On a Linux RHEL8 system, I have enabled these iptables rules , which I am led to believe should enable ICMP packet syslog logging on interface ingress & egress :
# iptables -L -t raw
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
TRACE icmp -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
TRACE icmp -- anywhere anywhere
As described at : https://access.redhat.com/solutions/2313671 I have done :
# modprobe nf_log_ipv4
# sysctl -w net.netfilter.nf_log.2=nf_log_ipv4
I also did:
# modprobe nf_log_syslog
which I am led to believe replaces all previous nf_log* or ipt_LOG modules in modern (RHEL8 4.18.x) kernels.
But, when I 'ping' a NAT'd (with iptables) IP address, no TRACE log messages appear in 'dmesg -c' output or in syslog (systemd.journald in use).
What am I missing ? Much thanks for any informative replies.
The most comprehensive discussion I have found on this issue so far on the web is at :
https://backreference.org/2010/06/11/iptables-debugging/ (thanks waldner!)
But this is getting rather old (2010-06-11) , and evidently does not apply to kernel 4.18(RHEL) .
I have duplicated precisely the steps above on Fedora-36 (kernel-6.2.16) system , and it DOES work, TRACE log messages ARE generated :
# iptables -t raw -A PREROUTING -p icmp -j TRACE
# iptables -t raw -A OUTPUT -p icmp -j TRACE
# modprobe nf_log_ipv4
# echo nf_log_ipv4 > /proc/sys/net/netfilter/nf_log/2
But, these steps, when repeated on a RHEL8 kernel 4.18.0-477.13.1 host, do not work / produce any packet TRACE output in logs - this is what I am tearing what remains of my hair out trying to resolve.
