OpenVZ Forum: Support » Iptables logging on VPS not working

Home » General » Support » Iptables logging on VPS not working

Show: Today's Messages :: Show Polls :: Message Navigator
E-mail to friend

Iptables logging on VPS not working [message #1845]

Tue, 28 February 2006 20:57

Martijn
Messages: 9
Registered: December 2005
Location: The Netherlands

Junior Member

For some extra protection I'd like to have iptables run on the VPS's or the host system. Since the FAQ tells that stateful inspection on the host is "highly not recommended" I'd like to run iptables on the VPS's.

More info on the setup:
Host: CentOS 4.2; 2.6.8-022stab070.1
VPS: CentOS 4.2

Modules loaded with the VPS taken from the configfile:
IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_REJECT ipt_LOG ipt_length "

/etc/sysconfig/iptables part:
...
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG --log-prefix "INPUT-DENIED: "
-A RH-Firewall-1-INPUT -j DROP
COMMIT

As you can see, above is just an altertion of a stock firewall with CentOS 4.2.

The iptables is running and working but it doesn't log any dropped packets in syslog. Anybody a clue?

Thanks in advance,
Martijn

[Updated on: Tue, 28 February 2006 20:58]

Report message to a moderator

Re: Iptables logging on VPS not working [message #1847 is a reply to message #1845]

Tue, 28 February 2006 22:33

dev
Messages: 1693
Registered: September 2005
Location: Moscow

Senior Member

Where have you tried to see logged packets? in host system or in VPS?
Have you tried 'dmesg' in VPS?

http://static.openvz.org/userbars/openvz-developer.png

Report message to a moderator

Re: Iptables logging on VPS not working [message #1883 is a reply to message #1847]

Fri, 03 March 2006 11:06

Martijn
Messages: 9
Registered: December 2005
Location: The Netherlands

Junior Member

dev wrote on Tue, 28 February 2006 17:33

Where have you tried to see logged packets? in host system or in VPS?
Have you tried 'dmesg' in VPS?

Dev, sorry that it took a while but here we go:
- Looked in both files (messages/dmesg) on the host and VPS, nothing in regard to blocked packets for the VPS;
- The host blocks and logs the dropped packages fine but only uses the INPUT table (for access to the host). No FORWARD rules are applied on the host.

There must be something I overlook, the rules are there and the counters increase after an attempt which triggers the logging and the reject as seen below:

$vps> iptables -L -n -v
Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target prot opt in out source    destination
    0     0 ACCEPT all  --  lo *   0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT icmp --  *  *   0.0.0.0/0 0.0.0.0/0 icmp type 255
...
   82 11917 ACCEPT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0 tcp dpt:80
   14  1188 LOG    all  --  *  *   0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `INPUT-DENIED: '
   14  1188 REJECT all  --  *  *   0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Bottom line is that the rules *DO WORK* but nothing is logged when packets are dropped of rejected.

Strange... any help is appreciated!

Report message to a moderator

Re: Iptables logging on VPS not working [message #1885 is a reply to message #1883]

Fri, 03 March 2006 15:41

dev
Messages: 1693
Registered: September 2005
Location: Moscow

Senior Member

I meant command 'dmesg', not file messages/dmesg
simply execute:

$vps> dmesg

Also please provide the output of
cat /proc/sys/kernel/printk
Maybe your log level doesn't allow such messages

[Updated on: Fri, 03 March 2006 15:41]

Report message to a moderator

Re: Iptables logging on VPS not working [message #1886 is a reply to message #1885]

Fri, 03 March 2006 21:54

Martijn
Messages: 9
Registered: December 2005
Location: The Netherlands

Junior Member

My fault, thought you were talking about logfiles. The dmesg definately gave the right answers.

