Installing and using ipt_NETFLOW

ipt_NETFLOW is a fast NetFlow traffic sensor. It consists of a kernel module and an iptables target, and it supports NetFlow v5, v9 and v10 (IPFIX).

ipt_NETFLOW is built from source, so it must be rebuilt whenever the operating system kernel is updated.

First of all, install the necessary components, for example for Ubuntu/Debian:

apt-get install module-assistant iptables-dev pkg-config
m-a prepare

For CentOS:

yum install kernel-devel iptables-devel pkgconfig

Download ipt_NETFLOW:

git clone git:// ipt-netflow
cd ipt-netflow

Let’s install:

./configure --help
./configure --enable-natevents
make all install

Or like this, without conntrack and NAT events:

./configure --disable-conntrack --disable-natevents
make all install

Specify the address of the collector (destination, NetFlow version and whether NAT events are exported):

echo options ipt_NETFLOW destination= protocol=9 natevents=1 > /etc/modprobe.d/netflow.conf

Load the kernel module and view its parameters:

modprobe ipt_NETFLOW
sysctl -a | grep net.netflow
sysctl net.netflow
cat /proc/net/stat/ipt_netflow

If needed, settings can be changed on the fly like this (they reset after a system restart):

sysctl net.netflow.hashsize=32768

Add iptables rules depending on which traffic you need to collect statistics for; on an access server, for example, the FORWARD rule alone is enough:

iptables -I FORWARD -j NETFLOW
iptables -I INPUT -j NETFLOW
iptables -I OUTPUT -j NETFLOW

NETFLOW rules should be at the very beginning of the chain, so if other iptables rules already exist, specify the rule number when inserting, for example:

iptables -I FORWARD 1 -j NETFLOW

You can delete iptables rules like this:

iptables -D FORWARD -j NETFLOW
iptables -D INPUT -j NETFLOW
iptables -D OUTPUT -j NETFLOW

Make sure the rule has been added and the sensor is running (the default collector port is 2055):

iptables -nvL | grep NETFLOW
iptables -nvL FORWARD | grep NETFLOW
netstat -anpl | grep 2055

On the collector server, make sure that data is arriving from the ipt_NETFLOW sensor:

tcpdump -c5 -npi lo port 2055
tcpdump port 2055 -e -n

If everything is OK, add the module to the /etc/modules file so that it loads after a system restart:

echo ipt_NETFLOW >> /etc/modules
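As an added example (not from the article or the ipt_NETFLOW project), the following POSIX sh script wraps the steps above: it validates the collector address and protocol before writing /etc/modprobe.d/netflow.conf, appends ipt_NETFLOW to /etc/modules only once, and inserts the NETFLOW rules with `iptables -C` first so that re-running it does not stack duplicate rules at the top of the chain. The function names and the DRY_RUN variable are this script's own, and the collector address 192.0.2.10:2055 is a constructed placeholder.

```shell
#!/bin/sh
# Added helper script (not part of ipt_NETFLOW or the original article).
# Builds the modprobe options line and inserts the NETFLOW target rules
# idempotently, so re-running it never creates duplicate rules.
# Function names and the DRY_RUN variable are this script's own assumptions.

# Validate "host:port[,host:port...]", the NetFlow version and the natevents
# flag, then print the line that goes into /etc/modprobe.d/netflow.conf.
netflow_modprobe_conf() {
    dest=$1; proto=$2; natevents=${3:-0}
    case "$proto" in 5|9|10) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    case "$natevents" in 0|1) ;; *) echo "bad natevents: $natevents" >&2; return 1 ;; esac
    [ -n "$dest" ] || { echo "empty destination" >&2; return 1; }
    for d in $(printf '%s' "$dest" | tr ',' ' '); do
        host=${d%:*}; port=${d##*:}
        [ -n "$host" ] && [ "$host" != "$d" ] || { echo "bad destination: $d" >&2; return 1; }
        case "$port" in ''|*[!0-9]*) echo "bad port in: $d" >&2; return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port in: $d" >&2; return 1; }
    done
    printf 'options ipt_NETFLOW destination=%s protocol=%s natevents=%s\n' \
        "$dest" "$proto" "$natevents"
}

# Print the command that inserts "-j NETFLOW" at position 1 of a chain,
# but only when an identical rule is not already present (iptables -C).
netflow_rule_cmd() {
    chain=$1
    case "$chain" in INPUT|OUTPUT|FORWARD) ;; *) echo "unknown chain: $chain" >&2; return 1 ;; esac
    printf 'iptables -C %s -j NETFLOW 2>/dev/null || iptables -I %s 1 -j NETFLOW\n' \
        "$chain" "$chain"
}

# Run a command, or just print it when DRY_RUN=1 (the default, so that the
# script is safe to execute without root).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "+ $*"; else eval "$*"; fi
}

# netflow_apply DEST PROTO NATEVENTS CHAIN...
netflow_apply() {
    dest=$1; proto=$2; natevents=$3; shift 3
    conf=$(netflow_modprobe_conf "$dest" "$proto" "$natevents") || return 1
    run "printf '%s\n' '$conf' > /etc/modprobe.d/netflow.conf"
    run "grep -qx ipt_NETFLOW /etc/modules || echo ipt_NETFLOW >> /etc/modules"
    run "modprobe ipt_NETFLOW"
    for chain in "$@"; do
        cmd=$(netflow_rule_cmd "$chain") || return 1
        run "$cmd"
    done
}

# Usage: DRY_RUN=0 sh netflow-setup.sh 192.0.2.10:2055 9 1 FORWARD
if [ "$#" -ge 4 ]; then netflow_apply "$@"; fi
```

Run it once with the default DRY_RUN=1 to review the exact commands, then with DRY_RUN=0 as root. `iptables -C` returns non-zero when the rule is absent, which is what makes the insert conditional; it has been available since iptables 1.4.11.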

If needed, unload the module like this (remove the rules first):

iptables -D FORWARD -j NETFLOW
modprobe -r ipt_NETFLOW

In a test, I installed ipt_NETFLOW on a server serving 10,000 clients with 16 Gb/s of traffic; there were no interruptions in client connections during the installation, and processor load did not change much (two E5-2690v2 CPUs were installed).

If the parameters in the netflow.conf file were changed, then to apply them you can unload and reload the ipt_NETFLOW module on the fly; I did it like this:

iptables -D FORWARD -j NETFLOW
modprobe -r ipt_NETFLOW

iptables -I FORWARD 1 -j NETFLOW
modprobe ipt_NETFLOW

You can disable or enable natevents without reloading the module (nf_conntrack_events must be enabled):

cat /proc/sys/net/netfilter/nf_conntrack_events
cat /proc/sys/net/netflow/natevents
sysctl net.netflow.natevents=0
sysctl net.netflow.natevents=1

See also my article:
Installing and using Nfdump
