Hi, long time fan of LxC and loving LxD thus far. Having a slight problem though.
Moved from an Ubuntu 14.04 amd64 (bastion/single server) to Ubuntu 16.04 amd64 host with Ubuntu 16.04 amd64 LxD/LxC container. Works! I then proceeded to move iptables rules to container. Works! I set up iptables logging identically to the configuration on original 14.04 server inside container. Fail! The output file defined in rsyslog.conf (/var/log/iptables.log) is not being written to. I'm not sure how to debug this. I keep searching log files (kern.log, syslog, etc.) and nothing about "iptables dropped: " as defined by the logging parameter in iptables.

root@www:~# cat /etc/iptables.up.rules
# Generated by iptables-save v1.6.0 on Mon Feb 13 09:05:00 2017
*filter
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT DROP [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i eth0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Allow connections to webserver
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Allow SSL connections to webserver
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Log dropped - I've tried with and without --log-level=7
-A INPUT -m limit --limit 5/second -j LOG --log-prefix "iptables dropped: "
# DROP
-A INPUT -j DROP
COMMIT
# Completed on Mon Feb 13 09:05:00 2017
# Generated by iptables-save v1.6.0 on Mon Feb 13 09:05:00 2017
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon Feb 13 09:05:00 2017
# Generated by iptables-save v1.6.0 on Mon Feb 13 09:05:00 2017
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon Feb 13 09:05:00 2017

root@www:~# cat /etc/rsyslog.conf
#  /etc/rsyslog.conf    Configuration file for rsyslog.log
......
# Using /etc/rsyslog.d/ conf files did not work in 14.04 for me.
# Haven't bothered changing with 16.04.
:msg,contains,"iptables dropped: " -/var/log/iptables.log
& ~
#
# Include all config files in /etc/rsyslog.d/
......

root@www:~# ls -l /var/log/iptables.log
-rwxrwxrwx 1 syslog adm 0 Feb 13 9:02 /var/log/iptables.log

I originally had permissions set to 600, then 660, 666, and now 777. Just trying to get the logger to write.

Also, when I just tail kern.log in the container:

root@www:~# tail /var/log/kern.log
Feb 13 09:12:41 www rsyslogd: imklog: cannot open kernel log (/proc/kmsg): Permission denied.
Feb 13 10:05:08 www rsyslogd: imklog: cannot open kernel log (/proc/kmsg): Permission denied.
......

Related? What am I doing wrong here? What to check and how? If I need to troubleshoot or investigate dropped traffic on this particular container, how would I do that without iptables logging?

TIA

_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
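The two questions the post ends on (what to check, and how to see dropped traffic when rsyslog in the container cannot read /proc/kmsg) can be separated with a small diagnostic script. The one below is an added example, not part of the original post or of LXC/LXD. It assumes the LOG prefix from the ruleset above ("iptables dropped: ") and the column layout of "iptables -L INPUT -v -n -x"; the listing and kern.log lines it parses are constructed samples so it runs offline. The idea: the per-rule packet counter tells you whether the LOG rule is matching at all, independently of where the kernel delivers the message, and the kernel ring buffer that the LOG target writes to is not per-container, so if the container cannot read /proc/kmsg or /dev/kmsg, the "iptables dropped:" lines have to be looked for in the host's kern.log or dmesg and summarised there.

```shell
#!/bin/sh
# Added diagnostic helper (example code, not from the original post).
# Assumes the LOG rule uses the prefix "iptables dropped: ".

# Sum the packet counters of LOG rules carrying the given prefix, reading the
# output of "iptables -L <chain> -v -n -x" on stdin. Columns: pkts bytes target ...
log_rule_hits() {
    awk -v p="prefix \"$1\"" '
        $3 == "LOG" && index($0, p) > 0 { hits += $1 }
        END { printf "%d\n", hits + 0 }'
}

# Report which kernel log source (if any) is readable from here; inside a
# container this is usually what fails (imklog: cannot open /proc/kmsg).
kernel_log_readable() {
    for f in /proc/kmsg /dev/kmsg; do
        if [ -r "$f" ]; then echo "$f"; return 0; fi
    done
    echo "none"
    return 1
}

# Count kernel log lines (stdin) that carry the LOG prefix.
count_logged_drops() {
    grep -c -F "$1" || true
}

# Summarise LOG lines (stdin) as "count src dpt", most frequent first.
summarize_drops() {
    grep -F "$1" | awk '{
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "") c[src " " dpt]++
    } END { for (k in c) print c[k], k }' | sort -rn
}

# Constructed sample of "iptables -L INPUT -v -n -x" output (not real counters).
SAMPLE_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   12345  1234500 ACCEPT     all  --  !eth0  *       0.0.0.0/0            0.0.0.0/0
      42     2520 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/sec burst 5 LOG flags 0 level 4 prefix "iptables dropped: "
      42     2520 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Constructed sample of host-side kern.log lines (RFC 5737 documentation addresses).
SAMPLE_KERN_LOG='Feb 13 10:05:08 www rsyslogd: imklog: cannot open kernel log (/proc/kmsg): Permission denied.
Feb 13 10:07:12 host kernel: [12345.678901] iptables dropped: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN
Feb 13 10:07:13 host kernel: [12346.001122] iptables dropped: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=51235 DPT=22 SYN
Feb 13 10:07:20 host kernel: [12353.445566] iptables dropped: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=40001 DPT=23 SYN'

PREFIX="iptables dropped: "

# Step 1: is the LOG rule matching anything? (On a live box, pipe the real
# listing in: iptables -L INPUT -v -n -x | log_rule_hits "$PREFIX")
echo "LOG rule packet count: $(printf '%s\n' "$SAMPLE_LISTING" | log_rule_hits "$PREFIX")"

# Step 2: can this environment read the kernel log at all?
if kernel_log_readable >/dev/null; then
    echo "kernel log readable here: rsyslog's imklog can deliver the LOG lines"
else
    echo "kernel log not readable here: look for the prefix in the host's kern.log/dmesg"
fi

# Step 3: on the side that can read the kernel log, count and summarise drops.
echo "logged drops: $(printf '%s\n' "$SAMPLE_KERN_LOG" | count_logged_drops "$PREFIX")"
printf '%s\n' "$SAMPLE_KERN_LOG" | summarize_drops "$PREFIX"
```

If step 1 shows the LOG counter climbing together with the DROP counter while step 2 reports the kernel log unreadable, the rule is working and the rsyslog filter in the container simply never sees the messages; the prefix lines will be in the host's kern.log, and the summary can be run there (or over a copy of that file) without any change to the container's ruleset.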