Linux netfilter / iptables : How to enable iptables TRACE chain handling with nf_log_syslog on RHEL8+?

Linux netfilter / iptables : How to enable iptables TRACE chain handling with nf_log_syslog on RHEL8+?

[Jason Vas Dias]

Good day -

  On a Linux RHEL8 system, I have enabled these iptables rules,
  which I am led to believe should enable ICMP packet syslog
  logging on interface ingress & egress :

    # iptables -L -t raw
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination         
    TRACE      icmp --  anywhere             anywhere            

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    TRACE      icmp --  anywhere             anywhere            

  As described at : https://access.redhat.com/solutions/2313671 I have done :

    # modprobe  nf_log_ipv4
    # sysctl -w net.netfilter.nf_log.2=nf_log_ipv4

  I also did:

    # modprobe nf_log_syslog

  which I am led to believe replaces all previous nf_log* or ipt_LOG
  modules in modern (RHEL8 4.18.x+) kernels.

  But, when I 'ping' a NAT'd (with iptables) IP address,
  no TRACE log messages appear in 'dmesg -c' output or in
  syslog (systemd.journald in use).

  What am I missing ?

  The most comprehensive discussion I have found on this issue so far on the web is at :

  https://backreference.org/2010/06/11/iptables-debugging/ (thanks waldner!)

  But this is getting rather old (2010-06-11) , and evidently does not
  apply to kernel 4.18+(RHEL) .

  I have duplicated precisely the steps above on Fedora-36
  (kernel v6.2.16) system , and it DOES work, TRACE log messages ARE generated :

  # iptables -t raw -A PREROUTING -p icmp -j TRACE
  # iptables -t raw -A OUTPUT -p icmp -j TRACE
  # modprobe nf_log_ipv4
  # echo nf_log_ipv4 > /proc/sys/net/netfilter/nf_log/2

  But, these steps, when repeated on a RHEL8 kernel 4.18.0-477.13.1
  host, do not work or produce any packet TRACE output in logs -
  this is what I am tearing what remains of my hair out trying to resolve.

  Thanks in advance for any informative replies .

Best Regards,
Jason Vas Dias (SW+SYS+NET)-Engineer, West Cork, Eire.

Re: Linux netfilter / iptables : How to enable iptables TRACE chain handling with nf_log_syslog on RHEL8+?

[Florian Westphal]

Jason Vas Dias <jason.vas.dias@ptt.ie> wrote:
> 
> Good day -
> 
>   On a Linux RHEL8 system, I have enabled these iptables rules,
>   which I am led to believe should enable ICMP packet syslog
>   logging on interface ingress & egress :
> 
>     # iptables -L -t raw
>     Chain PREROUTING (policy ACCEPT)
>     target     prot opt source               destination         
>     TRACE      icmp --  anywhere             anywhere            
> 
>     Chain OUTPUT (policy ACCEPT)
>     target     prot opt source               destination         
>     TRACE      icmp --  anywhere             anywhere            

Run "xtables-monitor --trace".

RE: Linux netfilter / iptables : How to enable iptables TRACE chain handling with nf_log_syslog on RHEL8+?

[Jason Vas Dias]

Good day Florian -

  RE: you wrote:
  > Run "xtables-monitor --trace".

  Thanks for the info about xtables-monitor - yes, that does give alot
  of extra information about rule chain processing.

  But I'd just like to understand :
    Why does this work under kernel v6.2.16 and not under v4.18.0-477 ?
    :
    # iptables -t raw -A PREROUTING -p icmp -j TRACE
    # iptables -t raw -A OUTPUT -p icmp -j TRACE
    # modprobe nf_log_ipv4
    # echo nf_log_ipv4 > /proc/sys/net/netfilter/nf_log/2

  How can I enable the 'nf_log_syslog' module, so that it does
  in fact emit TRACE kernel messages to syslog, as it purports
  to be able to do, under v4.18.0-477 ?

  xtables-monitor is great, it provides ALOT of information, but
  really I'd like to just trace packet ingress / egress to from
  interfaces, with messages written to syslog .  Has this functionality
  been disabled somehow from the 'nf_log_syslog' module in v4.18.0-477 ?
  If so, how can I enable it ?

  There is very little documentation about nf_log_syslog, besides that
  it is meant to take over everything done by ipt_LOG .

  ipt_LOG WAS meant to log packets that meet the rules on the TRACE
  chain to syslog, no ? So how can I enable that functionality only
  with nf_log_syslog under v4.18.0-477 ?

  I am reading its source code, it SEEMS like it should be getting
  triggered when 'sysctl netfilter.nf_log.2' is not NONE, no ?
  But the v4.18.0-477 version of it it is not doing so.  Why ?

Best Regards,
Jason

 
 

Re: Linux netfilter / iptables : How to enable iptables TRACE chain handling with nf_log_syslog on RHEL8+?

[Florian Westphal]

Jason Vas Dias <jason.vas.dias@ptt.ie> wrote:
>   RE: you wrote:
>   > Run "xtables-monitor --trace".
> 
>   Thanks for the info about xtables-monitor - yes, that does give alot
>   of extra information about rule chain processing.
> 
>   But I'd just like to understand :
>     Why does this work under kernel v6.2.16 and not under v4.18.0-477 ?
>     :
>     # iptables -t raw -A PREROUTING -p icmp -j TRACE
>     # iptables -t raw -A OUTPUT -p icmp -j TRACE
>     # modprobe nf_log_ipv4
>     # echo nf_log_ipv4 > /proc/sys/net/netfilter/nf_log/2
> 
>   How can I enable the 'nf_log_syslog' module, so that it does
>   in fact emit TRACE kernel messages to syslog, as it purports
>   to be able to do, under v4.18.0-477 ?

You need to install iptables-legacy, not shipped in RHEL8.