Implement NetFlow on CentOS 6 (el6) and SELinux
Note that ipt-netflow produces netflow v5 packets; it does not produce v9 or IPFIX compliant netflow packets. If anyone has these mystery patches, please feel free to share a link in the comments below.
The goal is to set up a NetFlow generator and sensor on a single CentOS box for session monitoring over time. Due to a lack of hardware, I am using a box with a single NIC, and will be configuring a switch to mirror traffic on the port facing the site firewall to that NIC. This affects the configuration only in that I will choose to exclude packets to or from the host itself when configuring the ipt_NETFLOW rule set in iptables.
This post references the README file included with the source as well as some information from the NST project’s docs.
yum -y install iptables-devel gcc kernel-headers kernel-devel gcc-c++ make wget
You can choose to upgrade the kernel by also installing the kernel package. Check the compatibility notes on the project page before deciding this. If you do upgrade, reboot before continuing and boot into the newer kernel (this is the default unless you have multiple kernels installed).
Download, decompress, build and install ipt_netflow:
cd
wget http://sourceforge.net/projects/ipt-netflow/files/latest/download
tar -zxvf ipt_netflow*.tgz
cd ipt_netflow*
./configure
make all install
depmod
ls -al /root/ipt_netflow-*/ipt_NETFLOW.ko #it really does exist
ls -al /lib/modules/$(uname -r)/extra/ipt_NETFLOW.ko #and it really does exist here too
Set default config for ipt_NETFLOW:
The following configures the destination of the NetFlow packets to be the bound IP address of the interface, port 2055:
vim /etc/modprobe.d/ipt_netflow.conf
options ipt_NETFLOW destination=[bound ip address of interface, i mean write it here, not this string and definitely not the brackets]:2055
Configure the ipt_NETFLOW module to load on system boot:
Verify that iptables will start at the runlevels you wish:
chkconfig --list | grep iptables #should list the runlevels that iptables is configured to start
Add the module to the iptables startup config:
For the iptables service to load the ipt_NETFLOW module in turn, you have to edit the iptables module config:
vim /etc/sysconfig/iptables-config
#make sure that at least ipt_NETFLOW is listed in the IPTABLES_MODULES option
IPTABLES_MODULES="ipt_NETFLOW"
Want to know more? Check out Quick Primer: linux kernel module loading.
Relabel the kernel module for SELinux
restorecon -v /lib/xtables/libipt_NETFLOW.so
service iptables restart
Check that the ipt_NETFLOW module is loaded and visible to iptables:
Check that it is loaded into memory:
grep ipt_netflow /proc/slabinfo
Check to see if it was loaded by iptables:
Add iptables rules to activate NetFlow:
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak #alternative to the iptables-save and iptables-restore commands
service iptables start
iptables -A INPUT -j NETFLOW
iptables -A OUTPUT -j NETFLOW
iptables -A FORWARD -j NETFLOW
service iptables save
service iptables stop #stop it for now
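Because the three NETFLOW rules above are the only thing that actually feeds traffic to the module, a quick consistency check is worth keeping around. The script below is an added example (not part of the original post): each function reads the output of iptables -S or lsmod from stdin, so the logic is exercised here against constructed samples, and a --live mode runs the same checks against the real sensor. The sample rule listing and lsmod text are constructed, and the FORWARD chain is deliberately left without a NETFLOW rule.

```shell
# Added example: verify that ipt_NETFLOW is loaded and that INPUT, OUTPUT and
# FORWARD each carry a '-j NETFLOW' rule. Functions read command output from
# stdin so they can be tested offline; --live feeds them the running system.

# Print each of INPUT, OUTPUT, FORWARD that has no '-j NETFLOW' rule.
# Input: 'iptables -S' output on stdin. Prints nothing when all are covered.
chains_missing_netflow() {
    rules=$(cat)
    for chain in INPUT OUTPUT FORWARD; do
        printf '%s\n' "$rules" | grep -q -- "^-A $chain .*-j NETFLOW" \
            || printf '%s\n' "$chain"
    done
}

# Return 0 if module $1 appears in 'lsmod' output read from stdin.
module_loaded() {
    grep -q -- "^$1 "
}

# Constructed sample of 'iptables -S': FORWARD has no NETFLOW target.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -j NETFLOW
-A OUTPUT -j NETFLOW'

# Constructed sample of 'lsmod'.
SAMPLE_LSMOD='Module                  Size  Used by
ipt_NETFLOW            40960  3
x_tables               27115  4 ip_tables,ipt_NETFLOW'

# Live mode: query the running system (needs root on the sensor).
live_check() {
    if ! lsmod | module_loaded ipt_NETFLOW; then
        echo "ipt_NETFLOW is not loaded"
        return 1
    fi
    missing=$(iptables -S | chains_missing_netflow)
    if [ -n "$missing" ]; then
        printf 'chains without a NETFLOW rule: %s\n' "$missing"
        return 1
    fi
    echo "ipt_NETFLOW loaded and all three chains hand packets to it"
}

if [ "${1:-}" = "--live" ]; then
    live_check
else
    # Offline demonstration on the constructed sample (prints FORWARD).
    printf 'sample: chains missing NETFLOW -> %s\n' \
        "$(printf '%s\n' "$SAMPLE_RULES" | chains_missing_netflow)"
fi
```

Run it with --live after "service iptables start" to confirm that the saved rule set came back with all three NETFLOW rules; a non-zero exit means either the module is absent or a chain was left out.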
Configure a dummy NIC and set up a network bridge
In order to configure a dummy NIC, you can follow another post.
Restart iptables again so that your rules are picked up:
service iptables start
Here are some extra things:
Make changes to the ipt_NETFLOW module at run time:
Use sysctl to configure ipt_NETFLOW at run time through the net.netflow namespace (for example net.netflow.destination). Note that changes made at run time are lost when the module is reloaded, and sysctl offers no way to save them to the startup configuration.
List all available parameters that can be set in the name space:
sysctl -a | grep net.netflow
Write parameters using:
sysctl -w [parameter]="[double-quote nested list or info]"
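Since a runtime sysctl change does not survive a module reload, the destination has to be kept in two places: the modprobe options file for boot, and net.netflow.destination for the running module. The script below is an added example (not from the original post) that ties the modprobe.d step and the sysctl step together: it derives the interface's bound IPv4 address from iproute2's one-line output (ip -4 -o addr show dev IFACE), validates the IP:PORT form ipt_NETFLOW expects, rewrites the single options line in the config file, and applies the value through sysctl only when the module's /proc/sys entry exists. The function names, the --live mode and the sample ip output are constructed for this example.

```shell
# Added example: persist and apply the ipt_NETFLOW destination consistently.
# The config file is an argument so the functions can be tested on a temp file.

# Print the first IPv4 address (without prefix length) from
# 'ip -4 -o addr show dev IFACE' output read on stdin.
ipv4_from_ip_output() {
    awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# Return 0 if $1 looks like dotted-quad:port, the form the module expects.
valid_destination() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}:[0-9]{1,5}$'
}

# Write (or replace) the single 'options ipt_NETFLOW ...' line in file $1,
# using the remaining arguments as module parameters; other lines are kept.
write_modprobe_options() {
    file=$1; shift
    opts="$*"
    tmp="$file.tmp.$$"
    {
        if [ -f "$file" ]; then grep -v '^options ipt_NETFLOW' "$file" || true; fi
        printf 'options ipt_NETFLOW %s\n' "$opts"
    } > "$tmp"
    mv "$tmp" "$file"
}

# Apply parameter $1 (under net.netflow) with value $2 at run time. This is the
# change that is lost on reload, which is why the file above is written too.
apply_runtime() {
    if [ -w "/proc/sys/net/netflow/$1" ]; then
        sysctl -w "net.netflow.$1=$2"
    else
        echo "net.netflow.$1 not available (module not loaded?)" >&2
        return 1
    fi
}

# Constructed sample of 'ip -4 -o addr show dev eth0' output.
SAMPLE_IP_OUTPUT='2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever'

# configure_destination IFACE PORT CONF_FILE [CAPTURED_IP_OUTPUT]
# Derive the address (from the live interface, or from captured text when $4
# is given), persist it, and print the resulting destination.
configure_destination() {
    iface=$1; port=$2; conf=$3
    if [ -n "${4:-}" ]; then
        addr=$(printf '%s\n' "$4" | ipv4_from_ip_output)
    else
        addr=$(ip -4 -o addr show dev "$iface" | ipv4_from_ip_output)
    fi
    dest="$addr:$port"
    valid_destination "$dest" || { echo "bad destination: $dest" >&2; return 1; }
    write_modprobe_options "$conf" "destination=$dest"
    printf '%s\n' "$dest"
}

if [ "${1:-}" = "--live" ]; then
    # On the sensor: persist for boot, then apply to the running module.
    dest=$(configure_destination "${2:-eth0}" 2055 /etc/modprobe.d/ipt_netflow.conf)
    apply_runtime destination "$dest"
else
    printf 'sample destination -> %s:2055\n' \
        "$(printf '%s\n' "$SAMPLE_IP_OUTPUT" | ipv4_from_ip_output)"
fi
```

After running it with --live, "sysctl -a | grep net.netflow" should show the same destination that is now in /etc/modprobe.d/ipt_netflow.conf, so a later "service iptables restart" brings the module back with the value you expect.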
Monitor statistics on the ipt_NETFLOW module
You can review/watch stats for the process via proc:
You can check that NetFlow data is actually being exported by using the iptables LOG module:
iptables -A OUTPUT -p udp --dport 2055 -j LOG #add the LOG rule
tail -f /var/log/messages
iptables -D OUTPUT -p udp --dport 2055 -j LOG #delete the LOG rule
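Watching tail -f tells you the packets exist; it does not tell you how many went where, and an unrestricted LOG rule on a busy exporter fills /var/log/messages quickly. The script below is an added example (not from the original post) that uses a rate-limited, prefixed LOG rule (iptables -m limit and --log-prefix) and then parses the resulting kernel log lines to count export packets per SRC/DST pair and total their bytes. The log lines are constructed samples in the format the LOG target writes; the third line is unrelated DNS traffic that the parser must ignore.

```shell
# Added example: count and summarise NetFlow export packets from iptables LOG
# lines. The parsing functions read log text on stdin so they work on
# /var/log/messages as well as on the constructed sample below.

NETFLOW_PORT=2055
LOG_PREFIX='NETFLOW-EXPORT: '

# Rate-limited LOG rule that matches only the export traffic.
add_export_log_rule() {
    iptables -I OUTPUT -p udp --dport "$NETFLOW_PORT" -m limit --limit 6/min \
        -j LOG --log-prefix "$LOG_PREFIX"
}
del_export_log_rule() {
    iptables -D OUTPUT -p udp --dport "$NETFLOW_PORT" -m limit --limit 6/min \
        -j LOG --log-prefix "$LOG_PREFIX"
}

# count_exports PORT: number of logged UDP packets to PORT, read from stdin.
count_exports() {
    grep -Ec -- "PROTO=UDP .*DPT=$1( |$)" || true
}

# export_summary PORT: per SRC->DST packet count and IP-length byte total.
export_summary() {
    awk -v port="$1" '
        /PROTO=UDP/ {
            src = dst = dpt = ""; len = 0
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
                else if (kv[1] == "LEN" && len == 0) len = kv[2]  # first LEN is the IP total length
            }
            if (dpt == port) { pkts[src "->" dst]++; bytes[src "->" dst] += len }
        }
        END { for (k in pkts) printf "%s %d packets %d bytes\n", k, pkts[k], bytes[k] }'
}

# Constructed sample of /var/log/messages lines written by the LOG target.
SAMPLE_LOG='Jun  5 10:00:01 sensor kernel: NETFLOW-EXPORT: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.20 LEN=1492 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=44213 DPT=2055 LEN=1472
Jun  5 10:00:02 sensor kernel: NETFLOW-EXPORT: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.20 LEN=1492 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=44213 DPT=2055 LEN=1472
Jun  5 10:00:03 sensor kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.53 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51000 DPT=53 LEN=48'

# Offline demonstration on the sample: 2 packets, 2984 bytes to the collector.
printf '%s\n' "$SAMPLE_LOG" | export_summary "$NETFLOW_PORT"
```

On the sensor the sequence is add_export_log_rule, wait a minute or two, "tail -n 500 /var/log/messages | export_summary 2055", then del_export_log_rule; a pair whose DST is not your collector, or a zero count while flows are being mirrored, points at the destination setting or the rule set rather than at the collector.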
See also: NST’s wiki page on the Dummy Interface.