11

I'm trying to set up iptables rules for a docker container. I'm using nsenter to execute the iptables command inside of the container's network namespace:

    # log access to port 8080 (quote the variables so an empty $ID or $PID fails loudly instead of silently)
    PID=$(docker inspect --format "{{.State.Pid}}" "$ID")
    /home/ubuntu/nsenter -n -t "$PID" iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 8080 -j LOG

This approach works perfectly except for LOG rules. Those don't seem to log anywhere. Note that the same rule applied to the host system works and logs to /var/log/kern.log.

Where can I find the output of those log rules? Is this a known issue/limitation of network namespaces?

Fabian Jakobs
  • Update: I tried `NFLOG` instead but it still won't work – Fabian Jakobs May 13 '15 at 14:33
  • I did a test using a docker container based on CentOS 7 and it works; the host is CentOS. The same test with an Ubuntu 15.04 host and an Ubuntu 12.04.5 container doesn't work. Anyway, you need to be sure syslog is running on your host. – c4f4t0r May 20 '15 at 22:58
  • I'm using Debian wheezy as a host and Ubuntu 14.04 in a container. There it doesn't work. I'm wondering what is different there. – Fabian Jakobs May 21 '15 at 09:31
  • Did you find a solution to this? – gucki Sep 26 '15 at 09:22
  • @gucki I did not find a solution to get it working inside of the namespace. I moved the logging rules outside of the container. – Fabian Jakobs Oct 01 '15 at 13:55

4 Answers

12

As Donald mentioned, iptables LOG rules inside containers are suppressed by default.

In kernels <=4.10, this behavior could not be adjusted without patching the kernel. As agrrd mentioned, a work-around is to run ulogd in each container and use iptables NFLOG (or ULOG) rules instead of LOG rules.

However, as of kernel 4.11, running echo 1 > /proc/sys/net/netfilter/nf_log_all_netns on the host (outside of the container) will cause iptables LOG rules inside all containers to log to the host. (See this Kernel Commit.)

Paul Donohue
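An added helper script (not from this answer or the kernel tree) that applies the two facts above on the host: it checks whether the running kernel is at least 4.11, reports the state of `nf_log_all_netns`, and enables it; only the version threshold and the sysctl path come from the answer, the function names and the fallback message are assumptions.

```sh
#!/bin/sh
# Assumed helper (not the answer's own code): make LOG rules from all network
# namespaces visible on the host, or say why that is impossible on this kernel.

# kernel_has_nf_log_all_netns VERSION  -> 0 when VERSION (uname -r style) >= 4.11
kernel_has_nf_log_all_netns() {
    ver=${1%%-*}                   # drop "-42-generic" style suffixes
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}        # tolerate trailing non-digits in the minor
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "${minor:-0}" -ge 11 ]; }
}

# netns_log_status [SYSCTL_FILE] -> prints enabled, disabled or unsupported
netns_log_status() {
    f=${1:-/proc/sys/net/netfilter/nf_log_all_netns}
    if [ ! -r "$f" ]; then
        echo unsupported           # file absent: kernel older than 4.11
    elif [ "$(cat "$f")" = 1 ]; then
        echo enabled
    else
        echo disabled
    fi
}

# enable_netns_log [SYSCTL_FILE] -> writes 1 (needs root on the host), verifies it
enable_netns_log() {
    f=${1:-/proc/sys/net/netfilter/nf_log_all_netns}
    [ -w "$f" ] || return 1
    echo 1 > "$f"
    [ "$(netns_log_status "$f")" = enabled ]
}

main() {
    if kernel_has_nf_log_all_netns "$(uname -r)"; then
        enable_netns_log &&
            echo "LOG rules in every netns now reach the host ring buffer (dmesg / kern.log)"
    else
        echo "kernel $(uname -r) is older than 4.11: use NFLOG + ulogd inside the container" >&2
        return 1
    fi
}

# Run as root on the host:  sh netns-log.sh apply
case "${1:-}" in apply) main ;; esac
```

Note that the sysctl is host-global: once set, every container's LOG rules write into the host's kernel ring buffer, which is exactly the flooding risk the default protects against.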
3

The output of iptables LOG targets from inside a network namespace is suppressed by design to prevent containers from DoSing their host by overrunning its log buffers.

commit introducing the change

relevant source code line in the current kernel

Donald
1

I was able to log iptables rules for docker containers by installing ulogd and replacing "-j LOG" with "-j ULOG". Matched packets are logged to the /var/log/ulog directory.

agrrd
  • Did you install ulogd on the host (gives no output from the rule) or inside the container (which does not start)? – Phillipp Nov 13 '16 at 22:00
0

I've seen an example (not kernel related) of using -v /dev/log:/dev/log. I wonder if you need to do something similar.

Also, I see that you are using nsenter rather than docker exec: what version of docker are you running?

Cameron Kerr
  • It's also not working when not using docker at all, but netns manually from the command line. – gucki Oct 01 '15 at 20:02
  • You'd need /proc/kmsg or /dev/kmsg and docker effectively prevents you from mounting that in the container. – Phillipp Nov 13 '16 at 22:01