OpenDPI (traffic type detection) + iptables
OpenDPI is a library for classifying traffic using deep packet inspection (DPI). The IPP2P project is no longer maintained and recommends OpenDPI as its replacement. Unlike IPP2P, whose only purpose is detecting p2p traffic, OpenDPI supports a wide range of protocols, and it was designed from the start for a very low false-positive rate. Unlike L7-filter, it requires no patches to iptables or the kernel: it works as a kernel module plus an xtables library. Its protocol definitions are not a list of regexps but C modules, which is better for performance. iptables support for this library has appeared only recently.
Now let's try using OpenDPI in practice.
Go to the Downloads section of the project website and download opendpi-1.2.0.tar.gz and opendpi-netfilter-wrapper-1.1.tar.gz (these were the current versions at the time of writing). If you want to play around first, look through the contents of opendpi-1.2.0.tar.gz, build it the usual way
./configure && make && make install
and feed various pcap files to the OpenDPI_demo application. Now let's build the iptables module. You will need the kernel headers and iptables, and certain options must be set in the kernel:
- The "Connection tracking events" option must be enabled (the module registers a connection-tracking event notifier to manage its per-flow state):
  Symbol: NF_CONNTRACK_EVENTS
  Location: -> Networking support -> Networking options -> Network packet filtering framework (Netfilter) -> Core Netfilter Configuration -> Netfilter connection tracking support
- The "Connection tracking netlink interface" option must be disabled (on these kernels only one such notifier can be registered, and ctnetlink already holds it; note that the userspace conntrack tool and conntrackd depend on this interface and will not work without it):
  Symbol: NF_CT_NETLINK
  Location: -> Networking support -> Networking options -> Network packet filtering framework (Netfilter) -> Core Netfilter Configuration -> Netfilter connection tracking support
Unpack opendpi-netfilter-wrapper-1.1.tar.gz, go into the opendpi-netfilter-wrapper-1.1 directory and unpack opendpi-1.2.0.tar.gz there. That is, opendpi-netfilter-wrapper-1.1 should contain README, the ipq_*.diff files, the wrapper directory and the opendpi-1.2.0 directory, the latter holding the OpenDPI sources. The same steps as commands:
$ ls
opendpi-1.2.0.tar.gz  opendpi-netfilter-wrapper-1.1.tar.gz
$ tar -xzf opendpi-netfilter-wrapper-1.1.tar.gz
$ cd opendpi-netfilter-wrapper-1.1
$ tar -xzf ../opendpi-1.2.0.tar.gz
Now go to the opendpi-1.2.0 directory:
$ cd opendpi-1.2.0
and apply patches:
$ patch -p0 <../ipq_main.h.diff
$ patch -p0 <../ipq_protocols.h.diff
After that, you need to set the environment variable:
$ export OPENDPI_PATH=$(pwd)
and go to the wrapper directory:
$ cd ../wrapper
Now apply the patch that adds support for kernel 2.6.35 (support for older kernels is not broken by it). The patch was written by comparing the netfilter sources of 2.6.34 and 2.6.35. It has already been sent to the developers; you can download it from the discussion thread on the project site. Put the patch one level above the opendpi-netfilter-wrapper-1.1 directory (next to the tarballs) and apply it from the wrapper directory with:
$ patch -p3 <../../opendpi-netfilter-wrapper-1.1_2.6.35_v2.patch
Then you need to do:
$ make
# make modules_install
# cp ipt/libxt_opendpi.so /lib/xtables
The xtables library directory differs between distributions (/lib64/xtables, /usr/lib/xtables, ...); put the file wherever the existing libxt_*.so files of your iptables live.
Now you can use the module:
# modprobe xt_opendpi
Explore the options available:
# iptables -m opendpi --help
Try it in action:
# iptables -A OUTPUT -m opendpi --http -j DROP
# wget http://ya.ru/
--2010-11-12 20:57:41--  http://ya.ru/
Connecting to 213.180.204.3:80... connected.
HTTP request sent, awaiting response... ^C
Note that the TCP connection is established and wget reports the request as sent: the handshake packets carry no payload for the classifier, so the flow is recognized as HTTP, and its packets dropped, only once the request itself has been seen. Remove the test rule afterwards (iptables -D OUTPUT -m opendpi --http -j DROP).
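To make the behaviour seen above concrete, here is an added example (not code from this article, from OpenDPI or from the netfilter wrapper): a toy flow classifier written in the style of OpenDPI's per-protocol C modules. It shows why a "-m opendpi --http -j DROP" rule only bites after the first payload packet of a connection, why the verdict is stored per flow instead of being recomputed for every packet, why detection gives up after a bounded number of packets, and why per-flow state has to be released when the connection ends (the job the wrapper needs connection-tracking events for). The flow key, the three signatures (HTTP, SSH, TLS ClientHello), the table size and the give-up threshold are assumptions made for the example; the sample packets in main() are constructed.

```c
/* Toy per-flow classifier (added example; flow key, signatures, table size and
 * GIVE_UP_AFTER are assumptions, not OpenDPI's real values). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FLOWS 64
#define GIVE_UP_AFTER 8  /* stop inspecting a flow after this many payload packets */

enum proto { PROTO_UNKNOWN = 0, PROTO_HTTP, PROTO_SSH, PROTO_SSL };

struct flow_key { uint32_t a_ip, b_ip; uint16_t a_port, b_port; uint8_t l4; };
struct flow { int in_use; struct flow_key key; enum proto proto; int payload_pkts; int done; };
struct flow_table { struct flow flows[MAX_FLOWS]; };

/* Order the endpoints so both directions of a connection share one key. */
static struct flow_key make_key(uint32_t sip, uint16_t sport, uint32_t dip, uint16_t dport, uint8_t l4)
{
    struct flow_key k = { sip, dip, sport, dport, l4 };
    if (sip > dip || (sip == dip && sport > dport)) {
        k.a_ip = dip; k.a_port = dport; k.b_ip = sip; k.b_port = sport;
    }
    return k;
}

static int key_eq(const struct flow_key *x, const struct flow_key *y)
{
    return x->a_ip == y->a_ip && x->b_ip == y->b_ip && x->a_port == y->a_port &&
           x->b_port == y->b_port && x->l4 == y->l4;
}

static struct flow *flow_lookup(struct flow_table *t, const struct flow_key *k, int create)
{
    struct flow *slot = NULL;
    for (int i = 0; i < MAX_FLOWS; i++) {
        struct flow *f = &t->flows[i];
        if (f->in_use && key_eq(&f->key, k)) return f;
        if (!f->in_use && !slot) slot = f;
    }
    if (!create || !slot) return NULL;
    memset(slot, 0, sizeof *slot);
    slot->in_use = 1;
    slot->key = *k;
    return slot;
}

/* Signature checks: the work OpenDPI does in one C module per protocol. */
static enum proto inspect(const uint8_t *p, size_t n)
{
    static const char *const http[] = { "GET ", "POST ", "HEAD ", "PUT ", "HTTP/1." };
    for (size_t i = 0; i < sizeof http / sizeof http[0]; i++) {
        size_t m = strlen(http[i]);
        if (n >= m && memcmp(p, http[i], m) == 0) return PROTO_HTTP;
    }
    if (n >= 4 && memcmp(p, "SSH-", 4) == 0) return PROTO_SSH;
    /* TLS record: type handshake (0x16), version 3.x, first message ClientHello (0x01) */
    if (n >= 6 && p[0] == 0x16 && p[1] == 0x03 && p[2] <= 0x03 && p[5] == 0x01) return PROTO_SSL;
    return PROTO_UNKNOWN;
}

/* Per-packet entry point (the equivalent of the match hook). Returns the
 * flow's classification after this packet has been seen. */
enum proto flow_packet(struct flow_table *t, uint32_t sip, uint16_t sport,
                       uint32_t dip, uint16_t dport, uint8_t l4,
                       const uint8_t *payload, size_t len)
{
    struct flow_key k = make_key(sip, sport, dip, dport, l4);
    struct flow *f = flow_lookup(t, &k, 1);
    if (!f) return PROTO_UNKNOWN;        /* table full: cannot classify, fail open */
    if (f->done) return f->proto;        /* verdict already fixed: no further inspection */
    if (len == 0) return PROTO_UNKNOWN;  /* SYN, SYN/ACK, bare ACK: nothing to look at */
    f->payload_pkts++;
    f->proto = inspect(payload, len);
    if (f->proto != PROTO_UNKNOWN || f->payload_pkts >= GIVE_UP_AFTER) f->done = 1;
    return f->proto;
}

/* Release a flow's state when the connection ends; in the kernel this is what
 * the conntrack destroy event is needed for, otherwise the state would leak. */
int flow_destroy(struct flow_table *t, uint32_t sip, uint16_t sport, uint32_t dip, uint16_t dport, uint8_t l4)
{
    struct flow_key k = make_key(sip, sport, dip, dport, l4);
    struct flow *f = flow_lookup(t, &k, 0);
    if (!f) return 0;
    f->in_use = 0;
    return 1;
}

size_t flow_count(const struct flow_table *t)
{
    size_t n = 0;
    for (int i = 0; i < MAX_FLOWS; i++) n += t->flows[i].in_use ? 1 : 0;
    return n;
}

int main(void)
{
    struct flow_table t;
    const uint8_t get[] = "GET / HTTP/1.1\r\nHost: ya.ru\r\n\r\n";  /* constructed sample */
    memset(&t, 0, sizeof t);
    /* 10.0.0.2:40000 -> 213.180.204.3:80, the flow from the wget test above */
    enum proto syn = flow_packet(&t, 0x0A000002, 40000, 0xD5B4CC03, 80, 6, NULL, 0);
    enum proto req = flow_packet(&t, 0x0A000002, 40000, 0xD5B4CC03, 80, 6, get, sizeof get - 1);
    printf("after SYN: %d, after request: %d (0=unknown, 1=HTTP)\n", syn, req);
    return 0;
}
```

The two design points to take from this are the ones that shape iptables rule sets using the match: a flow is unclassified for its first packets, so a rule placed in OUTPUT or FORWARD sees the handshake go through untouched, and once classified the verdict sticks for the rest of the flow, so the match costs nothing per packet after that.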
Possible build errors:
- If the compiler complains that it cannot find the generated/*.h files, you do not have the kernel headers installed. It can also happen if you cleaned the kernel source tree (for example with make clean or make mrproper); running make modules_prepare there regenerates the headers needed to build external modules.
- If modprobe fails with
FATAL: Error inserting xt_opendpi (/lib/modules/2.6.34-gentoo-r12/extra/xt_opendpi.ko): Device or resource busy
the kernel options are not set as described above (the busy resource is the single conntrack event notifier slot, already taken by ctnetlink).
- If you get
/opendpi/opendpi-netfilter-wrapper-1.1/wrapper/src/main.c:466: error: dereferencing pointer to incomplete type
you are most likely on kernel 2.6.35 or newer and need to apply the patch described above.
An ebuild for Gentoo is posted here.
UPD: the declared list of supported protocols (the output of iptables -m opendpi --help):
opendpi match options:
--ftp Match for FTP protocol packets.
--pop Match for Mail_POP protocol packets.
--smtp Match for Mail_SMTP protocol packets.
--imap Match for Mail_IMAP protocol packets.
--dns Match for DNS protocol packets.
--ipp Match for IPP protocol packets.
--http Match for HTTP protocol packets.
--mdns Match for MDNS protocol packets.
--ntp Match for NTP protocol packets.
--netbios Match for NETBIOS protocol packets.
--nfs Match for NFS protocol packets.
--ssdp Match for SSDP protocol packets.
--bgp Match for BGP protocol packets.
--snmp Match for SNMP protocol packets.
--xdmcp Match for XDMCP protocol packets.
--smb Match for SMB protocol packets.
--syslog Match for SYSLOG protocol packets.
--dhcp Match for DHCP protocol packets.
--postgres Match for PostgreSQL protocol packets.
--mysql Match for MySQL protocol packets.
--tds Match for TDS protocol packets.
--ddl Match for DirectDownloadLink protocol packets.
--i23v5 Match for I23V5 protocol packets.
--apple Match for AppleJuice protocol packets.
--directconnect Match for DirectConnect protocol packets.
--socrates Match for Socrates protocol packets.
--winmx Match for WinMX protocol packets.
--manolito Match for MANOLITO protocol packets.
--pando Match for PANDO protocol packets.
--filetopia Match for Filetopia protocol packets.
--iMESH Match for iMESH protocol packets.
--kontiki Match for Kontiki protocol packets.
--openft Match for OpenFT protocol packets.
--fasttrack Match for Kazaa/Fasttrack protocol packets.
--gnutella Match for Gnutella protocol packets.
--edonkey Match for eDonkey protocol packets.
--bittorrent Match for Bittorrent protocol packets.
--off Match for OFF protocol packets.
--avi Match for AVI protocol packets.
--flash Match for Flash protocol packets.
--ogg Match for OGG protocol packets.
--mpeg Match for MPEG protocol packets.
--quicktime Match for QuickTime protocol packets.
--realmedia Match for RealMedia protocol packets.
--windowsmedia Match for Windowsmedia protocol packets.
--mms Match for MMS protocol packets.
--xbox Match for XBOX protocol packets.
--qq Match for QQ protocol packets.
--move Match for MOVE protocol packets.
--rtsp Match for RTSP protocol packets.
--feidian Match for Feidian protocol packets.
--icecast Match for Icecast protocol packets.
--pplive Match for PPLive protocol packets.
--ppstream Match for PPStream protocol packets.
--zattoo Match for Zattoo protocol packets.
--shoutcast Match for SHOUTCast protocol packets.
--sopcast Match for SopCast protocol packets.
--tvants Match for TVAnts protocol packets.
--tvuplayer Match for TVUplayer protocol packets.
--veohtv Match for VeohTV protocol packets.
--qqlive Match for QQLive protocol packets.
--thunder Match for Thunder/Webthunder protocol packets.
--soulseek Match for Soulseek protocol packets.
--gadugadu Match for GaduGadu protocol packets.
--irc Match for IRC protocol packets.
--popo Match for Popo protocol packets.
--jabber Match for Jabber protocol packets.
--msn Match for MSN protocol packets.
--oscar Match for Oscar protocol packets.
--yahoo Match for Yahoo protocol packets.
--battlefield Match for Battlefield protocol packets.
--quake Match for Quake protocol packets.
--secondlife Match for Second Life protocol packets.
--steam Match for Steam protocol packets.
--hl2 Match for Halflife2 protocol packets.
--worldofwarcraft Match for World of Warcraft protocol packets.
--telnet Match for Telnet protocol packets.
--stun Match for STUN protocol packets.
--ipsec Match for IPSEC protocol packets.
--gre Match for GRE protocol packets.
--icmp Match for ICMP protocol packets.
--igmp Match for IGMP protocol packets.
--egp Match for EGP protocol packets.
--sctp Match for SCTP protocol packets.
--ospf Match for OSPF protocol packets.
--ipip Match for IP in IP protocol packets.
--rtp Match for RTP protocol packets.
--rdp Match for RDP protocol packets.
--vnc Match for VNC protocol packets.
--pcanywhere Match for PCAnywhere protocol packets.
--ssl Match for SSL protocol packets.
--ssh Match for SSH protocol packets.
--usenet Match for USENET protocol packets.
--mgcp Match for MGCP protocol packets.
--iax Match for IAX protocol packets.
--tftp Match for TFTP protocol packets.
--afp Match for AFP protocol packets.
--stealthnet Match for StealthNet protocol packets.
--aimini Match for Aimini protocol packets.
--sip Match for SIP protocol packets.
--truphone Match for Truphone protocol packets.
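Using option names from the list above, here is an added example (not from the article or the wrapper project) of how a practitioner would wire the match into a forwarding router's firewall. It generates a dedicated chain that logs, resets and drops classified traffic, and it includes a check for the one ordering mistake that silently disables DPI rules: a stateful "ESTABLISHED,RELATED -j ACCEPT" placed before the DPI jump. The chain name DPI and the chosen protocols are assumptions; the iptables-save lines in the usage note are constructed.

```sh
#!/bin/sh
# Added example: generate iptables rules for the xt_opendpi match and verify
# their position in FORWARD. Chain name "DPI" is an assumption.

# dpi_rules CHAIN PROTO... : print the iptables commands for CHAIN.
# PROTO is an opendpi option name without the leading "--" (e.g. bittorrent).
dpi_rules() {
    chain=$1; shift
    echo "iptables -N $chain"
    echo "iptables -F $chain"
    for proto in "$@"; do
        # Rate-limited log line so a flood of classified packets cannot fill syslog.
        echo "iptables -A $chain -m opendpi --$proto -m limit --limit 10/min -j LOG --log-prefix \"DPI-$proto: \""
        # TCP gets a RST so clients fail immediately instead of hanging on
        # "HTTP request sent, awaiting response" as they do with a plain DROP.
        echo "iptables -A $chain -p tcp -m opendpi --$proto -j REJECT --reject-with tcp-reset"
        echo "iptables -A $chain -m opendpi --$proto -j DROP"
    done
    # The jump must precede any ESTABLISHED,RELATED accept rule: DPI classifies
    # a flow only after it has seen payload, and by then conntrack already
    # considers the flow ESTABLISHED, so an earlier stateful accept would
    # short-circuit the DPI match for every packet that could be classified.
    echo "iptables -I FORWARD 1 -j $chain"
}

# check_order CHAIN : read iptables-save output on stdin; succeed only if
# FORWARD jumps to CHAIN before any ESTABLISHED/RELATED accept rule.
check_order() {
    awk -v chain="$1" '
        /^-A FORWARD / && $0 ~ ("-j " chain "$") { dpi = NR }
        /^-A FORWARD / && /ESTABLISHED/ && /-j ACCEPT/ && !est { est = NR }
        END { ok = (dpi > 0 && (est == 0 || dpi < est)); exit ok ? 0 : 1 }
    '
}

# Usage: sh dpi-rules.sh bittorrent edonkey gnutella > rules.sh
#        (review rules.sh, then run it as root)
#        iptables-save | { . ./dpi-rules.sh; check_order DPI; } && echo "order ok"
if [ $# -gt 0 ]; then
    dpi_rules DPI "$@"
fi
```

Run check_order after every firewall change, not only once: a distribution firewall generator that rebuilds FORWARD will happily put its stateful accept back at the top, and the DPI chain then matches nothing while the rules still look correct in iptables -L.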