box/kube-iptables-tailer

What's the proper chain to use when adding logging for use with this project?

hopper-signifyd opened this issue · 5 comments

The setup instructions on the README just have this: iptables -A CHAIN_NAME -j LOG --log-prefix "EXAMPLE_LOG_PREFIX: "

What is typically used as CHAIN_NAME? I assume this should be a chain with a policy of DROP as a chain with the policy of ACCEPT would just result in logging everything that passes through and this project would assume that they're all dropped packets, no?

Also, should this rule be added to the filter table or would there be a reason to add it to the nat table instead?

What's the standard chain name to use? We have a pretty basic Kubernetes setup with the following chains:

*filter
:INPUT ACCEPT [7233:2389351]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [7974:2056167]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:KUBE-EXTERNAL-SERVICES - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-FORWARD - [0:0]
:KUBE-SERVICES - [0:0]

Is FORWARD typically the best place to add our LOG rule for this project?

I would very much like to know this too. @hopper-signifyd did you figure it out?

I see this chart adds the rule via a Calico GlobalNetworkPolicy object - but that doesn't work for me - honestica/lifen-charts#69

@KlavsKlavsen I couldn't get this working. The lack of any sort of timely response to this ticket made me realize that I was really on my own if I wanted to use this project. So I ditched this project and moved on to something else.

@KlavsKlavsen I answered on the issue and it should work by specifying the right version you are using.

@hopper-signifyd We maintain a Helm chart which does all the setup: https://artifacthub.io/packages/helm/lifen-charts/kube-iptables-tailer. Happy to help if you have any issue.

We got it working. Moving to using the Tigera operator to update Calico made the v3 API available, and hence the chart worked (we also had to rebuild the Docker image, v0.2.2 of it, for it to work).