Introduction ------------- Netfilter support in ntopng is part of the packaged version available at http://packages.ntop.org. If you have a pro license, you can drop/shape traffic from within ntopng or ntopng will mark the traffic using the protocol identifier of the flow. The full list of protocol identifiers can be obtained by running ntopng with the help flag -h. For example, Skype flows will be marked with protocol identifier 125. # ntopng -h|grep Skype [125] Skype You can leverage protocol identifiers to assign different QoS classes to your traffic (e.g., shape, drop, etc). In essence you can implement an application-level firewall. Using NetFilter --------------- If you use ntopng over netfilter you need to: # 1 - Create a queueId and divert traffic to it. Following is an example to create a net filter queue with queueId equal to 0: # iptables -A FORWARD -i eth1 -j NFQUEUE --queue-num 0 With this rule all incoming traffic on eth1 interface in the forwarding phase will go to the netfilter queue 0. # 2 - start ntopng on device nf:X # ntopng -i nf:0 For example, if you run ntopng with -i nf:0 parameter, it will be able to get traffic from netfilter queue 0 and to decide whether to drop or accept it. Use Case --------------- A typical use case of ntopng over netfilter is when you have set the NAT ip forwarding between two interfaces (let’s say eth1 and eth2) and you want to monitor and policy the traffic via ntopng during the forwarding phase (monitoring interface eth0). The use case can be graphically illustrated as: Linux NAT <-----------------------> Internet (default route) -------------------- Private Network | | (public ip) eth1--------| ntopng |-------eth2 (private network) | | -------------------- / \ | | | eth0 (monitoring interface) For example: The configuration needed is: # 1 - Enable forwarding and NAT (for example private network: 192.168.1.0/24): # echo 1 > /proc/sys/net/ipv4/ip_forward # iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE Attention: before going ahead, make sure you are able to go out to Internet # 2 - Set netfilter queue rules: # iptables -A FORWARD -i eth1 -j NFQUEUE --queue-num 0 # iptables -A FORWARD -i eth2 -j NFQUEUE --queue-num 0 # 3 - Run ntopng: # ntopng -i nf:0 Now you can to to ntopng and filter/shaping the traffic. The configuration above works and was tested on ubuntu 14.04 and 16.04. Commands may slightly change on other distributions. Optimizing NetFilter Performance -------------------------------- Instead of sending ntopng all packets, it is possible to tell netfilter NOT to send ntopng packets once a pass/drop verdict is reached, thus increasing the performance. The script below illlustrates how to do this (this is a simple example that analyzes only TCP port 80 traffic). ============ #!/bin/bash -x iptables -F iptables -t mangle -F # Read CONNMARK and set it in mark iptables -A OUTPUT -t mangle -j CONNMARK --restore-mark # Set default actions for markers iptables -A OUTPUT -t mangle -m mark --mark 1 -j ACCEPT iptables -A OUTPUT -t mangle -m mark --mark 2 -j DROP # Send traffic to ntopng. In this example only TCP/80 is analyzed. iptables -A OUTPUT -t mangle -m mark --mark 0 -p tcp --destination-port 80 -j NFQUEUE --queue-num 0 # Save mark into CONNMARK # NOTE: Use POSTROUTING instead of OUTPUT as explained # in http://serverfault.com/questions/839132/how-to-pass-to-nfqueue-only-the-initial-connection-packets iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark ============ NOTE ---- When you send traffic to NFQUEUE if ntopng is NOT running, packets will be blocked in the IP stack as they don't get processed. So make sure ntopng is running all the time before using this mechanism.