vrr/ntopng
2
0
Fork 0
mirror of https://github.com/ntop/ntopng.git synced 2026-04-28 06:59:33 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
ntopng/doc/README.netfilter

92 lines
3.1 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Introduction
-------------
Netfilter support in ntopng is part of the packaged version available at http://packages.ntop.org.
If you have a pro license, you can drop/shape traffic from within ntopng or ntopng will
mark the traffic using the protocol identifier of the flow. The full list of protocol identifiers
can be obtained by running ntopng with the help flag -h. For example, Skype flows will be
marked with protocol identifier 125.
# ntopng -h|grep Skype
[125] Skype
You can leverage protocol identifiers to assign different QoS classes to your traffic
(e.g., shape, drop, etc). In essence you can implement an application-level firewall.
Using NetFilter
---------------
If you use ntopng over netfilter you need to:
# 1 - Create a queueId and divert traffic to it.
Following is an example to create a net filter queue with queueId equal to 0:
# iptables -A FORWARD -i eth1 -j NFQUEUE --queue-num 0
With this rule all incoming traffic on eth1 interface in the forwarding phase will go to
the netfilter queue 0.
# 2 - start ntopng on device nf:X
# ntopng -i nf:0
For example, if you run ntopng with -i nf:0 parameter, it will be able to get traffic from
netfilter queue 0 and to decide whether to drop or accept it.
Use Case
---------------
A typical use case of ntopng over netfilter is when you have set the NAT ip forwarding
between two interfaces (lets say eth1 and eth2) and you want to monitor and
policy the traffic via ntopng during the forwarding phase (monitoring interface eth0).
The use case can be graphically illustrated as:
Linux NAT
<----------------------->
Internet (default route) -------------------- Private Network
| |
(public ip) eth1--------| ntopng |-------eth2 (private network)
| |
--------------------
/ \
|
|
| eth0 (monitoring interface)
For example:
The configuration needed is:
# 1 - Enable forwarding and NAT (for example private network: 192.168.1.0/24):
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
Attention: before going ahead, make sure you are able to go out to Internet
# 2 - Set netfilter queue rules:
# iptables -A FORWARD -i eth1 -j NFQUEUE --queue-num 0
# iptables -A FORWARD -i eth2 -j NFQUEUE --queue-num 0
# 3 - Run ntopng:
# ntopng -i nf:0
Now you have two possibilities:
1) Go in ntopng and filter/shaping the traffic
2) Permit all the traffic in ntopng (ntopng will marks the traffic) and control it via iptables rules.
For example:
- to drop skype (id 125) add:
iptables -t mangle -A POSTROUTING -m mark --mark 125 -j DROP
- to drop facebook (id 119) add:
iptables -t mangle -A POSTROUTING -m mark --mark 119 -j DROP
The configuration above works and was tested on ubuntu 14.04 and 16.04. Commands may slightly change on
other distributions.
NOTE
----
When you send traffic to NFQUEUE if ntopng is NOT running, packets will be
blocked in the IP stack as they dont get processed. So make sure ntopng
is running all the time before using this mechanism.
Reference in a new issue View git blame Copy permalink