On a Linux RHEL8 system, I have enabled these iptables rules, which I am led to believe should enable ICMP packet syslog logging on interface ingress & egress:
# iptables -L -t raw
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
TRACE icmp -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
TRACE icmp -- anywhere anywhere
As described at https://access.redhat.com/solutions/2313671 I have done:
# modprobe nf_log_ipv4
# sysctl -w net.netfilter.nf_log.2=nf_log_ipv4
I also did:
# modprobe nf_log_syslog
which I am led to believe replaces all previous nf_log* or ipt_LOG modules in modern (RHEL8 4.18.x) kernels.
But, when I 'ping' a NAT'd (with iptables) IP address, no TRACE log messages appear in 'dmesg -c' output or in syslog (systemd.journald in use).
What am I missing? Many thanks for any informative replies.
The most comprehensive discussion I have found on this issue so far on the web is at:
https://backreference.org/2010/06/11/iptables-debugging/ (thanks waldner!)
But this is getting rather old (2010-06-11), and evidently does not apply to kernel 4.18 (RHEL).
I have duplicated precisely the steps above on a Fedora-36 (kernel-6.2.16) system, and it DOES work, TRACE log messages ARE generated:
# iptables -t raw -A PREROUTING -p icmp -j TRACE
# iptables -t raw -A OUTPUT -p icmp -j TRACE
# modprobe nf_log_ipv4
# echo nf_log_ipv4 > /proc/sys/net/netfilter/nf_log/2
But these steps, when repeated on a RHEL8 kernel 4.18.0-477.13.1 host, do not work / produce any packet TRACE output in the logs. This is what I am tearing what remains of my hair out trying to resolve.
Red Hat migrated to nftables since RHEL8. Even though the iptables command should still work on RHEL8 and translates rules to nftables format, you can try to use the native nft command to create the rules. Here are some more details: https://developers.redhat.com/blog/2020/08/18/iptables-the-two-variants-and-their-relationship-with-nftables#
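The answer's suggestion worked through as an added example (not the answerer's or Red Hat's code): the native nft ruleset that mirrors the two raw-table TRACE rules, and how the trace is then read. It assumes the RHEL8 iptables is the nf_tables variant, where -j TRACE becomes "meta nftrace set 1" and the trace events are consumed with "nft monitor trace" rather than written to dmesg or syslog; the table and chain names are chosen here, not taken from the page.

```shell
#!/bin/sh
# Added example, not from the question or answer above.
# Assumption: iptables on the host is iptables-nft (RHEL8 default), so the
# TRACE target sets nftrace and events go to nfnetlink, which "nft monitor
# trace" reads. They never reach dmesg/syslog, unlike legacy xtables TRACE.
# Table/chain names (trace_icmp, pre, out) are chosen for this example.

# Emit an nftables ruleset tracing ICMP on ingress (prerouting) and egress
# (output) at priority -300, the same hook points as iptables -t raw.
nft_trace_ruleset() {
    cat <<'EOF'
table ip trace_icmp {
    chain pre {
        type filter hook prerouting priority -300; policy accept;
        ip protocol icmp meta nftrace set 1
    }
    chain out {
        type filter hook output priority -300; policy accept;
        ip protocol icmp meta nftrace set 1
    }
}
EOF
}

# Classify the iptables backend from the text of `iptables -V`, e.g.
# "iptables v1.8.4 (nf_tables)"; passed in as an argument so it can be
# checked without running iptables.
iptables_backend() {
    case "$1" in
        *nf_tables*) echo nf_tables ;;
        *legacy*)    echo legacy ;;
        *)           echo unknown ;;
    esac
}

# Apply the ruleset and start printing trace events (needs root and nft).
# Usage: sh this_script.sh apply   (then ping the NAT'd address elsewhere)
if [ "${1:-}" = apply ]; then
    echo "iptables backend: $(iptables_backend "$(iptables -V 2>/dev/null)")" >&2
    nft_trace_ruleset | nft -f -
    nft monitor trace
fi
```

Remove the tracing table afterwards with "nft delete table ip trace_icmp", since every traced packet generates an event.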