Netfilter
From Segfault
IP Accounting
TBD
Nftables
Adding rules on the fly:
$ nft list ruleset -a | grep -C1 8080
tcp dport 8008 ip saddr 192.168.0.0/24 accept # handle 17
tcp dport 8080 ip saddr 192.168.0.0/24 accept # handle 18
tcp dport 8001 accept # handle 19
$ nft add rule inet filter input position 18 tcp dport 1234 ip saddr 192.168.0.0/24 accept
$ nft add rule inet filter input position 18 ip saddr 1.2.3.4 drop
The new rule will appear after our #18, but with a new handle:
$ nft list ruleset -a | grep -A2 8080
tcp dport 8080 ip saddr 192.168.0.0/24 accept # handle 18
tcp dport 1234 ip saddr 192.168.0.0/24 accept # handle 45
tcp dport 8001 accept # handle 19
Remove it again with:
$ nft delete rule inet filter input handle 45
                  |    |      |
                  |    |      |-- chain
                  |    |--------- chain type
                  |-------------- table
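Handles are assigned when a rule is loaded and are not stable across ruleset reloads, so a script should look the handle up immediately before deleting instead of hard-coding the number seen in an earlier listing. The helper below is an added example, not the wiki's own code: it parses the `# handle N` suffix printed by `nft list ruleset -a`, finds the handle of the first rule matching a fixed-string pattern, and builds the matching `nft delete rule` command. The embedded ruleset text is a constructed sample so the script runs without nft or root; the `NFT_DRY_RUN` variable is an assumed name and defaults to printing the command rather than executing it.

```shell
#!/bin/sh
# Added example (not the wiki's own code): locate an nft rule handle by
# pattern and build/run the matching "nft delete rule" command.
# Runs without nft: the ruleset text below is a constructed sample in the
# format printed by "nft list ruleset -a".

SAMPLE_RULESET='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        tcp dport 8008 ip saddr 192.168.0.0/24 accept # handle 17
        tcp dport 8080 ip saddr 192.168.0.0/24 accept # handle 18
        tcp dport 1234 ip saddr 192.168.0.0/24 accept # handle 45
        tcp dport 8001 accept # handle 19
    }
}'

# nft_handle_for PATTERN [RULESET_TEXT]
# Prints the handle of the first rule line containing PATTERN (fixed string),
# or nothing when no rule matches. Reads the live ruleset when no text is given.
nft_handle_for() {
    pattern=$1
    if [ $# -ge 2 ]; then
        ruleset=$2
    else
        ruleset=$(nft list ruleset -a) || return 1
    fi
    printf '%s\n' "$ruleset" \
        | grep -F -- "$pattern" \
        | sed -n 's/.*# handle \([0-9][0-9]*\)[[:space:]]*$/\1/p' \
        | head -n 1
}

# nft_delete_cmd FAMILY TABLE CHAIN PATTERN [RULESET_TEXT]
# Prints the delete command for the rule matching PATTERN. Fails (exit 1)
# when nothing matches, so a caller never runs "delete rule ... handle"
# with an empty handle.
nft_delete_cmd() {
    family=$1 table=$2 chain=$3 pattern=$4
    shift 4
    handle=$(nft_handle_for "$pattern" "$@") || return 1
    [ -n "$handle" ] || return 1
    printf 'nft delete rule %s %s %s handle %s\n' "$family" "$table" "$chain" "$handle"
}

# Demo on the constructed sample. NFT_DRY_RUN=1 (the default) only prints
# the command; NFT_DRY_RUN=0 executes it (needs root and a real ruleset).
main() {
    cmd=$(nft_delete_cmd inet filter input 'tcp dport 1234' "$SAMPLE_RULESET") || {
        echo "no matching rule" >&2
        return 1
    }
    if [ "${NFT_DRY_RUN:-1}" = 1 ]; then
        echo "would run: $cmd"
    else
        sh -c "$cmd"
    fi
}

main "$@"
```

Against the live ruleset, call `nft_delete_cmd inet filter input 'tcp dport 1234'` without the sample text; the pattern should be specific enough to match exactly one rule, since only the first match is used.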
NFLOG
In the beginning, there was LOG[1]:
> Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (like most IP/IPv6 header fields) via the kernel log (where it can be read with dmesg(1) or read in the syslog).
After that came ULOG[1], but it's already deprecated:
> This is the deprecated ipv4-only predecessor of the NFLOG target. It provides userspace logging of matching packets. When this target is set for a rule, the Linux kernel will multicast this packet through a netlink socket. One or more userspace processes may then subscribe to various multicast groups and receive the packets.
The current way to log messages is NFLOG[1]:
> This target provides logging of matching packets. When this target is set for a rule, the Linux kernel will pass the packet to the loaded logging backend to log the packet. This is usually used in combination with nfnetlink_log as logging backend, which will multicast the packet through a netlink socket to the specified multicast group. One or more userspace processes may subscribe to the group to receive the packets.
ulogd2 can receive those messages and should be available in all major distributions. If the packaged version is too outdated, we have to build it ourselves. We'll have to build the dependencies first, so this may get messy:
for r in libnfnetlink libmnl libnetfilter_log libnetfilter_conntrack libnetfilter_acct ulogd2; do
    git clone git://git.netfilter.org/${r} ${r}-git
done
cd libnfnetlink-git
./autogen.sh && ./configure --prefix=/opt/libnfnetlink && make && sudo make install

cd ../libmnl-git/
./autogen.sh && ./configure --prefix=/opt/libmnl && make && sudo make install

cd ../libnetfilter_log-git/
./autogen.sh && \
LIBNFNETLINK_CFLAGS="-I/opt/libnfnetlink/include" LIBNFNETLINK_LIBS="-L/opt/libnfnetlink/lib" \
LIBMNL_CFLAGS="-I/opt/libmnl/include" LIBMNL_LIBS="-L/opt/libmnl/lib" \
./configure --prefix=/opt/libnetfilter_log && make && sudo make install

cd ../libnetfilter_conntrack-git/
./autogen.sh && \
LIBNFNETLINK_CFLAGS="-I/opt/libnfnetlink/include" LIBNFNETLINK_LIBS="-L/opt/libnfnetlink/lib" \
LIBMNL_CFLAGS="-I/opt/libmnl/include" LIBMNL_LIBS="-L/opt/libmnl/lib" \
./configure --prefix=/opt/libnetfilter_conntrack && make && sudo make install

cd ../libnetfilter_acct-git/
autoreconf -fi && \
LIBMNL_CFLAGS="-I/opt/libmnl/include" LIBMNL_LIBS="-L/opt/libmnl/lib" \
./configure --prefix=/opt/libnetfilter_acct && make && sudo make install
Once this is done, we can finally compile ulogd:
cd ../ulogd2-git/
./autogen.sh && \
LIBNFNETLINK_CFLAGS="-I/opt/libnfnetlink/include" \
LIBNFNETLINK_LIBS="-L/opt/libnfnetlink/lib" \
LIBMNL_CFLAGS="-I/opt/libmnl/include" \
LIBMNL_LIBS="-L/opt/libmnl/lib" \
LIBNETFILTER_LOG_CFLAGS="-I/opt/libnetfilter_log/include" \
LIBNETFILTER_LOG_LIBS="-L/opt/libnetfilter_log/lib" \
LIBNETFILTER_CONNTRACK_CFLAGS="-I/opt/libnetfilter_conntrack/include" \
LIBNETFILTER_CONNTRACK_LIBS="-L/opt/libnetfilter_conntrack/lib" \
LIBNETFILTER_ACCT_CFLAGS="-I/opt/libnetfilter_acct/include" \
LIBNETFILTER_ACCT_LIBS="-L/opt/libnetfilter_acct/lib" \
CFLAGS="-I/opt/libnfnetlink/include" LDFLAGS="-L/opt/libnfnetlink/lib" \
./configure --prefix=/opt/ulogd2 && make && sudo make install
Note: for some reason we have to point CFLAGS and LDFLAGS to our libnfnetlink installation, otherwise the compilation will fail:
  CC       ulogd_inppkt_NFLOG.lo
ulogd_inppkt_NFLOG.c:13:39: fatal error: libnfnetlink/libnfnetlink.h: No such file or directory
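With ulogd2 built, the two halves still have to agree on the nfnetlink_log multicast group: the nft rule names it with `log group N`, and the NFLOG input plugin in ulogd.conf subscribes to the same number. The script below is an added example, not code from the wiki or from the ulogd2 project: it prints the nft rule for a given group and generates a minimal ulogd.conf that chains the NFLOG input through the BASE, IFINDEX, IP2STR and PRINTPKT plugins into the LOGEMU file output. The `/opt/ulogd2` prefix, the `lib/ulogd` plugin directory and the log file paths are assumptions matching the build above; adjust them to your layout.

```shell
#!/bin/sh
# Added example (not from the wiki or the ulogd2 project): wire an nft
# "log group" rule to a minimal ulogd2 configuration. Prefix, plugin
# directory and log paths are assumptions for the /opt/ulogd2 build shown
# above. Nothing here needs root until the printed nft command is run.

ULOGD_PREFIX=${ULOGD_PREFIX:-/opt/ulogd2}          # assumed install prefix
PLUGIN_DIR=${PLUGIN_DIR:-$ULOGD_PREFIX/lib/ulogd}   # assumed plugin directory

# nflog_rule FAMILY TABLE CHAIN GROUP MATCH...
# Prints the nft command that hands packets matching MATCH to nfnetlink_log
# group GROUP. "log group N" is not a verdict: the packet continues to the
# following rules, so accept/drop stays where it already is.
nflog_rule() {
    family=$1 table=$2 chain=$3 group=$4
    shift 4
    printf 'nft add rule %s %s %s %s log group %s\n' \
        "$family" "$table" "$chain" "$*" "$group"
}

# ulogd_conf GROUP OUTFILE
# Prints a ulogd.conf subscribing to nfnetlink_log group GROUP and writing
# syslog-style lines to OUTFILE through the LOGEMU output plugin.
ulogd_conf() {
    group=$1 outfile=$2
    cat <<EOF
[global]
logfile="/var/log/ulogd.log"
plugin="$PLUGIN_DIR/ulogd_inppkt_NFLOG.so"
plugin="$PLUGIN_DIR/ulogd_raw2packet_BASE.so"
plugin="$PLUGIN_DIR/ulogd_filter_IFINDEX.so"
plugin="$PLUGIN_DIR/ulogd_filter_IP2STR.so"
plugin="$PLUGIN_DIR/ulogd_filter_PRINTPKT.so"
plugin="$PLUGIN_DIR/ulogd_output_LOGEMU.so"

# one stack: NFLOG input -> decode -> ifindex/IP to text -> printable line -> file
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

[log1]
group=$group

[emu1]
file="$outfile"
sync=1
EOF
}

# Demo: print the config (redirect it to $ULOGD_PREFIX/etc/ulogd.conf) and
# the rule that logs new inbound SSH connections to group 1.
main() {
    ulogd_conf 1 /var/log/ulogd_syslogemu.log
    echo
    echo "# start: $ULOGD_PREFIX/sbin/ulogd -c $ULOGD_PREFIX/etc/ulogd.conf"
    echo "# then load the rule:"
    nflog_rule inet filter input 1 ct state new tcp dport 22
}

main "$@"
```

Start ulogd before loading the rule; packets sent to a group with no subscriber are simply discarded by nfnetlink_log, which is the usual reason a freshly added `log group` rule appears to log nothing.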
Links
- Ulogd2
- How to: Linux Iptables block common attacks (2005-07-06)
- TCP SYN Cookies – DDoS Defence (2008-09-12)
- TCP: drop open request from (2010-01-08)
- Linux Network IP Accounting (2014-09-09)
- What comes after 'iptables'? Its successor, of course: `nftables` (2016-10-28)
- Benchmarking nftables (2017-04-11)