What's the proper chain to use when adding logging for use with this project? #19

Open
hopper-signifyd opened this issue Jul 20, 2020 · 5 comments

Comments

@hopper-signifyd

The setup instructions on the README just have this: iptables -A CHAIN_NAME -j LOG --log-prefix "EXAMPLE_LOG_PREFIX: "

What is typically used as CHAIN_NAME? I assume this should be a chain with a policy of DROP as a chain with the policy of ACCEPT would just result in logging everything that passes through and this project would assume that they're all dropped packets, no?

Also, should this rule be added to the filter table or would there be a reason to add it to the nat table instead?

What's the standard chain name to use? We have a pretty basic Kubernetes setup with the following chains:

*filter
:INPUT ACCEPT [7233:2389351]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [7974:2056167]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:KUBE-EXTERNAL-SERVICES - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-FORWARD - [0:0]
:KUBE-SERVICES - [0:0]

Is FORWARD typically the best place to add our LOG rule for this project?
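
The policy reasoning in the question above, as an added example (not part of the original post and not the project's code): LOG is a non-terminating target, so a packet that passes a LOG rule appended to the end of a chain then meets the policy of a built-in chain, or an implicit return from a user-defined one. The Python below parses a subset of the chain declarations quoted in the issue and reports that outcome per chain; the function names are hypothetical, and rules inside the chains (not shown in the issue) are ignored.

```python
import re

# Subset of the chain declarations quoted in the issue (iptables-save format).
SAMPLE = """\
*filter
:INPUT ACCEPT [7233:2389351]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [7974:2056167]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-FORWARD - [0:0]
"""

# ":NAME POLICY [packets:bytes]"; POLICY is "-" for user-defined chains.
# Only ACCEPT and DROP policies are handled here; anything else is rejected.
CHAIN_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|-)\s+\[(\d+):(\d+)\]$")

def parse_chains(dump):
    """Return {table: {chain: policy}} from iptables-save style text."""
    tables, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            current = tables.setdefault(line[1:], {})
        elif line.startswith(":"):
            match = CHAIN_RE.match(line)
            if match is None or current is None:
                raise ValueError(f"unparseable chain line: {raw!r}")
            current[match.group(1)] = match.group(2)
    return tables

def fate_after_trailing_log(policy):
    """What happens to a packet after it passes a LOG rule at the chain's end."""
    return {"DROP": "dropped by chain policy",
            "ACCEPT": "accepted by chain policy",
            "-": "returned to calling chain"}[policy]

def report(dump, table="filter"):
    """Map each chain in `table` to the fate of packets a trailing LOG records."""
    return {name: fate_after_trailing_log(policy)
            for name, policy in parse_chains(dump)[table].items()}

if __name__ == "__main__":
    for chain, fate in report(SAMPLE).items():
        print(f"{chain:14} {fate}")
```
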

@KlavsKlavsen

I would very much like to know this too. @hopper-signifyd, did you figure it out?

@KlavsKlavsen

I see this chart adds the rule via a calico GlobalNetworkPolicy object - but that doesn't work for me - honestica/lifen-charts#69

@hopper-signifyd
Author

@KlavsKlavsen I couldn't get this working. The lack of any sort of timely response to this ticket made me realize that I was really on my own if I wanted to use this project. So I ditched this project and moved on to something else.

@mtparet

mtparet commented Apr 21, 2022

@KlavsKlavsen I answered on the issue and it should work by specifying the right version you are using.

@hopper-signifyd We maintain a helm chart which does all the setup: https://artifacthub.io/packages/helm/lifen-charts/kube-iptables-tailer. Happy to help if you have any issues.

@KlavsKlavsen

We got it working. Moving to using the tigera operator to update calico made the v3 API available, and hence the chart worked (we also had to rebuild the docker image, v0.2.2 of it, for it to work).
