Using ipt_NETFLOW on Debian
===========================

These instructions assume that

* you have a separate interface which receives traffic from a mirror
  port (SPAN port in Cisco slang) on some router.

* you use ifupdown for managing and controlling network interfaces.


Configure the according interface to listen in promiscuous mode
---------------------------------------------------------------

Add the interface (named enoEXAMPLE in this example) to
/etc/network/interfaces as follows to make it listen persistently in
promiscuous mode:

  allow-hotplug enoEXAMPLE
  iface enoEXAMPLE inet manual
      up ip link set $IFACE up
      up ip link set $IFACE promisc on
      down ip link set $IFACE promisc off
      down ip link set $IFACE down

"inet manual" means ifupdown assigns no address to the interface. A
mirror-port interface only has to be up and promiscuous; it needs no
address of its own, and having none keeps the host from answering on
the monitoring link.


Load the ipt_NETFLOW kernel module
----------------------------------

Create /etc/modprobe.d/ipt_NETFLOW.conf with contents similar to the
following, i.e. replace the IP addresses with those of your netflow
consumers:

  options ipt_NETFLOW destination=127.0.0.1:2055,192.0.2.2:2055 promisc=1

If you have just created that file and haven't rebooted since, you can
also load the kernel module by hand with the same parameters:

  modprobe ipt_NETFLOW destination=127.0.0.1:2055,192.0.2.2:2055 promisc=1

Keep in mind that NetFlow/IPFIX export is plain UDP: neither
authenticated nor encrypted, and it carries a who-talked-to-whom record
of everything seen on the mirror port. Export only to collectors on a
trusted management network and restrict the collector port to the
exporter's address.


Configure the ipt_NETFLOW kernel module
---------------------------------------

To see the current configuration of the ipt_NETFLOW module, call this
command as root:

  sysctl net.netflow

The output will look like this:

  # sysctl net.netflow
  net.netflow.active_timeout = 60
  net.netflow.debug = 0
  net.netflow.destination = 127.0.0.1:2055,192.0.2.2:2055
  net.netflow.flush = 0
  net.netflow.hashsize = 655360
  net.netflow.inactive_timeout = 15
  net.netflow.maxflows = 0
  net.netflow.natevents = 0
  net.netflow.promisc = 1
  net.netflow.protocol = 10
  net.netflow.refresh-rate = 20
  net.netflow.sampler =
  net.netflow.scan-min = 1
  net.netflow.sndbuf = 212992
  net.netflow.snmp-rules =
  net.netflow.timeout-rate = 30

Probably the most important setting besides net.netflow.destination is
net.netflow.protocol: By default, ipt_NETFLOW sends data in NetFlow
format version 5. The other supported format versions are 9 and 10,
where 10 means "send IPFIX format". If you plan to account IPv6
traffic you must use protocol 9 or 10 (IPFIX): NetFlow v5 records have
fixed 32-bit address fields and cannot carry IPv6 addresses at all, so
IPv6 flows are silently not exported with protocol 5.

See /usr/share/doc/iptables-netflow-dkms/README.gz for details about
the other options.

Using "sysctl -w" with the appropriate parameters you can fine-tune the
ipt_NETFLOW parameters while it is running. Such changes are lost when
the module is reloaded or the machine reboots, so once you're satisfied
with the parameters, add them to the options line in
/etc/modprobe.d/ipt_NETFLOW.conf, e.g. like this:

  options ipt_NETFLOW destination=127.0.0.1:2055,192.0.2.2:2055 promisc=1 protocol=10 maxflows=0 active_timeout=60


Configure iptables/netfilter
----------------------------

If you want to generate netflows for all (routable, i.e. IP) traffic
on a promiscuous interface, use these two commands to direct the
according traffic to the NETFLOW target:

  iptables  -t raw -I PREROUTING -i enoEXAMPLE -j NETFLOW
  ip6tables -t raw -I PREROUTING -i enoEXAMPLE -j NETFLOW

In case you use a promiscuous interface, it's important to use the raw
table and the PREROUTING chain: frames taken from a mirror port are not
addressed to this host, so they never get past that earliest hook and
would not reach any later table or chain. See
/usr/share/doc/iptables-netflow-dkms/README.gz and
/usr/share/doc/iptables-netflow-dkms/README.promisc for details on
why this is necessary.

Note that "-I" inserts unconditionally. Running the two commands a
second time (e.g. from a script at every boot) adds duplicate rules,
and every packet is then handed to the NETFLOW target once per rule,
which inflates the exported counters. Check for an existing rule with
the "-C" option before inserting, or use iptables-restore, which
replaces the table contents instead of appending to them.

You might want to use tools like iptables-save and iptables-restore
(from the package "iptables") or a package like iptables-persistent to
make these rules persistent.


Check if everything works fine
------------------------------

Commands to check the state of your setup (irqtop comes from the
Debian package of the same name):

  # irqtop
  # cat /proc/net/stat/ipt_netflow
  # iptables -t raw -v -L PREROUTING
  # ip6tables -t raw -v -L PREROUTING

The pkts/bytes counters shown by the last two commands for the NETFLOW
rule must grow while the mirror port carries traffic. If they stay at
zero, check that the interface is actually promiscuous ("ip link show
enoEXAMPLE" lists PROMISC), that the module was loaded with promisc=1,
and that the rule really is in the raw table's PREROUTING chain.
/proc/net/stat/ipt_netflow shows the flow cache and export statistics,
including whether sending to the configured destinations succeeds.

 -- Axel Beckert, Fri, 13 Apr 2018 17:59:19 +0200
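An end-to-end check that the above counters cannot give you is whether the exported datagrams actually arrive at a destination and decode. The following collector is an added example (not part of the iptables-netflow-dkms package or of ipt_NETFLOW) for the default protocol=5 case: it binds the first destination from the modprobe line above, 127.0.0.1:2055, and decodes each NetFlow v5 datagram using the fixed 24-byte header / 48-byte record layout. The builder function and the sample flows in it are constructed only so the decoder can be exercised offline; the addresses 192.0.2.x and 198.51.100.x are documentation ranges, not real hosts. The decoder also shows concretely why protocol=5 cannot carry IPv6: every address field is four bytes wide. v9 and IPFIX (protocol=9/10) are template-based and need a different decoder; this one rejects them by version number rather than mis-parsing them.

```python
"""Minimal NetFlow v5 decoder and UDP listener for verifying ipt_NETFLOW export."""
import socket
import struct
import sys
from ipaddress import IPv4Address

# NetFlow v5 wire layout, big-endian.  Fixed-size, no templates.
V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
V5_MAX_RECORDS = 30                                    # fixed by the v5 format

HEADER_FIELDS = ("version", "count", "sys_uptime_ms", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling")
RECORD_FIELDS = ("src", "dst", "nexthop", "input_if", "output_if", "packets",
                 "octets", "first_ms", "last_ms", "src_port", "dst_port", "pad1",
                 "tcp_flags", "proto", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")


def decode_v5(datagram: bytes) -> dict:
    """Decode one NetFlow v5 datagram into {"header": {...}, "flows": [...]}.

    Raises ValueError for anything that is not a well-formed v5 packet,
    including v9/IPFIX exports (ipt_NETFLOW protocol=9/10), which cannot be
    parsed with fixed offsets.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    hdr = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(datagram, 0)))
    if hdr["version"] != 5:
        raise ValueError(f"not NetFlow v5 (version field = {hdr['version']})")
    count = hdr["count"]
    if not 1 <= count <= V5_MAX_RECORDS:
        raise ValueError(f"implausible record count {count}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"length {len(datagram)} != {expected} for {count} records")
    # Sampling field: top 2 bits are the mode, low 14 bits the interval.
    hdr["sampling_mode"] = hdr["sampling"] >> 14
    hdr["sampling_interval"] = hdr["sampling"] & 0x3FFF

    flows = []
    for i in range(count):
        offset = V5_HEADER.size + i * V5_RECORD.size
        rec = dict(zip(RECORD_FIELDS, V5_RECORD.unpack_from(datagram, offset)))
        for key in ("src", "dst", "nexthop"):      # 4-byte fields: IPv4 only
            rec[key] = str(IPv4Address(rec[key]))
        del rec["pad1"], rec["pad2"]
        flows.append(rec)
    return {"header": hdr, "flows": flows}


def build_v5(flows, *, flow_sequence=0, uptime_ms=1000, unix_secs=1523635159) -> bytes:
    """Assemble a v5 datagram from (src, dst, proto, sport, dport, packets, octets).

    Constructed test input only; the real exporter is ipt_NETFLOW.  The
    timestamp is an arbitrary fixed value.
    """
    if not 1 <= len(flows) <= V5_MAX_RECORDS:
        raise ValueError("v5 carries 1..30 records per datagram")
    out = bytearray(V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0,
                                   flow_sequence, 0, 0, 0))
    for src, dst, proto, sport, dport, packets, octets in flows:
        tcp_flags = 0x18 if proto == 6 else 0      # PSH|ACK for the TCP sample
        out += V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                              b"\0" * 4, 1, 0, packets, octets,
                              max(uptime_ms - 500, 0), uptime_ms,
                              sport, dport, 0, tcp_flags, proto, 0,
                              0, 0, 24, 24, 0)
    return bytes(out)


def listen(host="127.0.0.1", port=2055):
    """Bind the ipt_NETFLOW destination and print every decoded flow."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while True:
            data, (peer, _) = sock.recvfrom(65535)
            try:
                pkt = decode_v5(data)
            except ValueError as err:
                print(f"{peer}: skipped datagram: {err}")
                continue
            h = pkt["header"]
            print(f"{peer}: seq={h['flow_sequence']} records={h['count']}")
            for f in pkt["flows"]:
                print(f"  {f['src']}:{f['src_port']} -> {f['dst']}:{f['dst_port']}"
                      f" proto={f['proto']} pkts={f['packets']} bytes={f['octets']}")


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--listen":
        listen()                                   # run beside the exporter
    else:                                          # offline demo on constructed data
        sample = build_v5([("192.0.2.10", "198.51.100.20", 6, 44321, 443, 12, 9876),
                           ("192.0.2.11", "198.51.100.53", 17, 51000, 53, 1, 71)],
                          flow_sequence=7)
        for flow in decode_v5(sample)["flows"]:
            print(flow)
```

Run it with `--listen` on the exporter host while traffic crosses the mirror port; a datagram that is reported as "not NetFlow v5" means net.netflow.protocol is 9 or 10, in which case a template-aware collector such as the one you plan to use in production is the right tool for the check.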