ntopng/doc/README.netfilter

Introduction
-------------
Netfilter support in ntopng is part of the packaged version available at http://packages.ntop.org.
If you have a pro license, you can drop/shape traffic from within ntopng or ntopng will
mark the traffic using the protocol identifier of the flow. The full list of protocol identifiers
can be obtained by running ntopng with the help flag -h. For example, Skype flows will be
marked with protocol identifier 125.

# ntopng -h|grep Skype
[125] Skype

You can leverage protocol identifiers to assign different QoS classes to your traffic
(e.g., shape, drop, etc). In essence you can implement an application-level firewall.

Using NetFilter
---------------

If you use ntopng over netfilter you need to:

# 1 - Create a queueId and divert traffic to it.

Following is an example to create a net filter queue with queueId equal to 0:
	# iptables -A FORWARD -i eth1 -j NFQUEUE --queue-num 0
	With this rule all incoming traffic on eth1 interface in the forwarding phase will go to
	the netfilter queue 0.


# 2 - start ntopng on device nf:X
	# ntopng -i nf:0

For example, if you run ntopng with -i nf:0 parameter, it will be able to get traffic from
netfilter queue 0 and to decide whether to drop or accept it.


Use Case
---------------
A typical use case of ntopng over netfilter is when you have set the NAT ip forwarding
between two interfaces (let’s say eth1 and eth2) and you want to monitor and
policy the traffic via ntopng during the forwarding phase (monitoring interface eth0).
The use case can be graphically illustrated as:


				       Linux NAT
			       <----------------------->
 Internet (default route)        --------------------                     Private Network
				 |                  |
	 (public ip) eth1--------|      ntopng      |-------eth2 (private network)
				 |                  |
				 --------------------
					 / \
					  |
					  |
					  | eth0 (monitoring interface)

For example:

The configuration needed is:

# 1 - Enable forwarding and NAT (for example private network: 192.168.1.0/24):
	# echo 1 > /proc/sys/net/ipv4/ip_forward
        # iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
  
      Attention: before going ahead, make sure you are able to go out to Internet

# 2 - Set netfilter queue rules:
	# iptables -A FORWARD -i eth1 -j NFQUEUE --queue-num 0
	# iptables -A FORWARD -i eth2 -j NFQUEUE --queue-num 0

# 3 - Run ntopng:
	# ntopng -i nf:0

Now you can to to ntopng and filter/shaping the traffic.
 
The configuration above works and was tested on ubuntu 14.04 and 16.04. Commands may slightly change on
other distributions.


Optimizing NetFilter Performance
--------------------------------
Instead of sending ntopng all packets, it is possible to tell netfilter NOT to send ntopng
packets once a pass/drop verdict is reached, thus increasing the performance. The script below
illlustrates how to do this (this is a simple example that analyzes only TCP port 80 traffic).

============
#!/bin/bash -x

iptables -F
iptables -t mangle -F

# Read CONNMARK and set it in mark
iptables -A OUTPUT -t mangle -j CONNMARK --restore-mark

# Set default actions for markers
iptables -A OUTPUT -t mangle -m mark --mark 1 -j ACCEPT
iptables -A OUTPUT -t mangle -m mark --mark 2 -j DROP

# Send traffic to ntopng. In this example only TCP/80 is analyzed.
iptables -A OUTPUT -t mangle -m mark --mark 0 -p tcp --destination-port 80 -j NFQUEUE --queue-num 0

# Save mark into CONNMARK
# NOTE: Use POSTROUTING instead of OUTPUT as explained
# in http://serverfault.com/questions/839132/how-to-pass-to-nfqueue-only-the-initial-connection-packets
iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark
============



NOTE
----
When you send traffic to NFQUEUE if ntopng is NOT running, packets will be
blocked in the IP stack as they don't get processed. So make sure ntopng
is running all the time before using this mechanism.