IP Accounting

TBD

Nftables

Adding rules on the fly:

$ nft list ruleset -a | grep -C1 8080
   tcp dport 8008 ip saddr 192.168.0.0/24 accept # handle 17
   tcp dport 8080 ip saddr 192.168.0.0/24 accept # handle 18
   tcp dport 8001 accept # handle 19

$ nft add rule inet filter input position 18 tcp dport 1234 ip saddr 192.168.0.0/24 accept
$ nft add rule inet filter input position 18  ip saddr 1.2.3.4 drop

The new rule will appear after our #18, but with a new handle:

$ nft list ruleset -a | grep -A2 8080
   tcp dport 8080 ip saddr 192.168.0.0/24 accept # handle 18
   tcp dport 1234 ip saddr 192.168.0.0/24 accept # handle 45
   tcp dport 8001 accept # handle 19

Remove it again with:

$ nft delete rule inet filter input handle 45
                   |    |      |
                   |    |      |-- chain
                   |    |--------- chain type
                   |-------------- table

NFLOG

In the beginning, there was LOG^[1]:

> Turn on kernel logging of matching packets.  When this  option  is  set
> for  a  rule,  the  Linux  kernel  will  print  some information on all
> matching packets (like most IP/IPv6 header fields) via the  kernel  log
> (where it can be read with dmesg(1) or read in the syslog).

After that came ULOG^[1], but it's already deprecated:

> This is the deprecated ipv4-only predecessor of the NFLOG  target.   It
> provides  userspace  logging  of matching packets.  When this target is
> set for a rule, the Linux kernel will multicast this packet  through  a
> netlink  socket.  One or more userspace processes may then subscribe to
> various multicast groups and receive the packets.

The current way to log messages is NFLOG^[1]:

> This  target  provides logging of matching packets. When this target is
> set for a rule, the Linux kernel will pass the  packet  to  the  loaded
> logging  backend to log the packet. This is usually used in combination
> with nfnetlink_log as logging backend, which will multicast the  packet
> through  a netlink socket to the specified multicast group. One or more
> userspace processes may subscribe to the group to receive the  packets.

ulogd2 will be able to receive those messages and should be available in all major distributions. But if it's too outdated, we have to build it outselves. We'll have to build the dependencies first, so this may get messy:

for r in libnfnetlink libmnl libnetfilter_log libnetfilter_conntrack libnetfilter_acct ulogd2; do 
  git clone git://git.netfilter.org/${r} ${r}-git
done

cd libnfnetlink-git
./autogen.sh && ./configure --prefix=/opt/libnfnetlink && make && sudo make install

cd ../libmnl-git/
./autogen.sh && ./configure --prefix=/opt/libmnl && make && sudo make install

cd ../libnetfilter_log-git/
./autogen.sh && LIBNFNETLINK_CFLAGS="-I/opt/libnfnetlink/include" LIBNFNETLINK_LIBS="-L/opt/libnfnetlink/lib" LIBMNL_CFLAGS="-I/opt/libmnl/include" LIBMNL_LIBS="-L/opt/libmnl/lib" ./configure --prefix=/opt/libnetfilter_log && make && sudo make install

cd ../libnetfilter_conntrack-git/
./autogen.sh && LIBNFNETLINK_CFLAGS="-I/opt/libnfnetlink/include" LIBNFNETLINK_LIBS="-L/opt/libnfnetlink/lib" LIBMNL_CFLAGS="-I/opt/libmnl/include" LIBMNL_LIBS="-L/opt/libmnl/lib" ./configure --prefix=/opt/libnetfilter_conntrack && make && sudo make install

cd ../libnetfilter_acct-git/
autoreconf -fi && LIBMNL_CFLAGS="-I/opt/libmnl/include" LIBMNL_LIBS="-L/opt/libmnl/lib" ./configure --prefix=/opt/libnetfilter_acct && make && sudo make install

Once this is done, we can finally compile ulogd:

cd ../ulogd2-git/
./autogen.sh && \
  LIBNFNETLINK_CFLAGS="-I/opt/libnfnetlink/include" \
  LIBNFNETLINK_LIBS="-L/opt/libnfnetlink/lib" 
  LIBMNL_CFLAGS="-I/opt/libmnl/include" \
  LIBMNL_LIBS="-L/opt/libmnl/lib" \
  LIBNETFILTER_LOG_CFLAGS="-I/opt/libnetfilter_log/include" \
  LIBNETFILTER_LOG_LIBS="-L/opt/libnetfilter_log/lib" \
  LIBNETFILTER_CONNTRACK_CFLAGS="-I/opt/libnetfilter_conntrack/include" \
  LIBNETFILTER_CONNTRACK_LIBS="-L/opt/libnetfilter_conntrack/lib" \
  LIBNETFILTER_ACCT_CFLAGS="-I/opt/libnetfilter_acct/include" \
  LIBNETFILTER_ACCT_LIBS="-L/opt/libnetfilter_acct/lib" \
  CFLAGS="-I/opt/libnfnetlink/include" LDFLAGS="-L/opt/libnfnetlink/lib" \
./configure --prefix=/opt/ulogd2 && make && sudo make install

Note: for some reason we have to point CFLAGS and LDFLAGS to our libnfnetlink installation, otherwise the compilation will fail:

  CC       ulogd_inppkt_NFLOG.lo
ulogd_inppkt_NFLOG.c:13:39: fatal error: libnfnetlink/libnfnetlink.h: No such file or directory

Links

• Ulogd2
• How to: Linux Iptables block common attacks (2005-07-06)
• TCP SYN Cookies – DDoS Defence (2008-09-12)
• TCP: drop open request from (2010-01-08)
• Linux Network IP Accounting (2014-09-09)

---

• What comes after 'iptables'? Its successor, of course: `nftables` (2016-10-28)
• Benchmarking nftables (2017-04-11)

---

• Nftables port knocking
• Port knocking example

References