Build, configure and run ipt-netflow on Debian Linux
General information
- ipt-netflow is a very fast NetFlow sensor (flow counter) for Linux: flows are accounted inside the kernel and exported to a collector over UDP.
- It consists of two parts: a kernel module (ipt_NETFLOW) and a userspace library for iptables (libipt_NETFLOW.so) that lets you use the NETFLOW target in rules.
- Neither part is included in the mainline kernel or in iptables yet, so both must be built from source.
- Debian inclusion is discussed - see lists.debian.org/debian-mentors/2011/04/msg00070.html and bugs.debian.org/cgi-bin/bugreport.cgi?bug=620511
System
- Debian Squeeze (6.0.3) amd64
- Kernel 2.6.38 from squeeze-backports (the newest available when this document was written)
Build on a test system
- Install the kernel headers matching the running kernel plus the build dependencies:
apt-get install -t squeeze-backports linux-headers-2.6.38-bpo.2-amd64
apt-get install -t squeeze-backports quilt debhelper autotools-dev iptables-dev dkms pkg-config
- Download and unpack the sources from sourceforge.net/projects/ipt-netflow/files/ipt-netflow
- Compile and install on the build system (the module is built against the headers of the running kernel, so this system must run the same kernel as the gateway):
cd ./ipt_netflow-*
./configure
make all
make install
depmod
- Pack the installed files (the kernel module ipt_NETFLOW.ko under /lib/modules and the iptables library libipt_NETFLOW.so) into an archive for the gateway; the file name records the module version and the kernel it was built for:
find /lib -name "*NETFLOW*" | xargs tar czf /tmp/ipt_netflow-$(modinfo -F version ipt_NETFLOW)-$(uname -r).tar.gz
Installation on a production system
- Unpack the archive over the root filesystem and refresh the module dependency list:
tar xzf /tmp/ipt_netflow-*-*.tar.gz -C /
depmod
- Configure the module options (here only the collector address; the README in the source tree lists all options):
echo "options ipt_NETFLOW destination=127.0.0.1:9996" > /etc/modprobe.d/netflow.conf
- Load the module and check its status through sysctl:
modprobe ipt_NETFLOW
sysctl -a | grep net.netflow
- Send traffic through the sensor (every packet matching the rule is accounted; -j NETFLOW does not terminate rule processing, so later FORWARD rules still apply):
iptables -A FORWARD -j NETFLOW
- Check that the rule counts packets and that exports reach the collector port:
iptables -nvL FORWARD | grep NETFLOW
tcpdump -c5 -npi lo port 9996
- Load the module at boot:
echo ipt_NETFLOW >> /etc/modules
- Hold the kernel package: the module was built for this exact kernel and will no longer load (or must be rebuilt) after a kernel upgrade:
echo linux-image-2.6.38-bpo.2-amd64 hold | dpkg --set-selections
- If the collector is on another machine, the interfaces and routes are not yet configured when the module loads at boot, so its export socket may fail to connect with kernel error 101 (ENETUNREACH, "Network is unreachable"). To work around this, re-establish the connection from /etc/rc.local once the network is up by writing the destination back to its sysctl file (writing the value re-creates the socket):
f="/proc/sys/net/netflow/destination"
test -e "$f" && d="$(cat "$f")" && echo "$d" > "$f"
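The tcpdump check above only shows that datagrams arrive on port 9996. To see what the sensor actually exports, the following added example (written for this page, not part of ipt-netflow) decodes NetFlow v5, the module's default export protocol, and can be bound to the configured destination in place of a real collector. The sample packet at the bottom is constructed locally so the parser can be exercised offline; the flow values in it are made up.

```python
"""Minimal NetFlow v5 receiver for checking what ipt_NETFLOW exports.

Added example, not code from the original page or from ipt-netflow.
Assumes the module runs with its default export protocol (NetFlow v5)
and the destination from the page, 127.0.0.1:9996.
"""
import socket
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire layout: a 24-byte header followed by up to 30 fixed
# 48-byte flow records, all fields big-endian.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
NETFLOW_V5 = 5
MAX_RECORDS = 30


def parse_v5(packet):
    """Return (header_dict, [record_dict, ...]) for one v5 datagram.

    Raises ValueError for anything that is not a well-formed v5 packet so
    a stray datagram on the port is not mistaken for sensor output.
    """
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than v5 header")
    (version, count, uptime_ms, unix_secs, _unix_nsecs, seq,
     _engine_type, engine_id, sampling) = HEADER.unpack_from(packet, 0)
    if version != NETFLOW_V5:
        raise ValueError("not NetFlow v5 (version field %d)" % version)
    if count > MAX_RECORDS or len(packet) != HEADER.size + count * RECORD.size:
        raise ValueError("record count %d does not match packet length %d"
                         % (count, len(packet)))
    header = {
        "count": count,
        "sys_uptime_ms": uptime_ms,
        "unix_secs": unix_secs,
        "flow_sequence": seq,
        "engine_id": engine_id,
        "sampling_interval": sampling & 0x3FFF,  # top 2 bits are the mode
    }
    records = []
    for i in range(count):
        f = RECORD.unpack_from(packet, HEADER.size + i * RECORD.size)
        records.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "nexthop": str(IPv4Address(f[2])),
            "input_if": f[3], "output_if": f[4],
            "packets": f[5], "octets": f[6],
            "first_ms": f[7], "last_ms": f[8],
            "src_port": f[9], "dst_port": f[10],
            "tcp_flags": f[12], "proto": f[13], "tos": f[14],
        })
    return header, records


def build_v5(records, seq=0):
    """Encode records into one v5 datagram. Used here only to construct a
    sample packet for offline testing; real packets come from the module."""
    body = b"".join(
        RECORD.pack(IPv4Address(r["src"]).packed, IPv4Address(r["dst"]).packed,
                    IPv4Address("0.0.0.0").packed, 0, 0,
                    r["packets"], r["octets"], 0, 0,
                    r["src_port"], r["dst_port"], 0, 0, r["proto"], 0,
                    0, 0, 0, 0, 0)
        for r in records)
    return HEADER.pack(NETFLOW_V5, len(records), 0, 0, 0, seq, 0, 0, 0) + body


# Constructed sample: one TCP connection seen in both directions.
SAMPLE = build_v5([
    {"src": "10.0.0.1", "dst": "192.0.2.10", "src_port": 40000,
     "dst_port": 80, "proto": 6, "packets": 12, "octets": 6400},
    {"src": "192.0.2.10", "dst": "10.0.0.1", "src_port": 80,
     "dst_port": 40000, "proto": 6, "packets": 10, "octets": 15000},
], seq=7)


def serve(host="127.0.0.1", port=9996, max_packets=None):
    """Receive datagrams from the sensor and print flows; returns the
    number of valid v5 packets seen (stops after max_packets if given)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    seen = 0
    while max_packets is None or seen < max_packets:
        data, peer = sock.recvfrom(65535)
        try:
            hdr, flows = parse_v5(data)
        except ValueError as exc:
            print("ignoring datagram from %s:%d: %s" % (peer[0], peer[1], exc))
            continue
        seen += 1
        print("seq=%d records=%d" % (hdr["flow_sequence"], hdr["count"]))
        for fl in flows:
            print("  %(src)s:%(src_port)d -> %(dst)s:%(dst_port)d "
                  "proto=%(proto)d pkts=%(packets)d bytes=%(octets)d" % fl)
    return seen


if __name__ == "__main__":
    serve()
```

Run it on the gateway while the NETFLOW rule is active and flows expire (the module exports a flow when it goes idle or ages out, so expect a delay rather than one packet per connection). Gaps in flow_sequence between consecutive datagrams mean exports were lost between the sensor and this receiver.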