Why does iptables NAT work in mininet, but iptables logging does not?
I looked up the NAT class in mininet.nodelib, it is implemented through iptables:
self.cmd( 'iptables -I FORWARD',
'-i', self.localIntf, '-d', self.subnet, '-j DROP' )
self.cmd( 'iptables -A FORWARD',
'-i', self.localIntf, '-s', self.subnet, '-j ACCEPT' )
self.cmd( 'iptables -A FORWARD',
'-o', self.localIntf, '-d', self.subnet,'-j ACCEPT' )
self.cmd( 'iptables -t nat -A POSTROUTING',
'-s', self.subnet, "'!'", '-d', self.subnet, '-j MASQUERADE' )
However when I install a logging rule :
iptables -A INPUT -j LOG --log-prefix "IPT log: " --log-level 4
Not a single /related/ entry appears in the /var/log/kern.log file (it works, if I run the same rule with no mininet).
Thanks in advance!
Edit:
To be more precise, here is what I tried to do:
mininet>h2 iptables -A OUTPUT -j LOG --log-prefix "IPT log: " --log-level 3
mininet>h2 iptables -I OUTPUT -j LOG --log-prefix "IPT log: " --log-level 3
mininet>h2 ping h0
.... normal ping output ....
mininet>h2 wget h0
.... index.html being saved on disk ....
mininet>h2 grep "IPT log" /var/log -R
As grep shows, there is no a single relevant line in the logs, despite multiple ICMP message being sent by ping and TCP communication performed by wget.
Edit2:
Here is my iptables rules, after the experiments (sorry for the text-picture):
The INPUT chain will contain only packets whose destination is the local machine, not packets that are being forwarded.
A packet that is being routed (forwarded) by the node (in this case, the machine containing the iptables rules) will pass through the following chains:
PREROUTING -> FORWARD -> POSTROUTING
If you want to log all the packets that are being forwarded, you need to change the INPUT chain with the FORWARD chain in your log rule.
If you want to log only packets that that are being NATd, you need to use the POSTROUTING chain and the nat table in your log rule.
EDIT
Since the iptables rules (in the OUTPUT chain from your experiment) targeting LOG are being triggered (based on your screenshot), we can rule out any iptables [log rules] problem.
The issue must be somewhere else, such as the logging facility service (eg, syslog).
- Why does launching socat with some arguments result in two processes?
- Python socket-module: How to change the local port on the client side?
- Do UDP sockets delineate received data into distinct messages, or does recv read in as much data as possible all at once?
- Can't delete AWS internet Gateway
- How to convert message to (copco) open protocol based on tcp/ip with Java sockets?
- How SO_KEEPALIVE works in socket programming
- Docker Network Nginx Resolver
- How do you get the network interface index for the loopback interface?
- Unable to correctly parse packet payloads using Pnet and Etherparse
- how long does it take for igraph r to estimate network centrality measures for a large network
- Can I bind ip and port to receive mulitcast traffic from a specific network interface
- Can I determine the current IP from a known MAC Address?
- Raw Socket Buffer
- TDD and Mocking out TcpClient
- What's a good language to develop a game server in?
- Proper way to obtain dynamic source port for raw socket (IP_HDRINCL) on macOS for custom TCP implementation
- Receive one UDP stream with 2 applications
- systemd: start service at boot time after network is really up (for WoL purpose)
- How to send packets according to the MTU value
- Python find value in text string
- Nic Buffer In Raw Socket
- is tcpdump affected by iptables filtering?
- What is a simple way to implement a websocket client in Android? Is the following example correct?
- How to close TCP and UDP ports via windows command line
- Port 6443 connection refused when setting up kubernetes
- Bridging two ports with netcat/socat
- How to intercept HTTP requests and responses of a client machine (like fiddler does)
- Since IPv6 is going to replace IPv4, should I develop my new application to support it?
- accept4 blocks though SOCK_NONBLOCK is set
- How to read leb128 from TcpStream in Rust