Using ipt_NETFLOW on Debian
===========================
These instructions assume that
* you have a separate interface which receives traffic from a mirror
  port (SPAN port in Cisco slang) on some router, and
* you use ifupdown for managing and controlling network interfaces.
Configure the mirror-port interface to listen in promiscuous mode
-----------------------------------------------------------------
Add the interface (named enoEXAMPLE in this example) to
/etc/network/interfaces as follows to make it listen persistently in
promiscuous mode:

    allow-hotplug enoEXAMPLE
    iface enoEXAMPLE inet manual
        up ip link set $IFACE up
        up ip link set $IFACE promisc on
        down ip link set $IFACE promisc off
        down ip link set $IFACE down
Load the ipt_NETFLOW kernel module
----------------------------------
Create /etc/modprobe.d/ipt_NETFLOW.conf with contents similar to the
following, i.e. replace the IP addresses with those of your netflow
consumers:

    options ipt_NETFLOW destination=127.0.0.1:2055,192.0.2.2:2055 promisc=1

If you have just created that file and haven't rebooted since, you can
also load the kernel module right away with a command similar to this
one:

    modprobe ipt_NETFLOW destination=127.0.0.1:2055,192.0.2.2:2055 promisc=1
Configure the ipt_NETFLOW kernel module
---------------------------------------
To see the current configuration of the ipt_NETFLOW module, call this
command as root:

    sysctl net.netflow

The output will look like this:

    # sysctl net.netflow
    net.netflow.active_timeout = 60
    net.netflow.debug = 0
    net.netflow.destination = 127.0.0.1:2055,192.0.2.2:2055
    net.netflow.flush = 0
    net.netflow.hashsize = 655360
    net.netflow.inactive_timeout = 15
    net.netflow.maxflows = 0
    net.netflow.natevents = 0
    net.netflow.promisc = 1
    net.netflow.protocol = 10
    net.netflow.refresh-rate = 20
    net.netflow.sampler =
    net.netflow.scan-min = 1
    net.netflow.sndbuf = 212992
    net.netflow.snmp-rules =
    net.netflow.timeout-rate = 30
Probably the most important option besides net.netflow.destination is
net.netflow.protocol: by default, ipt_NETFLOW sends data in NetFlow
format version 5. The other supported format versions are 9 and 10,
where 10 means "send IPFIX format". If you plan to account for IPv6
traffic you must use protocol 9 or 10 (IPFIX), because NetFlow v5 is
not compatible with IPv6.

See /usr/share/doc/iptables-netflow-dkms/README.gz for details about
the other options.

Using "sysctl -w" with the appropriate parameters you can fine-tune
the ipt_NETFLOW parameters at runtime.

Once you're satisfied with the parameters in use, you can add them to
the options line in /etc/modprobe.d/ipt_NETFLOW.conf, e.g. like this:

    options ipt_NETFLOW destination=127.0.0.1:2055,192.0.2.2:2055 promisc=1 protocol=10 maxflows=0 active_timeout=60
Configure iptables/netfilter
----------------------------
If you want to generate netflows for all (routable, i.e. IP) traffic
on a promiscuous interface, use these two commands to direct that
traffic to the NETFLOW target:

    iptables -t raw -i enoEXAMPLE -I PREROUTING -j NETFLOW
    ip6tables -t raw -i enoEXAMPLE -I PREROUTING -j NETFLOW

In case you use a promiscuous interface, it's important to use the raw
table and the PREROUTING chain. See
/usr/share/doc/iptables-netflow-dkms/README.gz and
/usr/share/doc/iptables-netflow-dkms/README.promisc for details on why
this is necessary.

You might want to use tools like iptables-save and iptables-restore
(from the package "iptables") or a package like iptables-persistent to
make these rules persistent.
Check if everything works fine
------------------------------
Commands to check the state of your setup (irqtop comes from the
Debian package of the same name):

    # irqtop
    # cat /proc/net/stat/ipt_netflow
    # iptables -t raw -v -L PREROUTING
    # ip6tables -t raw -v -L PREROUTING
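As an added example (not part of the iptables-netflow-dkms package), the
following POSIX shell functions check the points this README stresses:
protocol 9 or 10 for IPv6, promisc=1 for a mirror port, well-formed
IPv4ADDR:PORT consumers, and the NETFLOW rule sitting in raw/PREROUTING.
The sample outputs are constructed from the values shown above; on a live
host, feed them "$(sysctl net.netflow)" and "$(iptables -t raw -S
PREROUTING)" (or the ip6tables equivalent) instead.

```shell
#!/bin/sh
# Added example, not part of iptables-netflow-dkms: sanity checks for the
# setup described above. Each check takes command output as text, so it can
# be fed live "sysctl net.netflow" / "iptables -t raw -S PREROUTING" output
# or, as here, constructed samples matching the values in this README.
SAMPLE_SYSCTL='net.netflow.destination = 127.0.0.1:2055,192.0.2.2:2055
net.netflow.promisc = 1
net.netflow.protocol = 10'
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -i enoEXAMPLE -j NETFLOW'

# netflow_param TEXT NAME: print the value of net.netflow.NAME found in TEXT.
netflow_param() {
    printf '%s\n' "$1" | sed -n "s/^net\.netflow\.$2 = //p"
}
# check_protocol TEXT: NetFlow v5 cannot carry IPv6 flows; require 9 or 10.
check_protocol() {
    case "$(netflow_param "$1" protocol)" in
        9|10) return 0 ;;
        *) echo "set protocol=9 or 10 to account for IPv6 traffic" >&2; return 1 ;;
    esac
}
# check_promisc TEXT: promisc=1 is required when listening on a mirror port.
check_promisc() {
    [ "$(netflow_param "$1" promisc)" = 1 ]
}
# check_destinations TEXT: every consumer must be given as IPv4ADDR:PORT
# (assumption: IPv4 collectors only, as in the examples above).
check_destinations() {
    dests=$(netflow_param "$1" destination)
    [ -n "$dests" ] || return 1
    for d in $(printf '%s\n' "$dests" | tr ',' ' '); do
        host=${d%:*}; port=${d##*:}
        case "$port" in ''|*[!0-9]*) return 1 ;; esac
        case "$host" in *.*.*.*) ;; *) return 1 ;; esac
    done
    return 0
}
# check_rule RULES IFACE: the NETFLOW target must be in raw/PREROUTING for
# the mirror interface ("iptables -t raw -S PREROUTING" output format).
check_rule() {
    printf '%s\n' "$1" | grep -q -- "^-A PREROUTING -i $2 -j NETFLOW"
}
# run_checks SYSCTL_TEXT RULES_TEXT IFACE: succeed only if every check passes.
run_checks() {
    check_protocol "$1" && check_promisc "$1" &&
        check_destinations "$1" && check_rule "$2" "$3"
}
run_checks "$SAMPLE_SYSCTL" "$SAMPLE_RULES" enoEXAMPLE && echo "ipt_NETFLOW setup looks sane"
```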
-- Axel Beckert <abe@debian.org>, Fri, 13 Apr 2018 17:59:19 +0200