aabc / ipt-netflow

Netflow iptables module for Linux kernel (official)
https://github.com/aabc/ipt-netflow

ignoring subnets #140

Open floren opened 4 years ago

floren commented 4 years ago

I'm using the standalone module on a Debian system, and while it's working great I'm seeing huge numbers of flows between my Docker containers, which are not especially useful to me. They're all on a particular subnet (192.168.10.0/16); is there any way to disable monitoring for flows between IPs in a subnet?

Pinkbyte commented 4 years ago

It is an iptables module. Just exclude subnets from being sent to it from iptables.

For example: you have

:INPUT ACCEPT [0:0]
-A INPUT -j NETFLOW

Replace it with

:CUSTOM_NETFLOW - [0:0]
-A CUSTOM_NETFLOW -d 192.168.0.0/24 -j RETURN
-A CUSTOM_NETFLOW -d 192.168.1.0/24 -j RETURN
-A CUSTOM_NETFLOW -j NETFLOW
:INPUT ACCEPT [0:0]
-A INPUT -j CUSTOM_NETFLOW

Traffic to destination subnets 192.168.0.0/24 and 192.168.1.0/24 would not be sent to the collector.

aabc commented 4 years ago

@floren There is no support for this, yes. But, let's discuss it. Do you really need filtering by CIDR, or would filtering by interface number do it? For example, to ignore all packets on the lo interface.
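The two suggestions in this thread, excluding by subnet in iptables (Pinkbyte's custom chain) and excluding by interface (aabc's suggestion), can be combined in the same chain. The script below is an added example, not code from the ipt-netflow project or from anyone in this thread: it generates an iptables-restore fragment that sends INPUT and FORWARD traffic through CUSTOM_NETFLOW, RETURNs early for excluded subnets and excluded input interfaces, and only then reaches the NETFLOW target. It goes slightly beyond the comment above by matching each subnet as both source and destination, so flows in either direction between container IPs are skipped, and it validates each CIDR before emitting rules so a typo cannot produce a ruleset that silently excludes nothing. The chain name CUSTOM_NETFLOW comes from the thread; the choice of INPUT and FORWARD as hook points and the sample subnets and interface names are assumptions.

```shell
#!/bin/sh
# Added example (not ipt-netflow project code). Emits an iptables-restore
# filter-table fragment that skips NETFLOW accounting for chosen subnets
# and input interfaces. Review the output and merge it into your ruleset.

# valid_cidr a.b.c.d/n: return 0 for a well-formed IPv4 CIDR, 1 otherwise.
valid_cidr() {
    case $1 in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}
    len=${1#*/}
    case $len in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$len" -le 32 ] || return 1
    oldifs=$IFS
    IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_netflow_rules "<space-separated CIDRs>" "<space-separated interfaces>"
# Prints the ruleset on stdout; returns 1 without printing if a CIDR is bad.
gen_netflow_rules() {
    cidrs=$1
    ifaces=$2
    for net in $cidrs; do
        valid_cidr "$net" || { echo "invalid CIDR: $net" >&2; return 1; }
    done
    printf '%s\n' '*filter'
    printf '%s\n' ':CUSTOM_NETFLOW - [0:0]'
    for net in $cidrs; do
        # RETURN before NETFLOW for packets from or to the excluded subnet,
        # so flows in both directions inside it are never exported.
        printf -- '-A CUSTOM_NETFLOW -s %s -j RETURN\n' "$net"
        printf -- '-A CUSTOM_NETFLOW -d %s -j RETURN\n' "$net"
    done
    for dev in $ifaces; do
        # -i (input interface) is valid in INPUT and FORWARD, not OUTPUT,
        # which is why this chain is only hooked from those two.
        printf -- '-A CUSTOM_NETFLOW -i %s -j RETURN\n' "$dev"
    done
    # NETFLOW is non-terminating: after accounting, the packet returns to
    # the calling chain and the existing policy still applies.
    printf '%s\n' '-A CUSTOM_NETFLOW -j NETFLOW'
    printf '%s\n' '-A INPUT -j CUSTOM_NETFLOW'
    printf '%s\n' '-A FORWARD -j CUSTOM_NETFLOW'
    printf '%s\n' 'COMMIT'
}

# Sample invocation with constructed values: two Docker-style subnets
# (assumed) plus the loopback and docker0 interfaces (assumed).
gen_netflow_rules "192.168.0.0/24 192.168.1.0/24" "lo docker0"
```

Redirect the output to a file, inspect it, and load it with iptables-restore alongside your other filter-table rules; the fragment deliberately omits policy lines for the built-in chains so it does not change what your existing ruleset accepts or drops.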

floren commented 4 years ago

Filtering by CIDR would be great but I think if I could specify multiple interfaces to ignore, that would suit my particular purpose.