Installing and using ipt_NETFLOW

ipt_NETFLOW – fast NetFlow traffic sensor, consists of a kernel module and iptables, supports NetFlow v5, v9, v10(IPFIX).

ipt_NETFLOW is compiled from source codes, so when updating the kernel of the operating system, it must be rebuilt.

First of all, install the necessary components, for example for Ubuntu/Debian (I installed on Ubuntu Server 18.04, it didn’t install on 20.04 because it doesn’t have iptables-dev):

apt-get install module-assistant iptables-dev pkg-config
m-a prepare

For CentOS:

yum install kernel-devel iptables-devel pkgconfig

Download ipt_NETFLOW:

git clone git:// ipt-netflow
cd ipt-netflow

Let’s install:

./configure --help
./configure --enable-natevents
make all install

Or so:

./configure --disable-conntrack --disable-natevents
make all install

Specify the address of the collector:

echo options ipt_NETFLOW destination= protocol=9 natevents=1 > /etc/modprobe.d/netflow.conf

We load the kernel module and see the parameters:

modprobe ipt_NETFLOW
sysctl -a | grep net.netflow
sysctl net.netflow
cat /proc/net/stat/ipt_netflow

Change the settings if something is possible like this (reset after a system restart):

sysctl net.netflow.hashsize=32768

Add any of the iptables rules, depending on what traffic you need to collect statistics, for example, the rule with “FORWARD” is enough on the access server:

iptables -I FORWARD -j NETFLOW
iptables -I INPUT -j NETFLOW
iptables -I OUTPUT -j NETFLOW

NETFLOW rules should be at the very beginning, so if there are other iptables rules, we will indicate the number when adding the rule, for example:

iptables -I FORWARD 1 -j NETFLOW

You can delete iptables rules like this:

iptables -D FORWARD -j NETFLOW
iptables -D INPUT -j NETFLOW
iptables -D OUTPUT -j NETFLOW

Make sure that the rule is added and the sensor is running:

iptables -nvL | grep NETFLOW
iptables -nvL FORWARD | grep NETFLOW
netstat -anpl | grep 2055

On a server with a collector, make sure that data comes from the ipt_NETFLOW sensor:

tcpdump -c5 -npi lo port 2055
tcpdump port 2055 -e -n

If everything is ok, add the module to the /etc/modules file so that it boots after the system restarts:

echo ipt_NETFLOW >> /etc/modules

Unload the module if possible like this:

iptables -D FORWARD -j NETFLOW
modprobe -r ipt_NETFLOW

In the test, I installed ipt_NETFLOW on a server that served 10,000 clients with 16 Gb/s traffic, there were no interruptions in communication during the installation of clients, the processor load did not change much (two CPUs Xeon Gold 6230R were installed).

If the parameters in the netflow.conf file were changed, then in order to apply them, you can unload and load the ipt_NETFLOW module on the go, I did this:

iptables -D FORWARD -j NETFLOW
modprobe -r ipt_NETFLOW

iptables -I FORWARD 1 -j NETFLOW
modprobe ipt_NETFLOW

You can disable/enable natevents without reloading the module (nf_conntrack_events must be enabled):

cat /proc/sys/net/netfilter/nf_conntrack_events
cat /proc/sys/net/netflow/natevents
sysctl net.netflow.natevents=0
sysctl net.netflow.natevents=1

See also my article:
Installing and using Nfdump

Leave a comment

Leave a Reply