iptables TRACE not logged

iptables TRACE not logged

[Vieri Di Paola]

Hi,

I'm trying to see the TRACE log by issuing the following commands:

/sbin/iptables -t raw -A PREROUTING --destination 10.215.237.237 -j TRACE
/sbin/iptables -t raw -A OUTPUT --destination 10.215.237.237 -j TRACE

After ping'ing 10.215.237.237, I'd like to know where to look for the
TRACE messages.
I've looked in /var/log/messages (and other system logs) and
/proc/kmsg but no sign of them.

What can I try?

Kernel has support for TRACE (CONFIG_NETFILTER_XT_TARGET_TRACE=m).

# lsmod | grep -i trace
xt_TRACE                 551  0
x_tables                8695  52
xt_physdev,xt_pkttype,xt_statistic,xt_DSCP,xt_dscp,xt_iprange,xt_mark,xt_time,xt_CT,xt_helper,xt_length,xt_comment,xt_policy,xt_CHECKSUM,xt_recent,ip_tables,xt_socket,xt_tcpmss,xt_tcpudp,ipt_MASQUERADE,xt_LOGMARK,xt_condition,xt_NFQUEUE,xt_NFLOG,xt_TRACE,xt_iface,xt_ipp2p,xt_limit,xt_owner,xt_realm,xt_ACCOUNT,ipt_rpfilter,xt_connlimit,xt_conntrack,xt_IPMARK,xt_LOG,xt_mac,xt_nat,xt_set,xt_hashlimit,xt_multiport,iptable_filter,xt_CLASSIFY,xt_TARPIT,xt_TCPMSS,xt_TPROXY,xt_connmark,ipt_REJECT,xt_REDIRECT,iptable_mangle,xt_addrtype,iptable_raw

I'm using syslog-ng.but I've also tried metalog: still no TRACE messages.

So I guess the logger isn't to blame and there's something wrong with
my kernel or netfilter installation.

# uname -a
Linux fw3 4.1.4-hardened #1 SMP Thu Aug 13 15:49:17 CEST 2015 i686
Intel(R) Xeon(TM) CPU 2.66GHz GenuineIntel GNU/Linux

# iptables --version
iptables v1.4.21

Do you need more info?

What can I try?

Thanks,

Vieri

Re: iptables TRACE not logged

[Pablo Neira Ayuso]

On Fri, Sep 11, 2015 at 10:25:15AM +0200, Vieri Di Paola wrote:
> Hi,
> 
> I'm trying to see the TRACE log by issuing the following commands:
> 
> /sbin/iptables -t raw -A PREROUTING --destination 10.215.237.237 -j TRACE
> /sbin/iptables -t raw -A OUTPUT --destination 10.215.237.237 -j TRACE
> 
> After ping'ing 10.215.237.237, I'd like to know where to look for the
> TRACE messages.
> I've looked in /var/log/messages (and other system logs) and
> /proc/kmsg but no sign of them.
> 
> What can I try?
> 
> Kernel has support for TRACE (CONFIG_NETFILTER_XT_TARGET_TRACE=m).
> 
> # lsmod | grep -i trace
> xt_TRACE                 551  0
> x_tables                8695  52
> xt_physdev,xt_pkttype,xt_statistic,xt_DSCP,xt_dscp,xt_iprange,xt_mark,xt_time,xt_CT,xt_helper,xt_length,xt_comment,xt_policy,xt_CHECKSUM,xt_recent,ip_tables,xt_socket,xt_tcpmss,xt_tcpudp,ipt_MASQUERADE,xt_LOGMARK,xt_condition,xt_NFQUEUE,xt_NFLOG,xt_TRACE,xt_iface,xt_ipp2p,xt_limit,xt_owner,xt_realm,xt_ACCOUNT,ipt_rpfilter,xt_connlimit,xt_conntrack,xt_IPMARK,xt_LOG,xt_mac,xt_nat,xt_set,xt_hashlimit,xt_multiport,iptable_filter,xt_CLASSIFY,xt_TARPIT,xt_TCPMSS,xt_TPROXY,xt_connmark,ipt_REJECT,xt_REDIRECT,iptable_mangle,xt_addrtype,iptable_raw
> 
> I'm using syslog-ng.but I've also tried metalog: still no TRACE messages.
> 
> So I guess the logger isn't to blame and there's something wrong with
> my kernel or netfilter installation.
> 
> # uname -a
> Linux fw3 4.1.4-hardened #1 SMP Thu Aug 13 15:49:17 CEST 2015 i686
> Intel(R) Xeon(TM) CPU 2.66GHz GenuineIntel GNU/Linux
> 
> # iptables --version
> iptables v1.4.21
> 
> Do you need more info?
> 
> What can I try?

