Logging ICMP Packets with Iptables

Question

I am learning about iptables and I am hitting a wall here.

My task is to log ICMP Requests and Replies from 192.168.1.2 to 192.168.1.1

That's why I added this rule

iptables -A INPUT -p icmp --icmp-type 8 --source 192.168.1.2 -j LOG

and

iptables -A OUTPUT -p icmp --icmp-type 0 -d 192.168.1.2 -j LOG

It seems to log the requests when I ping from 192.168.1.2 on 192.168.1.1

But it fails to log the replies. Any ideas why?

// Edit

bash-5.1# iptables-save -c
# Generated by iptables-save v1.8.7 on Fri Apr  1 09:20:45 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[43:3612] -A INPUT -s 192.168.1.2/32 -p icmp -m icmp --icmp-type 8 -j LOG
[37:3108] -A OUTPUT -d 192.168.1.2/32 -p icmp -m icmp --icmp-type 0 -j LOG
COMMIT

Not sure why both rules are in OUTPUT ACCEPT, but it looks like this with iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
LOG        icmp --  192.168.1.2          anywhere             icmp echo-request LOG level warning

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
LOG        icmp --  anywhere             192.168.1.2          icmp echo-reply LOG level warning

Answer 1

When you try to ping from 192.168.1.2 to 192.168.1.1, OUTPUT chain will be used to scan sending requests and INPUT chain will be used to scan receiving responses, so correct iptables would be created as follows:

iptables -A OUTPUT -p icmp --icmp-type 8 -s 192.168.1.2 -j LOG
iptables -A INPUT -p icmp --icmp-type 0 -d 192.168.1.2 -j LOG