ipt_NETFLOW is a fast NetFlow traffic sensor consisting of a kernel module and an iptables target module; it supports NetFlow v5, v9 and v10 (IPFIX).
ipt_NETFLOW is compiled from source, so it must be rebuilt whenever the operating system kernel is updated.
First, install the required build dependencies, for example on Ubuntu/Debian (I installed it on Ubuntu Server 18.04; it did not install on 20.04 because that release does not have iptables-dev):
apt-get install module-assistant iptables-dev pkg-config
m-a prepare
For CentOS:
yum install kernel-devel iptables-devel pkgconfig
Download ipt_NETFLOW:
git clone https://github.com/aabc/ipt-netflow.git ipt-netflow
cd ipt-netflow
Configure, build and install (./configure --help lists the available options):
./configure --help
./configure --enable-natevents
make all install
depmod
Or, without conntrack and NAT event support:
./configure --disable-conntrack --disable-natevents
make all install
depmod
Specify the collector address and the module parameters (here: NetFlow v9 with NAT events enabled):
echo options ipt_NETFLOW destination=192.168.2.2:2055 protocol=9 natevents=1 > /etc/modprobe.d/netflow.conf
Load the kernel module and view its parameters and statistics:
modprobe ipt_NETFLOW
sysctl -a | grep net.netflow
sysctl net.netflow
cat /proc/net/stat/ipt_netflow
Parameters can be changed on the fly via sysctl like this (such changes are lost after a reboot):
sysctl net.netflow.hashsize=32768
Add one or more of the following iptables rules depending on which traffic you need statistics for; on an access server, for example, the FORWARD rule alone is enough:
iptables -I FORWARD -j NETFLOW
iptables -I INPUT -j NETFLOW
iptables -I OUTPUT -j NETFLOW
NETFLOW rules should be at the very beginning of the chain, so if other iptables rules already exist, specify the rule number when inserting, for example:
iptables -I FORWARD 1 -j NETFLOW
You can delete iptables rules like this:
iptables -D FORWARD -j NETFLOW
iptables -D INPUT -j NETFLOW
iptables -D OUTPUT -j NETFLOW
Make sure the rule has been added and the sensor is running:
iptables -nvL | grep NETFLOW
iptables -nvL FORWARD | grep NETFLOW
netstat -anpl | grep 2055
On the collector server, make sure that data arrives from the ipt_NETFLOW sensor:
tcpdump -c5 -npi lo port 2055
tcpdump port 2055 -e -n
If everything is OK, add the module to /etc/modules so that it is loaded at boot:
echo ipt_NETFLOW >> /etc/modules
The module can be unloaded like this (delete the NETFLOW rules first):
iptables -D FORWARD -j NETFLOW
modprobe -r ipt_NETFLOW
In the test, I installed ipt_NETFLOW on a server serving 10,000 clients with 16 Gb/s of traffic; there were no interruptions in client connectivity during the installation, and the processor load did not change much (two Xeon Gold 6230R CPUs were installed).
If the parameters in netflow.conf were changed, you can unload and reload the ipt_NETFLOW module on the fly to apply them; I did this:
iptables -D FORWARD -j NETFLOW
modprobe -r ipt_NETFLOW
iptables -I FORWARD 1 -j NETFLOW
modprobe ipt_NETFLOW
natevents can be disabled and enabled without reloading the module (nf_conntrack_events must be enabled):
cat /proc/sys/net/netfilter/nf_conntrack_events
cat /proc/sys/net/netflow/natevents
sysctl net.netflow.natevents=0
sysctl net.netflow.natevents=1
See also my article:
Installing and using Nfdump