What does

cat /proc/net/netfilter/nf_log

say?

If it looks like this, then you have no logger registered into the
nf_log framework:

 0 NONE ()
 1 NONE ()
 2 NONE ()
 3 NONE ()
 4 NONE ()
 5 NONE ()
 6 NONE ()
 7 NONE ()
 8 NONE ()
 9 NONE ()
10 NONE ()
11 NONE ()
12 NONE ()

Re: iptables TRACE not logged

[Vieri Di Paola]

[sorry, I previously replied only to Pablo instead of the mailing list]

# cat /proc/net/netfilter/nf_log
 0 NONE (nfnetlink_log)
 1 NONE (nfnetlink_log)
 2 nfnetlink_log (nf_log_ipv4,nfnetlink_log)
 3 NONE (nfnetlink_log)
 4 NONE (nfnetlink_log)
 5 NONE (nfnetlink_log)
 6 NONE (nfnetlink_log)
 7 NONE (nfnetlink_log)
 8 NONE (nfnetlink_log)
 9 NONE (nfnetlink_log)
10 NONE (nfnetlink_log)
11 NONE (nfnetlink_log)
12 NONE (nfnetlink_log)

Do I need to change the backend?
eg. sysctl net.netfilter.nf_log.2=ipt_LOG

Re: iptables TRACE not logged

[Pablo Neira Ayuso]

On Fri, Sep 11, 2015 at 03:31:05PM +0200, Vieri Di Paola wrote:
> [sorry, I previously replied only to Pablo instead of the mailing list]
> 
> # cat /proc/net/netfilter/nf_log
>  0 NONE (nfnetlink_log)
>  1 NONE (nfnetlink_log)
>  2 nfnetlink_log (nf_log_ipv4,nfnetlink_log)
>  3 NONE (nfnetlink_log)
>  4 NONE (nfnetlink_log)
>  5 NONE (nfnetlink_log)
>  6 NONE (nfnetlink_log)
>  7 NONE (nfnetlink_log)
>  8 NONE (nfnetlink_log)
>  9 NONE (nfnetlink_log)
> 10 NONE (nfnetlink_log)
> 11 NONE (nfnetlink_log)
> 12 NONE (nfnetlink_log)
> 
> Do I need to change the backend?
> eg. sysctl net.netfilter.nf_log.2=ipt_LOG

You have to switch to nf_log_ipv4, yes. Otherwise the trace messages
go to nfnetlink_log, thus you'll need ulogd2, which is something that
you may not need in your setup.

Re: iptables TRACE not logged

[Vieri Di Paola]

Thanks Pablo.
This worked:
sysctl net.netfilter.nf_log.2=nf_log_ipv4
Now I'm getting TRACE messages in system log.

Re: iptables TRACE not logged

[Pablo Neira Ayuso]

On Sun, Sep 13, 2015 at 12:13:41AM +0200, Vieri Di Paola wrote:
> Thanks Pablo.
> This worked:
> sysctl net.netfilter.nf_log.2=nf_log_ipv4
> Now I'm getting TRACE messages in system log.

BTW, this used to work with ipt_LOG, right?

Thanks!

Re: iptables TRACE not logged

[Vieri Di Paola]

On Sun, Sep 13, 2015 at 1:50 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> BTW, this used to work with ipt_LOG, right?

I believe so.

Vieri