How to enable logging for iptables inside a Docker container?

I created some Docker images lately in order to set up a container with open VPN and firewall (iptables) support.
So far most things are working fine, but as I have some issues with the firewall, I added some more iptables rules to log dropped packets to /var/log/messages. I realized, though, that even if something is dropped, no log file can be found under /var/log.
Thus my question is: How does Alpine Linux handle (system) logging and how can I check the iptables log specifically?
As larsks pointed out, default logging has been disabled in the kernel in order to prevent DDOS attacks by flooding logs.
In order to get logging to work, I installed ulogd and followed the instructions from here.


Solution 1:

The problem is not Alpine Linux. The problem is that you are trying to log from the iptables stack inside a Docker container, and to the best of my knowledge the kernel doesn't handle messages generated by iptables LOG targets in network namespaces other than the global one. LOG messages in network namespaces are intentionally suppressed to prevent a container from performing a DOS attack on the host with a high volume of log messages. See this commit in the kernel, which explicitly disabled LOG support in containers.

Your best bet is to look at packet counts on your firewall rules to see what is matching and where packets are being dropped. You may also have some luck with the NFLOG target and ulogd.
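The "look at packet counts" suggestion works best as a before/after comparison: snapshot the counters, reproduce the failing connection, snapshot again, and see which rule (or chain policy) grew. The script below is an added example, not code from the question or the answer; it parses the output format of `iptables -L -v -n -x --line-numbers`, diffs two snapshots, and lists the DROP/REJECT entries that moved. The `BEFORE`/`AFTER` strings are constructed sample output, and the function names (`parse_counters`, `diff_counters`, `dropped_since`, `snapshot`) are my own. A chain's default policy has its own counter in the `Chain` header line, which matters here: a packet discarded by a `DROP` policy never matches any rule, so a LOG rule would not have seen it even outside a container.

```python
"""Diff iptables packet counters to find where packets are being dropped
inside a container, where the LOG target emits nothing."""
import re
import shutil
import subprocess
import time

# Header of a built-in chain carries the policy counter; user chains only a reference count.
CHAIN_RE = re.compile(
    r"^Chain (\S+) \((?:policy (\S+) (\d+) packets, (\d+) bytes|(\d+) references)\)")
# num pkts bytes target prot opt in out source destination [match text]
# Assumption: every rule has a target (-j); a rule without one shifts the columns.
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

# Constructed sample snapshots (not real output from any host).
BEFORE = """\
Chain INPUT (policy DROP 12 packets, 1234 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1         150      12000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2          40       3200 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
3          42       3360 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1           0          0 ACCEPT     all  --  tun0   eth0    10.8.0.0/24          0.0.0.0/0
"""
AFTER = """\
Chain INPUT (policy DROP 15 packets, 1500 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1         150      12000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2          43       3440 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
3          42       3360 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23

Chain FORWARD (policy DROP 7 packets, 588 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1           0          0 ACCEPT     all  --  tun0   eth0    10.8.0.0/24          0.0.0.0/0
"""


def parse_counters(text):
    """Map (chain, rule_number | 'policy') -> (packets, target, rule_text)."""
    counters = {}
    chain = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            if m.group(2):  # built-in chain: record the policy counter too
                counters[(chain, "policy")] = (int(m.group(3)), m.group(2), "chain policy")
            continue
        m = RULE_RE.match(line)
        if m and chain:
            num, pkts, target = int(m.group(1)), int(m.group(2)), m.group(4)
            rule_text = " ".join(x for x in m.groups()[4:] if x)
            counters[(chain, num)] = (pkts, target, rule_text)
    return counters


def diff_counters(before, after):
    """Entries whose packet counter grew: (chain, rule, target, rule_text, delta), largest first."""
    grown = []
    for key, (pkts, target, rule_text) in after.items():
        delta = pkts - before.get(key, (0,))[0]
        if delta > 0:
            grown.append((key[0], key[1], target, rule_text, delta))
    grown.sort(key=lambda r: r[4], reverse=True)
    return grown


def dropped_since(before, after):
    """Only the entries that discard traffic: DROP/REJECT rules and DROP policies."""
    return [r for r in diff_counters(before, after) if r[2] in ("DROP", "REJECT")]


def snapshot():
    """Live snapshot; needs CAP_NET_ADMIN in the container's network namespace."""
    out = subprocess.run(["iptables", "-L", "-v", "-n", "-x", "--line-numbers"],
                         capture_output=True, text=True, check=True).stdout
    return parse_counters(out)


if __name__ == "__main__":
    if shutil.which("iptables"):
        first = snapshot()
        time.sleep(10)  # reproduce the failing connection during this pause
        second = snapshot()
    else:  # no iptables here: demonstrate on the constructed samples
        first, second = parse_counters(BEFORE), parse_counters(AFTER)
    for chain, rule, target, text, n in dropped_since(first, second):
        print(f"{chain} rule {rule} ({target}): +{n} packets  {text}")
```

In the sample data the VPN port rule accepted three more packets, but the FORWARD chain's DROP policy swallowed seven: the container has a tun0-to-eth0 ACCEPT rule but nothing for the return path, so the reply packets never match a rule at all. That is the kind of gap counters expose and a LOG rule placed before the drop would not.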

