On Wed, Mar 11, 2015 at 5:48 PM, Fiedler Roman <roman.fied...@ait.ac.at> wrote:
> Hello list,
>
> Has someone managed to get reliable network traffic auditing with LXC up and
> running? That means, that it is possible to write a protocol of e.g. every
> new connection from and to host.
>
> On my setup (Ubuntu Trusty), both host and guest may have different iptables
> rulesets. But the guest NFLOG messages are lost completely, those from host
> are sometimes sent to the ulogd in the guest (time-race), so the host log is
> not trustworthy either.
>
> What could be the best solution to get trustworthy logs with LXC?
Try something like this on the host:

    echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
    iptables -I FORWARD 1 -d 192.168.124.173 -j NFLOG --nflog-group 0 --nflog-prefix lxc-v
    iptables -I FORWARD 1 -s 192.168.124.173 -j NFLOG --nflog-group 0 --nflog-prefix lxc-v

With the default ulogd2 setup on ubuntu 14.10 (which already includes rules for nflog-group 0 logging to a file) you should then be able to get something like this when the container (192.168.124.173) pings another container (192.168.124.134):

    # tail -f /var/log/ulog/syslogemu.log
    Mar 11 18:40:49 utopic lxc-v IN=br0 OUT=br0 MAC=00:16:3e:2e:d2:6d:00:16:3e:f5:cd:94:08:00 SRC=192.168.124.173 DST=192.168.124.134 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=10868 DF PROTO=ICMP TYPE=8 CODE=0 ID=1916 SEQ=2 MARK=0
    Mar 11 18:40:49 utopic lxc-v IN=br0 OUT=br0 MAC=00:16:3e:f5:cd:94:00:16:3e:2e:d2:6d:08:00 SRC=192.168.124.134 DST=192.168.124.173 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=46525 PROTO=ICMP TYPE=0 CODE=0 ID=1916 SEQ=2 MARK=0

You might only be missing the "bridge-nf-call-iptables" part. Note that you shouldn't need it IF you use a custom lxc network setup which doesn't use bridges:
https://www.mail-archive.com/lxc-users@lists.linuxcontainers.org/msg02587.html

-- 
Fajar

_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
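The host-side setup from Fajar's reply, carried a step further as an added example (this is not code from the thread or from the LXC project). It makes the two steps re-runnable: the bridge-netfilter sysctl is only written after checking it exists (on kernels from 3.18 on it appears only once br_netfilter is loaded, which is why there is a modprobe attempt), and the NFLOG rules are inserted only if `iptables -C` does not already find them, so running the script twice does not double the log lines. Because the original question asked for a log of new connections rather than of every packet, an optional "new" mode adds `-m conntrack --ctstate NEW` to the same rules. A small awk helper reduces a ulogd2 syslogemu line to a proto/src/dst summary. The `IPT` and `BRIDGE_NF` variables, the function names and the `NFLOG_GROUP` default are assumptions of this example, chosen so the logic can be exercised without root; the container address is the one used in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: idempotent NFLOG audit setup for a
# bridged LXC container, parameterised so it can be dry-run without root.
# Assumes ulogd2 on the host already consumes nflog-group 0 (Ubuntu 14.10 default).
set -eu

IPT="${IPT:-iptables}"                                             # assumed override hook
BRIDGE_NF="${BRIDGE_NF:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
NFLOG_GROUP="${NFLOG_GROUP:-0}"

# Make bridged frames traverse the host's FORWARD chain. Without this the
# NFLOG rules below never see container-to-container traffic on br0.
# On kernels >= 3.18 the sysctl only exists once br_netfilter is loaded.
enable_bridge_nf() {
    if [ ! -e "$BRIDGE_NF" ]; then
        modprobe br_netfilter 2>/dev/null || true
    fi
    if [ ! -e "$BRIDGE_NF" ]; then
        echo "bridge netfilter sysctl not found: $BRIDGE_NF" >&2
        return 1
    fi
    echo 1 > "$BRIDGE_NF"
}

# add_nflog_rules <container-ip> <prefix> [all|new]
# Inserts the -d and -s NFLOG rules at the top of FORWARD, skipping any rule
# that is already present. "new" logs only the first packet of each
# conntrack flow, i.e. one line per connection instead of one per packet.
add_nflog_rules() {
    ip="$1"; prefix="$2"; scope="${3:-all}"
    state=""
    [ "$scope" = "new" ] && state="-m conntrack --ctstate NEW"
    for dir in "-d" "-s"; do
        # $state is intentionally unquoted so it expands to separate arguments.
        # shellcheck disable=SC2086
        if ! "$IPT" -C FORWARD "$dir" "$ip" $state -j NFLOG \
                --nflog-group "$NFLOG_GROUP" --nflog-prefix "$prefix" 2>/dev/null; then
            "$IPT" -I FORWARD 1 "$dir" "$ip" $state -j NFLOG \
                --nflog-group "$NFLOG_GROUP" --nflog-prefix "$prefix"
        fi
    done
}

# summarize_nflog_line <ulogd2 syslogemu line>
# Parses the KEY=VALUE fields and prints "PROTO SRC -> DST" plus SPT:DPT for
# TCP/UDP, which is enough to grep a per-container connection history.
summarize_nflog_line() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0) kv[substr($i, 1, n - 1)] = substr($i, n + 1)
        }
        out = kv["PROTO"] " " kv["SRC"] " -> " kv["DST"]
        if ("SPT" in kv) out = out " " kv["SPT"] ":" kv["DPT"]
        print out
    }'
}

# Usage on the host (as root):
#   sh lxc-nflog.sh setup 192.168.124.173 lxc-v new
#   tail -f /var/log/ulog/syslogemu.log | while read -r l; do summarize_nflog_line "$l"; done
if [ "${1:-}" = "setup" ]; then
    enable_bridge_nf
    add_nflog_rules "$2" "${3:-lxc-v}" "${4:-all}"
fi
```

Keep the NFLOG rules at the top of FORWARD: any ACCEPT or DROP rule that precedes them short-circuits the chain, and the packet is never logged. Check with `iptables -S FORWARD` after running it.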