a syslog daemon inside the ns but it still doesn't work. It may want to write to the global filesystem and not be getting permitted. I'm somewhat new to namespaces, so any thoughts are appreciated.

dfc
Dan
  • The network namespace has nothing to do with the UTS namespace! – Michael Hampton Apr 23 '15 at 16:54
  • Thanks Michael. I'm not entirely sure how UTS namespaces are involved here (I'll claim ignorance on that one). Ultimately, I just want to be able to send logging messages from iptables rules that are applied to the ns to my global syslog service. I don't know if it's possible or if I'm just missing something necessary to make it come together. – Dan Apr 23 '15 at 20:20
  • Replying to my own question (again), I've been able to get logging within iptables in a network namespace working with the NFLOG target and ulogd2. In order to get this working, I had to launch ulogd from the context of the namespace (i.e. global startup didn't receive messages from the IPtables rules). So, for example: "ip netns exec vntp /etc/init.d/ulogd2 restart". Interestingly, performing the above in an init script didn't yield results, but it did if I put a shell interpreter in: "ip netns exec vntp sh /etc/init.d/ulogd2 restart". Can anyone familiar with namespaces comment? – Dan Apr 28 '15 at 20:51
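The NFLOG plus ulogd2 setup from the last comment, written out as an added example (not code from the question or its comments). It assumes the namespace name vntp and the /etc/init.d/ulogd2 script named there, NFLOG group 1, UDP/TCP port 53 for the DNS daemon, and a rate limit of my choosing; by default (DRY_RUN=1) it only prints the commands, and applies them only when run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example: NFLOG logging for a daemon inside a network namespace,
# with ulogd2 started in that namespace so it can receive the records.
NS="${NS:-vntp}"          # namespace name taken from the comment above
GROUP="${GROUP:-1}"       # assumed NFLOG group; must match group= in ulogd.conf
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only; 0 = run them (needs root)

# Build the iptables command for one NFLOG rule. Running it via "ip netns exec"
# puts it in the namespace's own table, not the global one. The limit match
# keeps a query flood from turning the logging path into a DoS on the host.
nflog_rule() {
    ns="$1"; proto="$2"; port="$3"; group="$4"; prefix="$5"
    printf 'ip netns exec %s iptables -A INPUT -p %s --dport %s -m limit --limit 50/s --limit-burst 200 -j NFLOG --nflog-group %s --nflog-prefix "%s"\n' \
        "$ns" "$proto" "$port" "$group" "$prefix"
}

# ulogd has to be started from inside the namespace: the nfnetlink_log socket
# it subscribes to belongs to that namespace, so a ulogd running in the global
# namespace never sees these packets. "sh" is given explicitly, as the comment
# reports was needed with the init script.
ulogd_restart() {
    printf 'ip netns exec %s sh /etc/init.d/ulogd2 restart\n' "$1"
}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$1"
    else
        sh -c "$1"
    fi
}

main() {
    run "$(nflog_rule "$NS" udp 53 "$GROUP" "dns-query: ")"
    run "$(nflog_rule "$NS" tcp 53 "$GROUP" "dns-query-tcp: ")"
    run "$(ulogd_restart "$NS")"
    # Check: the NFLOG rules must appear in the namespace's table (count > 0)
    run "ip netns exec $NS iptables -S INPUT | grep -c NFLOG"
}

main
```

ulogd.conf inside the namespace still needs a stack whose NFLOG input uses the same group and whose output is the SYSLOG plugin, otherwise the records stop at ulogd instead of reaching the global syslog service.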

0 Answers