How to take IPTables trace inside a container
https://www.udemy.com/course/linux-security-the-complete-iptables-firewall-guide


The output of iptables LOG targets from inside a network namespace is suppressed by design, to prevent containers from DoSing their host by overrunning its kernel log buffers.

The workaround is to install ulogd and replace "-j LOG" with "-j ULOG" (the rule in step 15 below uses the equivalent "-j NFLOG" target, which is what ulogd 2 reads). Matched packets are logged to the /var/log/ulog directory.

STEPS on how to get this done

1. Run kubectl get pods -o wide to get the host VM or host Compute on which the pod is running (the pod is the one from which you want to get the iptables log).

2. Now log in to the identified host VM or host Compute.

3. sudo wget https://ftp.netfilter.org/pub/ulogd/ulogd-2.0.7.tar.bz2 --> download the ulogd package

3a. tar -xvf ulogd-2.0.7.tar.bz2 --> unpack the downloaded package

3b. cd ulogd-2.0.7/

In the next few steps install the support packages

4. sudo apt-get update -y

5. sudo apt-get install -y libnfnetlink-dev

6. sudo apt-get install -y libnetfilter-log-dev

7. sudo apt-get install -y libnetfilter-conntrack-dev

8. sudo apt-get install -y libnetfilter-acct-dev

9. sudo apt-get install -y ulogd2-pcap

NEXT TWO STEPS WILL INSTALL ulogd

10. ./configure

11. sudo make install

12. ls /etc/ulogd.conf --> existence of this file means successful installation

13. echo 1 | sudo tee /proc/sys/net/netfilter/nf_log_all_netns --> enables dumping of log output from containers onto the host VM or host Compute (a plain "sudo echo 1 > file" does not work, because the redirect is opened by your unprivileged shell rather than by sudo)

If you have trouble with steps 14 and 15, please refer to the article at the bottom, which explains why "nsenter" is used and how the "3663988" (the host PID of a process running in the pod's network namespace, passed to nsenter -t) is arrived at.

14. sudo nsenter -t 3663988 -n ulogd --daemon -c /etc/ulogd.conf --uid ulog --> this needs to be run from the host VM or host Compute

15. sudo nsenter -t 3663988 -n iptables -t raw -A PREROUTING -j NFLOG --nflog-prefix "FROM raw preRouting" --> alternatively, this iptables command can be run directly from inside the container

CHECK THE LOG in the host VM or host Compute

16. iptables -t raw -nvL --> shows whether packets are hitting the newly created log rule (the packet and byte counters should increase)

17. ls -l /var/log/ulog --> check that the file size is increasing

18. tail /var/log/ulog/syslogemu.log --> get the log output
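Once syslogemu.log is filling up, the next thing a practitioner wants is to reduce it to which flows actually reached the pod. The parser below is an added example, not part of the article: it assumes ulogd's LOGEMU output layout (syslog timestamp, host, the --nflog-prefix from step 15, then kernel LOG-style KEY=VALUE fields) and works on constructed sample lines, not a real capture.

```python
import re
from collections import Counter

# Constructed sample of /var/log/ulog/syslogemu.log in ulogd's LOGEMU (syslog-emulation)
# layout: timestamp, host, the --nflog-prefix from step 15, then kernel LOG-style
# KEY=VALUE fields. These lines are made up for this example, not a real capture.
SAMPLE_LOG = """\
Mar  7 15:20:53 node-1 FROM raw preRouting IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:ac:11:00:01:08:00 SRC=10.244.1.5 DST=10.244.0.12 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=54321 DF PROTO=TCP SPT=45872 DPT=8080 SEQ=1 ACK=0 WINDOW=64240 SYN URGP=0
Mar  7 15:20:53 node-1 FROM raw preRouting IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:ac:11:00:01:08:00 SRC=10.244.0.12 DST=10.244.1.5 LEN=52 TOS=00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=8080 DPT=45872 SEQ=1 ACK=1 WINDOW=65160 ACK URGP=0
Mar  7 15:20:54 node-1 FROM raw preRouting IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:ac:11:00:01:08:00 SRC=10.244.2.9 DST=10.244.0.12 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Mar  7 15:20:55 node-1 FROM raw preRouting IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:ac:11:00:01:08:00 SRC=10.244.2.9 DST=10.244.0.12 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=2 DF PROTO=UDP SPT=5353 DPT=53 LEN=40
not a ulogd line
"""

# timestamp, host, free-text nflog prefix (lazy), then the fields starting at IN=
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prefix>.*?) IN=(?P<rest>.*)$")

def parse_line(line):
    """Split one LOGEMU line into timestamp, host, nflog prefix, KEY=VALUE fields and bare flags.
    Returns None for lines that are not in this layout."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields, flags = {}, set()
    for tok in ("IN=" + m.group("rest")).split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields.setdefault(key, val)  # first wins: ICMP repeats ID=/SEQ=, UDP repeats LEN=
        else:
            flags.add(tok)               # DF, SYN, ACK, ... appear as bare tokens
    return {"ts": m.group("ts"), "host": m.group("host"),
            "prefix": m.group("prefix"), "fields": fields, "flags": flags}

def summarize(log_text):
    """Count logged packets per (prefix, protocol, destination, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        f = rec["fields"]
        counts[(rec["prefix"], f.get("PROTO"), f.get("DST"), f.get("DPT", "-"))] += 1
    return counts

def new_tcp_connections(log_text):
    """List (src, dst, dport) of TCP SYNs without ACK, i.e. connection attempts reaching the pod."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["fields"].get("PROTO") == "TCP" and "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
            f = rec["fields"]
            out.append((f["SRC"], f["DST"], f["DPT"]))
    return out
```

Run it against the real file with `summarize(open("/var/log/ulog/syslogemu.log").read())`; the prefix in the key lets you keep several NFLOG rules with different --nflog-prefix values apart.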

This article presumes that the reader is comfortable with iptables and with how a packet travels through the different tables and chains in the incoming, outgoing and routed (forwarded) cases.
