Setup nDPI-netfilter inline mode #26

Closed
androuxx opened this issue Oct 18, 2017 · 11 comments

Comments

@androuxx

I installed the nDPI-netfilter module on my Ubuntu 16.04 LTS and I need to set up my machine to work in inline mode between the gateway and my network.
I have 3 network interfaces on my machine: one to control the machine and two to forward and control the traffic between the internet and the network.

How can I set up ndpi-netfilter iptables to control the traffic without NAT rules (without setting IP addresses for eth0 and eth1)?
What iptables rules do I need to set to forward and control the traffic with iptables and tc?

netfilter

@vel21ripn
Owner

See example in ndpi-netfilter/INSTALL.

@elico

elico commented Oct 18, 2017

@vel21ripn there is nothing mentioned in the INSTALL file about the bridge setup that he needs\requires (as far as my knowledge goes).
I believe that the next article might help a bit:
https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxBridge

Basically @androuxx, to make it work you will need to set up a bridge over eth0+eth1 and, using bridge tables, you will need to "divert" or "drop" the packets from the bridge level to the firewall\iptables level.
What OS are you using? Did you compile and install something\anything already?

@vel21ripn
Owner

nDPI does not know about layer 2. Use (filter|mangle)/FORWARD to control traffic between the physical interfaces of a bridged interface.

@androuxx
Author

What is the best way to set up ndpi-netfilter to control network traffic between the internet and the network?
@vel21ripn ndpi-netfilter/INSTALL is not clear; it does not include a setup configuration for a network, it includes an iptables setup for a single machine.
So how can I set up ndpi-netfilter for my network and pass my network traffic through my ndpi-netfilter machine?

@elico

elico commented Oct 18, 2017

@androuxx for your case you will need to go one step at a time.
The first step would be to install all the basic bridge utilities such as brctl and bridge-tables, which are used by ebtables.
Then set up a basic bridge between eth0 and eth1 and make sure that the traffic is flowing as expected and that network access is working (test it with a single client).
The next step would be to force all bridged traffic into the iptables mangle+filter FORWARD chains.
Once you are able to use\apply basic firewall rules on the bridged traffic, such as "reject all port 80 traffic" using something like:

iptables -A FORWARD -p tcp --dport 80 -j REJECT

You will be able to start playing with DPI.

To allow iptables to inspect the bridge traffic, the next might help you:

## interface facing clients
CLIENT_IFACE=eth1

## interface facing Internet
INET_IFACE=eth0

ebtables -t broute -A BROUTING -i $CLIENT_IFACE -p ipv6 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i $CLIENT_IFACE -p ipv4 -j redirect --redirect-target DROP

ebtables -t broute -A BROUTING -i $INET_IFACE -p ipv6 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i $INET_IFACE -p ipv4 -j redirect --redirect-target DROP

if test -d /proc/sys/net/bridge/ ; then
  for i in /proc/sys/net/bridge/*
  do
    echo 0 > $i
  done
  unset i
fi

Notice: first make sure it works on a single client and then move forward to more machines.
Also, depending on the middle machine's specs and the number of clients, you might need to tweak a couple of things in iptables.

Let me know if it helps.

@androuxx
Author

androuxx commented Oct 19, 2017

@elico
I set up a basic bridge using the following:

brctl addbr br0
brctl stp br0 off
ifconfig eth0 0.0.0.0 down
ifconfig eth1 0.0.0.0 down
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig eth0 up
ifconfig eth1 up
ifconfig br0 up

Then the traffic is flowing as expected and accessing the network is working.
When I set up the bridge tables using your commands I can't access the network!!

@elico

elico commented Oct 19, 2017

@androuxx I will try to test it in the next days\week.

@elico

elico commented Oct 19, 2017

@androuxx what is the output of:

cat /proc/sys/net/ipv4/ip_forward

@elico

elico commented Oct 19, 2017

@androuxx it appears that some of my assumptions were wrong, since I'm used to the squid way of handling things.
I have tested the next script\settings with nDPI version 2.0.0 and it should work with any other version:

#!/usr/bin/env bash

# Related docs
# http://manpages.ubuntu.com/manpages/zesty/man5/sysctl.d.5.html
# http://ebtables.netfilter.org/br_fw_ia/br_fw_ia.html
# http://ebtables.netfilter.org/misc/ebtables-faq.html

INT_IN=ens4
INT_OUT=ens5

brctl addbr br0
brctl addif br0 $INT_IN
brctl addif br0 $INT_OUT

ip link set up br0
ip link set up $INT_IN
ip link set up $INT_OUT

# Load the bridge+netfilter interaction modules
# (-a is required to load several modules in one call; without it the extra
# names are passed to the first module as parameters and the call fails)
modprobe -a ebtables ebtable_broute ebtable_filter
modprobe br_netfilter

# Load the physdev iptables match module (iptables normally autoloads it)
# modprobe xt_physdev

# Load the ndpi module
modprobe xt_ndpi

#cat /proc/sys/net/bridge/bridge-nf-call-ip6tables
#cat /proc/sys/net/bridge/bridge-nf-call-iptables

# Make sure that bridged traffic is handed to iptables (and arptables/ip6tables)
sysctl net.bridge.bridge-nf-call-arptables=1
sysctl net.bridge.bridge-nf-call-ip6tables=1
sysctl net.bridge.bridge-nf-call-iptables=1

# Mangle part to match all traffic of the bridge
# (no target: the ndpi match runs classification on every packet, the rules only count)
iptables -t mangle -N BRIDGE-IN
iptables -t mangle -N BRIDGE-OUT
iptables -t mangle -A BRIDGE-IN -m physdev --physdev-in $INT_IN -m ndpi --all
iptables -t mangle -A BRIDGE-OUT -m physdev --physdev-in $INT_OUT -m ndpi --all
iptables -t mangle -A PREROUTING -m physdev --physdev-in $INT_OUT -j BRIDGE-OUT
iptables -t mangle -A PREROUTING -m physdev --physdev-in $INT_IN -j BRIDGE-IN
iptables -t mangle -A FORWARD -m physdev --physdev-in $INT_OUT -j BRIDGE-OUT
iptables -t mangle -A FORWARD -m physdev --physdev-in $INT_IN -j BRIDGE-IN
iptables -t mangle -A POSTROUTING -m physdev --physdev-in $INT_OUT -j BRIDGE-OUT
iptables -t mangle -A POSTROUTING -m physdev --physdev-in $INT_IN -j BRIDGE-IN

# Filter part to filter traffic on the bridge
iptables -N BRIDGE-IN
iptables -N BRIDGE-OUT
iptables -A FORWARD -m physdev --physdev-in $INT_OUT -j BRIDGE-OUT
iptables -A FORWARD -m physdev --physdev-in $INT_IN -j BRIDGE-IN

# Add some nDPI filter rules
iptables -A BRIDGE-IN -m ndpi --youtube -j REJECT --reject-with icmp-port-unreachable
iptables -A BRIDGE-OUT -m ndpi --youtube -j REJECT --reject-with icmp-port-unreachable

# State rule to kick connection tracking on for all routed\forwarded traffic
# Even the first rule will do the job but I added a couple to the mangle table just in case..
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -t mangle -I FORWARD -m state --state INVALID -j DROP
iptables -t mangle -I PREROUTING -m state --state INVALID -j DROP
iptables -t mangle -I POSTROUTING -m state --state INVALID -j DROP

# Run the next commands to see how packets flow...
# watch -d -n1 iptables -t mangle -L -nv
# watch -d -n1 iptables -L -nv

And some stats:

# iptables  -L -nv
Chain INPUT (policy ACCEPT 2318 packets, 184K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 1787 packets, 181K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
 1087  123K BRIDGE-OUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in ens5
  703 58802 BRIDGE-IN  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in ens4

Chain OUTPUT (policy ACCEPT 1368 packets, 252K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain BRIDGE-IN (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    3   171 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol youtube reject-with icmp-port-unreachable

Chain BRIDGE-OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol youtube reject-with icmp-port-unreachable
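
As an added check for the bridge procedure described earlier in this thread and for the counters just shown (example code written for this page, not elico's script and not part of nDPI-netfilter): the functions below parse `iptables -L -nv` output and report whether bridged frames actually reach the filter table and whether the nDPI REJECT rules are seeing hits. SAMPLE is a constructed excerpt modelled on the counters above; chain and interface names follow the script.

```shell
# Added example, not from the issue thread: read `iptables -L -nv` output and
# confirm that bridged frames reach the filter table and that nDPI rules hit.
# SAMPLE is constructed, modelled on the counters posted above.
SAMPLE='Chain FORWARD (policy ACCEPT 1787 packets, 181K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
 1087  123K BRIDGE-OUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in ens5
  703 58802 BRIDGE-IN  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in ens4

Chain BRIDGE-IN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   171 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol youtube reject-with icmp-port-unreachable

Chain BRIDGE-OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ndpi protocol youtube reject-with icmp-port-unreachable'
# sum_pkts OUTPUT CHAIN TARGET [REGEX]: packet counters of rules in CHAIN that
# jump to TARGET and match REGEX; K/M/G suffixes (absent with -x) are expanded.
sum_pkts() {
  printf '%s\n' "$1" | awk -v chain="$2" -v target="$3" -v pat="${4:-}" '
    function num(s, m) { m = 1
      if (s ~ /K$/) m = 1000; else if (s ~ /M$/) m = 1000000; else if (s ~ /G$/) m = 1000000000
      sub(/[KMG]$/, "", s); return s * m }
    /^Chain / { cur = $2; next }
    cur == chain && $3 == target && $0 ~ pat { sum += num($1) }
    END { printf "%d\n", sum }'
}
# Packets FORWARD handed to the per-direction chains. Zero while a client is
# active means br_netfilter is unloaded or bridge-nf-call-iptables=0: frames
# stay at layer 2 and no iptables/nDPI rule can ever see them.
bridge_forward_pkts() {
  echo $(( $(sum_pkts "$1" FORWARD BRIDGE-IN) + $(sum_pkts "$1" FORWARD BRIDGE-OUT) ))
}
# Packets rejected by the nDPI match for protocol $2, in both directions.
ndpi_reject_pkts() {
  p='ndpi protocol '"$2"'( |$)'
  echo $(( $(sum_pkts "$1" BRIDGE-IN REJECT "$p") + $(sum_pkts "$1" BRIDGE-OUT REJECT "$p") ))
}
# One-line verdict; on the box: bridge_check "$(iptables -L -nv)" youtube
bridge_check() {
  if [ "$(bridge_forward_pkts "$1")" -eq 0 ]; then
    echo "bridged traffic not reaching iptables: check br_netfilter and bridge-nf-call-iptables"
  elif [ "$(ndpi_reject_pkts "$1" "$2")" -eq 0 ]; then
    echo "bridge inspected, no $2 flows rejected yet"
  else
    echo "ok: $(ndpi_reject_pkts "$1" "$2") $2 packets rejected"
  fi
}
bridge_check "$SAMPLE" youtube
```

Run `iptables -L -nvx` when you need exact counters; the suffix expansion only matters for the default rounded output.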

@androuxx
Author

A lot of thanks @elico.
I will try it and give you feedback.

@elico

elico commented Oct 25, 2017

@androuxx any news?
