Iptables LOG rule inside a network namespace
I'm trying to setup iptables rules for a docker container. I'm using nsenter to execute the iptables command inside of the container's network namespace:
# log access to port 8080
PID=$(docker inspect --format "{{.State.Pid}}" $ID)
/home/ubuntu/nsenter -n -t $PID iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 8080 -j LOG
This approach works perfectly except for LOG rules. Those don't seem to log anywhere. Note that the same rule applied to the host system works and logs to /var/log/kern.log.
Where can I find the output of those log rules? Is this a known issue/limitation of network namespaces?
As Donald mentioned, iptables LOG rules inside containers are suppressed by default.
In kernels <=4.10, this behavior could not be adjusted without patching the kernel. As agrrd mentioned, a work-around is to run ulogd in each container and use iptables NFLOG (or ULOG) rules instead of LOG rules.
However, as of kernel 4.11, running echo 1 > /proc/sys/net/netfilter/nf_log_all_netns on the host (outside of the container) will cause iptables LOG rules inside all containers to log to the host. (See this Kernel Commit.)
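Putting the answer above together with the nsenter command from the question, here is a small added script (my own example, not code from the question or from either answer) that checks whether the host kernel can deliver namespaced LOG output, flips the nf_log_all_netns switch, and otherwise falls back to NFLOG so that a ulogd running in the container can pick the packets up. It assumes nsenter, iptables and docker are on PATH, that it runs as root on the host, that the container's ulogd listens on NFLOG group 1, and the "ctr-<id>:" log prefix is just my convention for telling containers apart in the host's kern.log.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes root on the docker host,
# nsenter/iptables/docker on PATH, and ulogd in the container on NFLOG group 1.

NETNS_LOG_SYSCTL=/proc/sys/net/netfilter/nf_log_all_netns

# kernel_has_netns_log VERSION : succeed when VERSION (e.g. "4.11.0-rc1",
# "5.15.0-91-generic") is 4.11 or newer, the first kernel with nf_log_all_netns.
kernel_has_netns_log() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    minor=${minor:-0}
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 11 ]; }
}

# choose_log_target SYSCTL_PATH : print "LOG" when the host has switched
# nf_log_all_netns on (file contains "1"); otherwise "NFLOG", the work-around
# that needs ulogd inside the container. The path is a parameter so the
# decision can be exercised against a scratch file.
choose_log_target() {
    if [ -r "$1" ] && [ "$(cat "$1")" = "1" ]; then
        echo LOG
    else
        echo NFLOG
    fi
}

# enable_netns_log SYSCTL_PATH : turn the host-side switch on (root only).
enable_netns_log() {
    echo 1 > "$1"
}

# container_log_rule CONTAINER : install the OUTPUT rule from the question in
# the container's network namespace, with whichever target can reach a logger.
container_log_rule() {
    ctr=$1
    pid=$(docker inspect --format '{{.State.Pid}}' "$ctr")
    target=$(choose_log_target "$NETNS_LOG_SYSCTL")
    if [ "$target" = LOG ]; then
        # log-prefix is limited to 29 chars, so use the 12-char short id
        extra="--log-prefix ctr-$(printf '%.12s' "$ctr"):"
    else
        extra="--nflog-group 1"   # assumption: container's ulogd reads group 1
    fi
    # $extra is intentionally unquoted so its two words are split
    nsenter -n -t "$pid" iptables -A OUTPUT -o eth0 -p tcp -m tcp \
        --dport 8080 -j "$target" $extra
}

# Usage (on the host): ./logrule.sh <container-id-or-name>
if [ $# -gt 0 ]; then
    if kernel_has_netns_log "$(uname -r)" && [ -w "$NETNS_LOG_SYSCTL" ]; then
        enable_netns_log "$NETNS_LOG_SYSCTL"
    fi
    container_log_rule "$1"
fi
```

The sysctl is host-global: once it is set to 1, LOG rules in every network namespace on the box write into the host's kernel ring buffer, which is exactly the flooding risk the default guards against, so give each container its own prefix and keep the host's log rate limits (-m limit) in mind.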
The output of iptables LOG targets from inside a network namespace is suppressed by design to prevent containers from DOSing their host by overrunning its log buffers.
commit introducing the change
relevant source code line in the current kernel
I was able to log iptables rules for docker containers by installing ulogd and replacing "-j LOG" with "-j ULOG". Matched packets are logged to /var/log/ulog directory
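Whichever route you take, the records end up in the same syslog-style key=value form: the LOG target writes them to the host's kern.log, and ulogd's LOGEMU output plugin emulates that format in its own log file. As an added example (mine, not part of this answer or the original question), the script below pulls out the records tagged with a given prefix and counts matched packets per destination port, so you can confirm a container rule actually fired. The sample lines are constructed for the demo, not captured output, and the "ctr-<id>:" prefix is an assumed naming convention.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed sample of LOG-format
# records as the host's kern.log (or ulogd's LOGEMU file) would hold them.
SAMPLE_LOG='Mar  5 10:00:01 host kernel: [1234.5678] ctr-0123456789ab: IN= OUT=eth0 SRC=172.17.0.2 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=40000 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  5 10:00:02 host kernel: [1235.0001] ctr-0123456789ab: IN= OUT=eth0 SRC=172.17.0.2 DST=93.184.216.34 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=TCP SPT=40000 DPT=8080 WINDOW=229 RES=0x00 ACK URGP=0
Mar  5 10:00:03 host kernel: [1236.2222] ctr-0123456789ab: IN= OUT=eth0 SRC=172.17.0.2 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  5 10:00:04 host kernel: [1237.0000] ctr-fedcba987654: IN= OUT=eth0 SRC=172.17.0.3 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8 DF PROTO=TCP SPT=40002 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  5 10:00:05 host sshd[999]: Accepted publickey for ubuntu from 10.0.0.9 port 5555 ssh2'

# log_hits PREFIX : read LOG-format records on stdin, keep only those carrying
# PREFIX (one container's rules), and print "DPT count" per destination port.
# Lines without the prefix (other containers, unrelated syslog) are skipped.
log_hits() {
    awk -v pfx="$1" '
        index($0, pfx) == 0 { next }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^DPT=/) { split($i, kv, "="); hits[kv[2]]++ }
        }
        END { for (port in hits) print port, hits[port] }
    ' | sort -n
}

# Usage: log_hits "ctr-0123456789ab:" < /var/log/kern.log
if [ $# -gt 0 ]; then
    log_hits "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | log_hits "ctr-0123456789ab:"
fi
```

Run against the sample the function reports 2 packets to port 8080 and 1 to port 443 for the first container, and ignores both the second container's line and the sshd noise; point it at the real kern.log (or ulogd's file) once the rule is in place.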