
Comments (11)

elico avatar elico commented on August 16, 2024 1

@androuxx it appears that some of my assumptions were wrong since I'm used to the squid way of handling things.
I have tested the following script/settings with nDPI version 2.0.0 and it should work with any other version:

#!/usr/bin/env bash

# Related docs
# http://manpages.ubuntu.com/manpages/zesty/man5/sysctl.d.5.html
# http://ebtables.netfilter.org/br_fw_ia/br_fw_ia.html
# http://ebtables.netfilter.org/misc/ebtables-faq.html

INT_IN=ens4
INT_OUT=ens5

brctl addbr br0
brctl addif br0 $INT_IN
brctl addif br0 $INT_OUT

ip link set up br0
ip link set up $INT_IN
ip link set up $INT_OUT

# Load the bridge+netfilter interaction modules (-a loads every name listed;
# without it the extra names are parsed as parameters of the first module)
modprobe -a ebtables ebtable_broute ebtable_filter
modprobe br_netfilter

# Load the iptables physdev match module (iptables autoloads it when a -m physdev rule is added)
# modprobe xt_physdev

# Load the ndpi module
modprobe xt_ndpi

#cat /proc/sys/net/bridge/bridge-nf-call-ip6tables
#cat /proc/sys/net/bridge/bridge-nf-call-iptables

# Make sure that the bridge is allowed to communicate iptables
sysctl net.bridge.bridge-nf-call-arptables=1
sysctl net.bridge.bridge-nf-call-ip6tables=1
sysctl net.bridge.bridge-nf-call-iptables=1

# Mangle part to match all traffic of the bridge
# The BRIDGE-IN/OUT rules carry no -j target: they only count, but they make
# xt_ndpi see every packet early so protocol detection is done by the time the
# filter table rules below run
iptables -t mangle -N BRIDGE-IN
iptables -t mangle -N BRIDGE-OUT
iptables -t mangle -A BRIDGE-IN -m physdev --physdev-in $INT_IN -m ndpi --all
iptables -t mangle -A BRIDGE-OUT -m physdev --physdev-in $INT_OUT -m ndpi --all
iptables -t mangle -A PREROUTING -m physdev --physdev-in $INT_OUT -j BRIDGE-OUT
iptables -t mangle -A PREROUTING -m physdev --physdev-in $INT_IN -j BRIDGE-IN
iptables -t mangle -A FORWARD -m physdev --physdev-in $INT_OUT -j BRIDGE-OUT
iptables -t mangle -A FORWARD -m physdev --physdev-in $INT_IN -j BRIDGE-IN
iptables -t mangle -A POSTROUTING -m physdev --physdev-in $INT_OUT -j BRIDGE-OUT
iptables -t mangle -A POSTROUTING -m physdev --physdev-in $INT_IN -j BRIDGE-IN

# Filter part to filter traffic on the bridge
iptables -N BRIDGE-IN
iptables -N BRIDGE-OUT
iptables -A FORWARD -m physdev --physdev-in $INT_OUT -j BRIDGE-OUT
iptables -A FORWARD -m physdev --physdev-in $INT_IN -j BRIDGE-IN

# Add some nDPI filter rules
iptables -A BRIDGE-IN -m ndpi --youtube -j REJECT --reject-with icmp-port-unreachable
iptables -A BRIDGE-OUT -m ndpi --youtube -j REJECT --reject-with icmp-port-unreachable

# State rule to kick connection tracking on for all routed/forwarded traffic
# Even the first rule alone will do the job, but I added a couple to the mangle table just in case..
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -t mangle -I FORWARD -m state --state INVALID -j DROP
iptables -t mangle -I PREROUTING -m state --state INVALID -j DROP
iptables -t mangle -I POSTROUTING -m state --state INVALID -j DROP

# Run the following commands to see how packets flow...
# watch -d -n1 iptables -t mangle -L -nv
# watch -d -n1 iptables -L -nv

And some stats:

# iptables  -L -nv
Chain INPUT (policy ACCEPT 2318 packets, 184K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 1787 packets, 181K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
 1087  123K BRIDGE-OUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in ens5
  703 58802 BRIDGE-IN  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in ens4

Chain OUTPUT (policy ACCEPT 1368 packets, 252K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain BRIDGE-IN (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    3   171 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol youtube reject-with icmp-port-unreachable

Chain BRIDGE-OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol youtube reject-with icmp-port-unreachable

from ndpi.
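
The counters above are the only evidence that bridged traffic reaches iptables and that the nDPI rules fire. The following is an added example (not code from the thread or from ndpi-netfilter) that parses `iptables -L -nv` output and reports which of the two stages is missing; the sample counters are constructed to mirror the ones posted above, and the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): read `iptables -L -nv` counters and
# report whether bridged traffic reaches iptables and hits the nDPI rules.

# Constructed sample, modelled on the counters posted above.
SAMPLE_COUNTERS='Chain FORWARD (policy ACCEPT 1787 packets, 181K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
 1087  123K BRIDGE-OUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in ens5
  703 58802 BRIDGE-IN  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in ens4

Chain BRIDGE-IN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   171 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol youtube reject-with icmp-port-unreachable

Chain BRIDGE-OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol youtube reject-with icmp-port-unreachable'

# sum_pkts <chain|""> <substring>: add up the pkts column of every rule in
# <chain> (any chain when empty) whose text contains <substring>. Without -x,
# iptables prints K/M/G suffixes (x1000, x1e6, x1e9); expand() undoes that.
sum_pkts() {
  awk -v want="$1" -v pat="$2" '
    function expand(v,  n, s) {
      n = v + 0; s = substr(v, length(v))
      if (s == "K") n *= 1000; else if (s == "M") n *= 1000000; else if (s == "G") n *= 1000000000
      return n
    }
    /^Chain / { chain = $2; next }
    (want == "" || chain == want) && index($0 " ", pat) > 0 { total += expand($1) }
    END { print total + 0 }'
}

ndpi_hits()    { sum_pkts "$1" "ndpi protocol"; }     # packets matched by nDPI rules in chain $1
physdev_pkts() { sum_pkts ""   "--physdev-in $1 "; }  # packets that entered iptables from bridge port $1

# check_bridge_dpi <bridge-port> <chain>: counters on stdin; prints where the
# pipeline stalls, which is the question this thread is about.
check_bridge_dpi() {
  local input; input=$(cat)
  if [ "$(printf '%s\n' "$input" | physdev_pkts "$1")" = "0" ]; then
    echo "no-bridge-traffic"   # nothing from $1 hits iptables: revisit bridge-nf-call-iptables / ebtables
  elif [ "$(printf '%s\n' "$input" | ndpi_hits "$2")" = "0" ]; then
    echo "no-dpi-matches"      # traffic arrives, but no nDPI rule has matched (yet)
  else
    echo "ok"
  fi
}
```

Run it against live output with `iptables -L -nv | check_bridge_dpi ens4 BRIDGE-IN` (and the mangle table with `-t mangle`) to see whether the bridge or the DPI stage is the one not seeing packets.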

vel21ripn avatar vel21ripn commented on August 16, 2024

See the example in ndpi-netfilter/INSTALL.

elico avatar elico commented on August 16, 2024

@vel21ripn there is nothing mentioned in the INSTALL file about the bridge setup that he needs/requires (as far as my knowledge goes).
I believe that the following article might help a bit:
https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxBridge

Basically @androuxx, to make it work you will need to set up a bridge over eth0+eth1, and using bridge tables you will need to "divert" or "drop" the packets from the bridge level to the firewall/iptables level.
What OS are you using? Did you compile and install something/anything already?

vel21ripn avatar vel21ripn commented on August 16, 2024

nDPI does not know about layer 2. Use (filter|mangle)/FORWARD to control traffic between the physical interfaces of a bridged interface.

androuxx avatar androuxx commented on August 16, 2024

What is the best way to set up ndpi-netfilter to control network traffic between the internet and the network?
@vel21ripn ndpi-netfilter/INSTALL is not clear; it does not include a setup configuration for a network, it includes an iptables setup for a single machine.
So how can I set up ndpi-netfilter for my network and pass my network traffic through my ndpi-netfilter machine?

elico avatar elico commented on August 16, 2024

@androuxx for your case you will need to go one step at a time.
The first step would be to install all the basic bridge utilities such as brctl and bridge-tables, which are used by ebtables.
Then set up a basic bridge between eth0 and eth1 and make sure that the traffic is flowing as expected and that network access is working (use it on a single testing client).
Then the next step would be to force all bridged traffic into the iptables mangle+filter FORWARD tables.
Once you are able to use/apply basic firewall rules on the bridged traffic, such as "reject all port 80 traffic" using something like:

iptables -A FORWARD -p tcp --dport 80 -j REJECT

you will be able to start playing with DPI.

To allow iptables to inspect the bridge traffic, the following might help you:

## interface facing clients
CLIENT_IFACE=eth1

## interface facing Internet
INET_IFACE=eth0

ebtables -t broute -A BROUTING -i $CLIENT_IFACE -p ipv6 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i $CLIENT_IFACE -p ipv4 -j redirect --redirect-target DROP

ebtables -t broute -A BROUTING -i $INET_IFACE -p ipv6 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i $INET_IFACE -p ipv4 -j redirect --redirect-target DROP

if test -d /proc/sys/net/bridge/ ; then
  for i in /proc/sys/net/bridge/*
  do
    echo 0 > $i
  done
  unset i
fi

Note: first make sure it works on a single client and then move forward to more machines.
Also, depending on the middle machine's specs and the number of clients, you might need to tweak a couple of things in iptables.

Let me know if it helps.
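
The broute rules above hand bridged frames to the routing path (`--redirect-target DROP` in the broute table means "route this frame"), so the middle box must be allowed to forward them, which is exactly what the later question about ip_forward probes. The following preflight check is an added example and not code from the thread; the optional sysroot argument and make_fake_sysroot are testing conveniences of this example so it can run without root.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): preflight check for the broute setup
# above. 'redirect --redirect-target DROP' in the broute table hands bridged
# frames to the routing path, so the box must be allowed to forward IPv4 (and
# IPv6, while the ipv6 broute rules are kept), and the loop above expects all
# /proc/sys/net/bridge knobs at 0. The optional sysroot argument is an
# assumption for testing: it points at a constructed tree with /proc's layout.

# read_knob <file>: print the first word of a sysctl file, or "missing"
read_knob() {
  local v
  if [ -r "$1" ]; then read -r v < "$1" || true; printf '%s\n' "$v"; else echo missing; fi
}

# broute_preflight [sysroot]: one line per problem, "ok" when clean;
# exit status is the number of problems found.
broute_preflight() {
  local p="${1:-}/proc/sys/net" problems=0
  if [ "$(read_knob "$p/ipv4/ip_forward")" != 1 ]; then
    echo "ipv4 forwarding is not 1: sysctl -w net.ipv4.ip_forward=1"; problems=$((problems + 1))
  fi
  if [ "$(read_knob "$p/ipv6/conf/all/forwarding")" != 1 ]; then
    echo "ipv6 forwarding is not 1: sysctl -w net.ipv6.conf.all.forwarding=1 (or drop the ipv6 broute rules)"
    problems=$((problems + 1))
  fi
  case "$(read_knob "$p/bridge/bridge-nf-call-iptables")" in
    0|missing) ;;   # br_netfilter absent, or already zeroed by the loop above
    *) echo "bridge-nf-call-iptables is still 1: the loop above expects every /proc/sys/net/bridge knob at 0"
       problems=$((problems + 1)) ;;
  esac
  [ "$problems" -eq 0 ] && echo ok
  return "$problems"
}

# make_fake_sysroot <dir> <ip_forward> <ip6_forward> <bridge_nf>: constructed
# /proc tree so the check can be exercised without root.
make_fake_sysroot() {
  local n="$1/proc/sys/net"
  mkdir -p "$n/ipv4" "$n/ipv6/conf/all" "$n/bridge"
  echo "$2" > "$n/ipv4/ip_forward"
  echo "$3" > "$n/ipv6/conf/all/forwarding"
  echo "$4" > "$n/bridge/bridge-nf-call-iptables"
}
```

On the real box run `broute_preflight` with no argument; a non-zero exit status lists what still has to be changed before clients can pass through the bridge again.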

androuxx avatar androuxx commented on August 16, 2024

@elico
I set up a basic bridge using the following:

brctl addbr br0
brctl stp br0 off
ifconfig eth0 0.0.0.0 down
ifconfig eth1 0.0.0.0 down
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig eth0 up
ifconfig eth1 up
ifconfig br0 up

then the traffic is flowing as expected and accessing the network is working.
When I set up the bridge-tables using your commands I can't access the network!!

elico avatar elico commented on August 16, 2024

@androuxx I will try to test it in the next days/week.

elico avatar elico commented on August 16, 2024

@androuxx what is the output of:

cat /proc/sys/net/ipv4/ip_forward

androuxx avatar androuxx commented on August 16, 2024

Many thanks @elico,
I will try it and give you feedback.

elico avatar elico commented on August 16, 2024

@androuxx any news?