Here is the output of printk

bash-3.00# cat /proc/sys/kernel/printk
6       4       1       7
bash-3.00#

Report message to a moderator

Re: Iptables logging on VPS not working [message #1893 is a reply to message #1886]

Sat, 04 March 2006 09:14

dev
Messages: 1693
Registered: September 2005
Location: Moscow

Senior Member

ok. So I suppose the whole issue is resolved?
or you want to log them to some file?
then you need to start syslog/klogd which will save dmesg output to /var/log/messages

Report message to a moderator

Re: Iptables logging on VPS not working [message #1898 is a reply to message #1893]

Sat, 04 March 2006 14:21

Martijn
Messages: 9
Registered: December 2005
Location: The Netherlands

Junior Member

dev wrote on Sat, 04 March 2006 04:14

ok. So I suppose the whole issue is resolved?
or you want to log them to some file?
then you need to start syslog/klogd which will save dmesg output to /var/log/messages

Dev, the only issue is the logging to /var/log/messages. On the host is syslogd running but no klogd.

bash-3.00# ps aux|grep logd|grep -v grep
root     27895  0.0  0.0  1520  592 ?        Ss   16:15   0:00 syslogd -m 0
bash-3.00#

A restart of the syslog service didn't help for the logging to the file but dmesg did show the dropped packets.

Idea is that the VPS runs just like a standard out-of-the-box installation of CentOS.

Report message to a moderator

Re: Iptables logging on VPS not working [message #1975 is a reply to message #1845]

Fri, 10 March 2006 13:01

Martijn
Messages: 9
Registered: December 2005
Location: The Netherlands

Junior Member

Dev, do you have any tips how to turn on the "default CentOS" logging so the iptables logging ends up in the /var/log/messages file?

Thanks in advance!

Report message to a moderator

Re: Iptables logging on VPS not working [message #1976 is a reply to message #1898]

Fri, 10 March 2006 15:45

kir
Messages: 1645
Registered: August 2005
Location: Moscow, Russia

Senior Member

For the historical reasons klogd was disabled in template. In your case you need to enable it. If you use precreated template, the best way to do it is to take the original /etc/init.d/syslog file from sysklogd rpm and put it into your VPS.

If you use template tools and use vzpkgcache to create a template, edit the /vz/template/centos/4/(your-arch)/config/install-post file and remove (or comment out) these lines:

# Disable klogd
$VZCTL exec2 $VEID \
        "sed -i -e 's/daemon\\ klogd/passed\\ klogd\\ skipped/' \
                -e 's/killproc\\ klogd/passed\\ klogd\\ skipped/' \
                        /etc/init.d/syslog"
# FIXME: fix '/etc/init.d/syslog status' to return 0
# even if klogd is not running

After that, run vzpkgcache -f to forcibly recreate the template cache, and then create a new VPS. It will have klogd running.

Kir Kolyshkin

Report message to a moderator

Re: Iptables logging on VPS not working [message #2018 is a reply to message #1976]

Tue, 14 March 2006 17:57

Martijn
Messages: 9
Registered: December 2005
Location: The Netherlands

Junior Member

kir wrote on Fri, 10 March 2006 10:45

After that, run vzpkgcache -f to forcibly recreate the template cache, and then create a new VPS. It will have klogd running.

Kir, thanks a lot for clearing it!

Report message to a moderator

Re: Iptables logging on VPS not working [message #2034 is a reply to message #1845]

Wed, 15 March 2006 23:24

RapidVPS
Messages: 32
Registered: January 2006

Member

This is an informative post. Martijn, is the iptables log finally printed to /var/log/messages? It is not clear based on your response.

[Updated on: Wed, 15 March 2006 23:24]

Report message to a moderator

Re: Iptables logging on VPS not working [message #42270 is a reply to message #1845]

Tue, 29 March 2011 12:17

gralex
Messages: 62
Registered: December 2008
Location: Russia, Novosibirsk

Member

That's working solution for me:

rm -f /etc/init.d/syslog
yum reinstall sysklogd
/etc/init.d/syslog restart

Thanks.

p.s. iptables logs both in dmesg in /var/log/messages. Is it how the things should be?

[Updated on: Tue, 29 March 2011 12:18]

Report message to a moderator

Previous Topic:	DAHDI doesn't compile with OVZ Kernel
Next Topic:	Kernel 2.6.32-5-openvz-amd64 & CPULIMIT

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

] [

]

Current Time: Fri Jul 12 13:22:02 GMT 2024

Total time taken to generate the page: 0.02391 seconds