Comments (20)
Described many times - you need to pass all packets to ndpi. Please read #17.
from ndpi.
iptables -t mangle -A PREROUTING -m ndpi --all
iptables -t mangle -A PREROUTING -p tcp --dport 80 -m ndpi --http -j DROP
iptables -t mangle -A PREROUTING -m ndpi --unknown
iptables -t mangle -A POSTROUTING -m ndpi --all
iptables -t mangle -A POSTROUTING -m ndpi --unknown
Then I just typed its IP and the site loaded fine, and below are the iptables stats:
iptables -vL -t mangle
Chain PREROUTING (policy ACCEPT 76 packets, 5085 bytes)
pkts bytes target prot opt in out source destination
0 0 all -- any any anywhere anywhere ndpi all protocols
0 0 DROP tcp -- any any anywhere anywhere tcp dpt:http ndpi protocol http
0 0 all -- any any anywhere anywhere ndpi protocol unknown
Chain INPUT (policy ACCEPT 76 packets, 5085 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 62 packets, 11725 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 62 packets, 11725 bytes)
pkts bytes target prot opt in out source destination
0 0 all -- any any anywhere anywhere ndpi all protocols
0 0 all -- any any anywhere anywhere ndpi protocol unknown
from ndpi.
Figured it out: I needed to add a config for all the modules to load in the right order, as per #6.
Since this load order is needed why isn't it part of the installation instructions?
from ndpi.
Because the module assumes certain knowledge on the administrator's part, but this is not an excuse. Your contribution to the documentation would be useful.
from ndpi.
Now I'm running into an issue where it won't match http or rtmp on a non-default port (port 81 in this example).
Current rules:
iptables -F -t mangle
iptables -F
iptables -t mangle -A PREROUTING -m ndpi --all
iptables -t mangle -A POSTROUTING -m ndpi --all
iptables -t mangle -A PREROUTING -m ndpi --unknown
iptables -t mangle -A POSTROUTING -m ndpi --unknown
iptables -t mangle -A PREROUTING -p tcp --dport 81 -m ndpi --http
iptables -t mangle -A PREROUTING -p tcp --dport 81 -m ndpi --rtmp
Currently it seems like ndpi is only matching whatever is on the default port for a protocol. If I set it up to be on port 80, it would view everything as http; if I set it up on 1935, it would match everything as rtmp. Since it is on port 81, it seems to just match unknown.
Any suggestions on debugging this issue?
from ndpi.
You don't need to specify any port (like 81) or proto (like tcp). unknown should be the last in the chain.
from ndpi.
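As an added example (not code from the ndpi-netfilter project), the checker below reads an `iptables -vL -t mangle` listing like the one pasted earlier in this thread and reports the ordering mistakes discussed here: a protocol-specific ndpi rule placed before `--all`, an `--unknown` rule that is not last, and the symptom where the chain sees traffic but every ndpi counter stays at zero (the module load-order problem from #6). The embedded sample listing is constructed from the one above, with the `--unknown` rule deliberately moved ahead of the http rule so that both findings fire.

```python
import re

# Constructed sample: the PREROUTING listing quoted earlier in this thread, with
# the --unknown rule moved ahead of the protocol match so that both checks fire.
SAMPLE_LISTING = """\
Chain PREROUTING (policy ACCEPT 76 packets, 5085 bytes)
 pkts bytes target prot opt in  out source   destination
    0     0        all  --  any any anywhere anywhere  ndpi all protocols
    0     0        all  --  any any anywhere anywhere  ndpi protocol unknown
    0     0 DROP   tcp  --  any any anywhere anywhere  tcp dpt:http ndpi protocol http
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy \S+ (\d+[KMG]?) packets")
RULE_RE = re.compile(r"^\s*(\d+[KMG]?)\s+\S+\s+.*\bndpi (all protocols|protocol \S+)\s*$")

def parse_listing(listing):
    """Map chain name -> (policy packet count, [(rule pkts, ndpi match), ...])."""
    chains, current = {}, None
    for line in listing.splitlines():
        if m := CHAIN_RE.match(line):
            current = m.group(1)
            chains[current] = (m.group(2), [])
        elif (m := RULE_RE.match(line)) and current:
            chains[current][1].append((m.group(1), m.group(2)))
    return chains

def check_chain(policy_pkts, rules):
    """Findings for one chain, following the ordering advice given in this thread."""
    findings, matches = [], [match for _, match in rules]
    if rules and matches[0] != "all protocols":
        findings.append("put '-m ndpi --all' before any protocol-specific ndpi rule")
    if "protocol unknown" in matches and matches[-1] != "protocol unknown":
        findings.append("'-m ndpi --unknown' must be the last ndpi rule in the chain")
    if rules and policy_pkts != "0" and all(p == "0" for p, _ in rules):
        findings.append("chain saw traffic but every ndpi counter is 0: "
                        "check that the kernel modules were loaded in order")
    return findings

def check_listing(listing):
    """Run check_chain over every chain in an `iptables -vL -t mangle` listing."""
    return {name: check_chain(pkts, rules)
            for name, (pkts, rules) in parse_listing(listing).items()}

if __name__ == "__main__":
    for chain, findings in check_listing(SAMPLE_LISTING).items():
        for finding in findings:
            print(f"{chain}: {finding}")
```

Pipe a live listing in with `iptables -vL -t mangle | python3 check_ndpi_rules.py` after replacing the sample with `sys.stdin.read()`; counters with a K/M/G suffix are treated as non-zero.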
Except that I need to block only on certain ports, not others, so I need a rule to match by port.
from ndpi.
If, for example, I have rtmp traffic coming in on port 80, it doesn't get matched to rtmp; it all matches http. If I have http come in on port 1935, then it all matches rtmp instead of http. That's why I picked port 81, which isn't in the defaults for http or rtmp. It just ends up as unknown.
from ndpi.
What do you plan to do with the packets after matching?
from ndpi.
I have an issue with people hitting my rtmp port with HTTP GETs. I am trying to reject them so that only rtmp is hitting the port, or at least as much as possible.
The idea being, for example:
iptables -F -t mangle
iptables -F
iptables -t mangle -A PREROUTING -m ndpi --all
iptables -t mangle -A PREROUTING -m ndpi --unknown
iptables -t mangle -A POSTROUTING -m ndpi --all
iptables -t mangle -A POSTROUTING -m ndpi --unknown
iptables -A INPUT -p tcp --dport 81 -m ndpi --http -j REJECT
I am using rules like the one below just to get counters on when the rule matches.
iptables -A INPUT -p tcp --dport 81 -m ndpi --rtmp -j ACCEPT
from ndpi.
I found out that at least part of my issue was that I had the MTU set incorrectly, since the AWS Ubuntu instance seems to have an MTU of 9001. After changing the parameter for the xt_ndpi module, it now seems to be matching and working more like how I would expect.
from ndpi.
@orderedchaosdev Where did you change it? The NIC or the xt_ndpi module?
If it's on the module, where did you change it, and what?
from ndpi.
Sorry for the long delay; the following is what I did:
echo 9001 > /sys/module/xt_ndpi/parameters/mtu
or make /etc/modules-load.d/98-ndpi.conf containing:
xt_ndpi mtu=9001
from ndpi.
Just as a note, I installed conntrack via apt-get.
Also I added the files:
/etc/modules-load.d/10-htb.conf
sch_htb
/etc/modules-load.d/20-conntrack.conf
nf_conntrack_netlink
nf_nat_ipv4
nf_nat
nf_reject_ipv4
nf_defrag_ipv4
nf_conntrack_ipv4
nf_conntrack_pptp
nf_conntrack_proto_gre
nfnetlink
from ndpi.
@vel21ripn @elico updated my old ticket just tagging you both for visibility.
from ndpi.
@orderedchaosdev This is indeed a good thing to know.
I think that these details should be documented.
When VLAN is used, I think that 9001 would be lower than required, but I'm not sure what HW handles such packets; I have yet to get my hands on one of these.
from ndpi.
@elico All I can say for sure is that, at least on the AWS EC2 instances I was working on, I needed MTU 9001, and I'm not sure if having MTU 9001 would really hurt anything even if you had hardware at 1500 (or whatever the smaller default is).
from ndpi.
@orderedchaosdev MTU 9001 means many things in terms of memory use and I/O-related actions.
For some systems it's nothing, while for others it doubles memory and CPU consumption, so it's something to be tested per setup (in my opinion).
from ndpi.
@elico Ah, fair enough, but for an EC2 instance, unless you change the MTU settings on the system, you have to change it for ndpi or it won't work.
from ndpi.