12 April 2014, 10:00

We'll look here at the logging facility used by nftables: NFLOG.


NFLOG lets you place log hooks in nftables chains, i.e. set monitoring points: for example, logging accepted incoming packets separately from dropped incoming packets, and so on.
That gives you live firewall monitoring as well as finer-grained troubleshooting.

 

We'll be using our Part 6 : NFtables Linux Internet Gateway here and see how to add monitoring points to it :

[image NF5d: the Part 6 Internet gateway]

Note that NFLOG is not nftables-specific: the same nfnetlink_log subsystem sits behind the iptables NFLOG target (see the iptables syntax in section 7).

 

 

 

1. The Netfilter Logging Framework


Since Linux 2.6.14 it has been possible to hand packets seen by the kernel packet filter to userspace over netlink, rather than only writing a summary line to the kernel log.

There are two families of tools :

QUEUE and NFQUEUE   : hand the packet to an external application that decides its fate ( Snort in inline IDS/IPS mode, NuFW, ... )
LOG and NFLOG       : logging only ; LOG writes a line to the kernel log ( syslog ), NFLOG delivers a copy of the packet over netlink to consumers such as ulogd or Wireshark

NFLOG is the newer logging target, available to both iptables and nftables. The NFLOG target copies the packet ( optionally truncated to a configured number of bytes ) and sends it, together with metadata such as the prefix and interface indexes, to a netlink multicast group, the "nflog group" ; any process subscribed to that group receives it. libpcap exposes these groups as pseudo-interfaces named nflog:<group>, which is how Wireshark and dumpcap see them.

 

 

 

2. NFlog


nfnetlink_log has to be bound as the active logger per protocol family. To see which logger is bound for each family :

 

cat /proc/net/netfilter/nf_log

 

you might get this :

# cat /proc/net/netfilter/nf_log
 0 NONE (nfnetlink_log)
 1 NONE (nfnetlink_log)
 2 nfnetlink_log (nfnetlink_log)
 3 NONE (nfnetlink_log)
 4 NONE (nfnetlink_log)
 5 NONE (nfnetlink_log)
 6 NONE (nfnetlink_log)
 7 NONE (nfnetlink_log)
 8 NONE (nfnetlink_log)
 9 NONE (nfnetlink_log)
10 NONE (nfnetlink_log)
11 NONE (nfnetlink_log)
12 NONE (nfnetlink_log)
#

Let's read this. The number at the start of each line is the protocol family ( the NFPROTO_* values from <linux/netfilter.h> ) :

0 = unspecified, 2 = IPv4, 3 = ARP, 4 = Novell IPX, 7 = bridge, 10 = IPv6, ...

Each line reads : Family Number / Active Logger ( Available Loggers ).

So here nfnetlink_log is active for IPv4 only. For IPv6 it is registered but not bound :

( line 10 is : '10 NONE (nfnetlink_log)' )

We need to bind nfnetlink_log for IPv6. The listing is read from /proc/net/netfilter/nf_log, but the binding is written through the per-family sysctl files under /proc/sys/net/netfilter/nf_log/ :

echo "nfnetlink_log" > /proc/sys/net/netfilter/nf_log/10

we should get this :

# cat /proc/net/netfilter/nf_log
 0 NONE (nfnetlink_log)
 1 NONE (nfnetlink_log)
 2 nfnetlink_log (nfnetlink_log)
 3 NONE (nfnetlink_log)
 4 NONE (nfnetlink_log)
 5 NONE (nfnetlink_log)
 6 NONE (nfnetlink_log)
 7 NONE (nfnetlink_log)
 8 NONE (nfnetlink_log)
 9 NONE (nfnetlink_log)
10 nfnetlink_log (nfnetlink_log)
11 NONE (nfnetlink_log)
12 NONE (nfnetlink_log)
#


So line 2 is for IPv4, line 10 is for IPv6

 

To enable Nflog for IPv4 :
echo "nfnetlink_log" > /proc/sys/net/netfilter/nf_log/2

 

To enable Nflog for IPv6 :
echo "nfnetlink_log" > /proc/sys/net/netfilter/nf_log/10

Note : this is not persistent across reboots, and oddly even a script run at boot gets overridden ( the binding is plain kernel state and can be replaced when another logger module is loaded later ). The same keys exist as sysctls ( net.netfilter.nf_log.2 and net.netfilter.nf_log.10 ), but writing them only succeeds once the nfnetlink_log module is loaded, so an /etc/sysctl.conf entry alone is not reliable at boot. As I did not find a clean way to make it persistent, I ended up using a 1 minute cron job :

 

sudo crontab -e

 

add this :
* * * * * sh /etc/init.d/fwlog.sh

 

the cron job runs this script ( create it with sudo gedit /etc/init.d/fwlog.sh, or any editor ) :

 

-------------------------------------------------------------------------------------
#!/bin/bash
# Bind nfnetlink_log for IPv4 (family 2) and IPv6 (family 10); the write fails
# with ENOENT unless the nfnetlink_log module is loaded, hence the modprobe.
modprobe nfnetlink_log 2>/dev/null
for family in 2 10; do
    grep -q "^ *$family nfnetlink_log" /proc/net/netfilter/nf_log || echo nfnetlink_log > /proc/sys/net/netfilter/nf_log/$family
done
exit 0
---------------------------------------------------------------------------------------

 

sudo chmod +x /etc/init.d/fwlog.sh
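The same check can be done in a more explicit way. The script below is an added example (it is not part of the original article): it parses the /proc/net/netfilter/nf_log listing, reports which of the wanted families still lack nfnetlink_log, refuses to proceed when the logger is not registered at all (the sysctl write would fail with ENOENT in that case), and performs the same writes as fwlog.sh only when they are needed. The family names are the NFPROTO_* numbers from <linux/netfilter.h>; the listing used in the test is a copy of the one shown above.

```python
"""Check /proc/net/netfilter/nf_log and bind nfnetlink_log for the families
that still lack it. Added example, not code from the original article."""
import sys

NF_LOG_STATE = "/proc/net/netfilter/nf_log"          # read-only listing
NF_LOG_SYSCTL = "/proc/sys/net/netfilter/nf_log"     # one writable file per family number
FAMILY_NAMES = {0: "unspec", 2: "ipv4", 3: "arp", 7: "bridge", 10: "ipv6"}


def parse_nf_log(text):
    """'10 NONE (nfnetlink_log,nf_log_ipv6)' -> {10: (None, ['nfnetlink_log', 'nf_log_ipv6'])}.

    Kernels before 3.17 list a single available logger per family; newer ones
    may list several, comma-separated. Shell prompts and blank lines are skipped."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        active = None if parts[1] == "NONE" else parts[1]
        available = [m.strip() for m in parts[2].strip().strip("()").split(",") if m.strip()]
        table[int(parts[0])] = (active, available)
    return table


def missing_bindings(table, wanted=(2, 10), logger="nfnetlink_log"):
    """Families from `wanted` that do not have `logger` active yet.

    Raises if the logger is not even registered for a family: writing its name
    to the sysctl file would then fail with ENOENT (module not loaded)."""
    todo = []
    for family in wanted:
        active, available = table.get(family, (None, []))
        if active == logger:
            continue
        if logger not in available:
            raise RuntimeError("%s is not registered for family %d (%s); modprobe it first"
                               % (logger, family, FAMILY_NAMES.get(family, "?")))
        todo.append(family)
    return todo


def bind_commands(families, logger="nfnetlink_log"):
    """The shell equivalents of the writes to make, one per family."""
    return ["echo %s > %s/%d" % (logger, NF_LOG_SYSCTL, f) for f in families]


def bind(families, logger="nfnetlink_log"):
    """Perform the writes (needs root)."""
    for family in families:
        with open("%s/%d" % (NF_LOG_SYSCTL, family), "w") as f:
            f.write(logger)


if __name__ == "__main__":
    with open(NF_LOG_STATE) as f:
        table = parse_nf_log(f.read())
    todo = missing_bindings(table)
    if not todo:
        print("nfnetlink_log already active for IPv4 and IPv6")
    elif "--apply" in sys.argv:
        bind(todo)
        print("bound nfnetlink_log for families", todo)
    else:
        print("\n".join(bind_commands(todo)), "\n(re-run with --apply as root)")
```

Run it without arguments to see what would be written, and with --apply as root to do it; it can replace the bash file in the cron job above since it is a no-op when the bindings are already in place.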

 

 

 

3. Simple NFTABLES LOG

 

Let's start with the simplest log syntax :
nft add rule filter output log


On the kernel this article was written against ( 3.13 ), with nfnetlink_log bound as in section 2, this logs every output packet to the default nflog group, i.e. nflog:0, the nflog pseudo-interface that appears in Wireshark's interface list. On kernels from about 3.17 onward the nft log statement selects the logger by type instead : a plain log goes to the kernel log ( syslog ) via nf_log_ipv4 / nf_log_ipv6, and only log group N ( including group 0 ) goes to nfnetlink_log, so on a current system write the group explicitly.


Another option is to capture from the command line and open the capture in Wireshark later :

 

dumpcap -i nflog -w nflog.pcap                                                        ( nb : on my setup this did not work when run as root ; the Debian/Ubuntu wireshark-common package expects dumpcap to be run by a member of the wireshark group, to which it grants the needed capabilities )
wireshark -r nflog.pcap

 

 

 

4. NFTABLES LOG with Prefixes


A little more sophisticated syntax is to use prefixes to tag the different log points. Ex :
sudo nft add rule filter input counter log prefix "INPUT"
sudo nft add rule filter output ct state new counter log prefix "OUTPUT" accept

This attaches a different 'tag' to the logged packets ( carried in the NFULA_PREFIX attribute of each nflog message ), while still logging to the default nflog group ( nflog:0 ).

The display can be filtered in Wireshark, using these filters :

 

nflog.prefix == "INPUT"
nflog.prefix == "OUTPUT"

NB : I found that the prefix must contain no spaces, ie use "ALLOWED_OUT" rather than "ALLOWED OUT".

Furthermore, a dedicated Prefix column can be added in Wireshark to show these prefixes live :

 

[image NF7c: Wireshark capture with a Prefix column]

 

  To do so, add a NEW COLUMN :

 

[image NF7e: Wireshark column preferences]

 

    field type : custom
    field name : nflog.prefix
    tick 'displayed'
 


The capture can still be performed using the command line :


dumpcap -i nflog -w nflog.pcap
wireshark -r nflog.pcap

 

 

 

5. Nftables LOG using groups

A more sophisticated approach is to use 'GROUPS', ie different netlink multicast groups, for different log points or zones.


The nflog group is the netlink multicast group to which the packets are sent. The default is 0 and the valid range is 0-65535 ( 2^16 - 1 ).

 

As an example, all dropped incoming packets ( INPUT and FORWARD in ) could go to one group and all outgoing packets ( OUTPUT and FORWARD out ) to another, or groups could be used to separate different destination IPs... Here is an example :

 

nft add rule filter forward ip daddr 192.168.2.10 log group 10
nft add rule filter forward ip daddr 192.168.2.34 log group 34

 

This logs to nflog groups 10 and 34, which libpcap exposes as the pseudo-interfaces nflog:10 and nflog:34.

 

Wireshark doesn't seem to offer a GUI way to select these group interfaces. The only way I know to capture them is to start Wireshark from the command line :

 

wireshark -i nflog:34 -i nflog:10 -k

we can then ping 192.168.2.10 and 192.168.2.34 from the 192.168.1.0/24 network and watch the nflog messages live in Wireshark :

 

[image NF7d: live capture on nflog:10 and nflog:34]

The GROUP is shown as 'Resource ID' in Wireshark. Here are the Wireshark display filters :

 

nflog.res_id == 34
nflog.res_id == 10

Furthermore, a custom GROUP column can be created for the live capture display :

 

[image NF7a: Wireshark capture with a Resource ID column]

 

NEW COLUMN :

 

[image NF7f: Wireshark column preferences]

 

    field type : custom
    field name : nflog.res_id
    tick 'displayed'
 

The command line capture syntax is :

 

dumpcap -i nflog:10 -i nflog:34 -w nflog.pcap
wireshark -r nflog.pcap

quote " The resource ID is in network byte order (big-endian). On one netlink socket it's possible to listen to several nflog groups; the resource ID is the nflog group for the packet "
source : http://www.tcpdump.org/linktypes/LINKTYPE_NFLOG.html
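The prefix filter of section 4 and the group ( Resource ID ) filter above are simply fields of the LINKTYPE_NFLOG record that dumpcap writes for an nflog:<group> capture. The script below is an added example ( not from this article, nor from nftables or Wireshark ) : it builds such records, writes them into a pcap with link type 239 that you can open in Wireshark to try the display filters without root, and parses them back. The record layout follows the tcpdump.org description quoted above ; the TLV type numbers are the NFULA_* constants from <linux/netfilter/nfnetlink_log.h> ; the ICMP packets, prefixes, group numbers and the interface index are constructed sample data.

```python
"""Build, write and parse LINKTYPE_NFLOG (239) records, the per-packet format
libpcap/dumpcap produce for an nflog:<group> capture.

Added example, not code from the original article or from nftables/Wireshark.
Layout per the tcpdump.org LINKTYPE_NFLOG page: a 4-byte header (address
family, version 0, resource ID = nflog group in big-endian) followed by TLVs
whose 2-byte length and type are in the capture host's byte order (written
little-endian here, matching the pcap magic below) and padded to 4 bytes.
TLV types are the NFULA_* constants from <linux/netfilter/nfnetlink_log.h>.
The ICMP packet and the interface index are constructed sample data."""
import socket
import struct

LINKTYPE_NFLOG = 239
AF_INET, AF_INET6 = 2, 10
NFULA_PACKET_HDR, NFULA_IFINDEX_INDEV, NFULA_PAYLOAD, NFULA_PREFIX = 1, 4, 9, 10


def align4(n):
    return (n + 3) & ~3


def build_nflog_record(family, group, prefix, payload, indev=None):
    """Serialise one record the way Wireshark's nflog dissector expects it."""
    def tlv(tlv_type, value):
        length = 4 + len(value)                       # length covers the TLV header
        return struct.pack("<HH", length, tlv_type) + value + b"\x00" * (align4(length) - length)

    rec = struct.pack("!BBH", family, 0, group)          # resource ID is always big-endian
    hw_protocol = 0x0800 if family == AF_INET else 0x86DD  # EtherType in NFULA_PACKET_HDR
    rec += tlv(NFULA_PACKET_HDR, struct.pack("!HBB", hw_protocol, 0, 0))
    if indev is not None:
        rec += tlv(NFULA_IFINDEX_INDEV, struct.pack("!I", indev))
    rec += tlv(NFULA_PREFIX, prefix.encode() + b"\x00")  # nft 'log prefix', NUL-terminated
    rec += tlv(NFULA_PAYLOAD, payload)                    # the logged packet itself
    return rec


def parse_nflog_record(rec):
    """Decode a record into family, group (nflog.res_id), prefix (nflog.prefix), payload."""
    family, version, group = struct.unpack("!BBH", rec[:4])
    if version != 0:
        raise ValueError("unsupported NFLOG version %d" % version)
    out = {"family": family, "group": group, "prefix": None, "payload": b""}
    off = 4
    while off + 4 <= len(rec):
        length, tlv_type = struct.unpack("<HH", rec[off:off + 4])
        if length < 4 or off + length > len(rec):
            raise ValueError("truncated TLV at offset %d" % off)
        value = rec[off + 4:off + length]
        if tlv_type == NFULA_PREFIX:
            out["prefix"] = value.split(b"\x00", 1)[0].decode()
        elif tlv_type == NFULA_PAYLOAD:
            out["payload"] = value
        off += align4(length)
    return out


def write_pcap(path, records):
    """Write (timestamp, record) pairs as a little-endian pcap with link type 239."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_NFLOG))
        for ts_sec, rec in records:
            f.write(struct.pack("<IIII", ts_sec, 0, len(rec), len(rec)) + rec)


def inet_checksum(data):
    """RFC 1071 ones'-complement checksum, used for the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def sample_icmp_echo(src, dst):
    """Constructed IPv4 ICMP echo request, like the pings sent to 192.168.2.x above."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"nflog-test"
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0x4000, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


if __name__ == "__main__":
    # One record per group, as the 'log group 10' / 'log group 34' rules would produce.
    records = [
        (1, build_nflog_record(AF_INET, 10, "FORWARD_10", sample_icmp_echo("192.168.1.50", "192.168.2.10"), indev=2)),
        (2, build_nflog_record(AF_INET, 34, "FORWARD_34", sample_icmp_echo("192.168.1.50", "192.168.2.34"), indev=2)),
    ]
    write_pcap("nflog-sample.pcap", records)
    for _, rec in records:
        print(parse_nflog_record(rec))
```

After running it, tshark -r nflog-sample.pcap -Y 'nflog.res_id == 34' -T fields -e nflog.prefix -e ip.dst prints only the second record, which is exactly the selection the GUI filters above perform on a real capture.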

 

 

 

6. Basic FW example using Prefixes and Groups

 

Here is our Internet gateway ruleset ( eth0 on the LAN side, 192.168.2.0/24 ; eth1 on the WAN side, 192.168.1.0/24 ), with NFLOG logging added :

 

[image NF5d: the Part 6 Internet gateway]

 

The main ideas are :

 

. use descriptive NFLOG prefixes everywhere
. use group 1 for the Linux host's own firewall ( INPUT and OUTPUT chains )
. use group 2 for forwarded traffic ( FORWARD chains )
. the ICMP policy tries to be RFC compliant

-------------------------------------------------------------------------------------------------------------------------------------------------------------------
# The ip and ip6 'filter' tables and their input/output/forward base chains come
# from Part 6; this file only replaces their rules. Load it with: nft -f <file>
# Syntax note: current nft requires 'snat to' / 'dnat to' and brackets around an
# IPv6 address followed by a port; the 2014 release accepted 'snat <addr>'.
flush table filter
flush table ip6 filter

# IPv4 host firewall, logged to group 1
add rule filter input ct state established accept
add rule filter input ct state related accept
add rule filter input iif lo accept
add rule filter input icmp type echo-request counter log prefix "IPv4_PING_IN" group 1 accept
add rule filter input tcp dport ssh counter log prefix "IPv4_SSH_IN" group 1 accept
add rule filter input iif eth0 udp dport 67 counter log prefix "IPv4_DHCP_LAN_IN" group 1 accept
add rule filter input counter log prefix "IPv4_IN_DROPPED" group 1 drop

add rule filter output ct state established accept
add rule filter output ct state related accept
add rule filter output oif lo accept
add rule filter output ct state new counter log prefix "IPv4_OUT" group 1 accept

# IPv4 forwarding, logged to group 2 (eth1 = WAN, eth0 = LAN)
add rule filter forward iif eth1 oif eth0 ct state established accept
add rule filter forward iif eth1 oif eth0 ct state related accept
add rule filter forward iif eth1 oif eth0 icmp type echo-request counter log prefix "IPv4_PING_FORWARD_IN_DROPPED" group 2 drop

add rule filter forward iif eth0 oif eth1 ct state established accept
add rule filter forward iif eth0 oif eth1 ct state related accept

add rule filter forward iif eth0 oif eth1 ct state new counter log prefix "IPv4_FORWARD_OUT" group 2 accept
add rule filter forward iif eth1 oif eth0 counter log prefix "IPv4_FORWARD_IN_DROPPED" group 2 drop

# IPv6 host firewall, logged to group 1
add rule ip6 filter input ct state established accept
add rule ip6 filter input ct state related accept
add rule ip6 filter input iif lo accept
add rule ip6 filter input tcp dport ssh counter log prefix "IPv6_SSH_IN" group 1 accept
add rule ip6 filter input iif eth0 udp dport 547 counter log prefix "IPv6_DHCP_LAN_IN" group 1 accept

# neighbour discovery must get through for IPv6 to work at all
add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
add rule ip6 filter input icmpv6 type echo-request counter log prefix "IPv6_PING_IN" group 1 accept
add rule ip6 filter input icmpv6 type nd-router-advert accept
add rule ip6 filter input icmpv6 type nd-neighbor-advert accept

add rule ip6 filter input counter log prefix "IPv6_IN_DROPPED" group 1 drop

add rule ip6 filter output ct state established accept
add rule ip6 filter output ct state related accept
add rule ip6 filter output oif lo accept
add rule ip6 filter output ct state new counter log prefix "IPv6_OUT" group 1 accept

# IPv6 forwarding, logged to group 2
add rule ip6 filter forward iif eth1 oif eth0 ct state established accept
add rule ip6 filter forward iif eth1 oif eth0 ct state related accept
add rule ip6 filter forward iif eth1 oif eth0 icmpv6 type echo-request counter log prefix "IPv6_PING_FORWARD_IN_ACCEPTED" group 2 accept

add rule ip6 filter forward iif eth0 oif eth1 ct state established accept
add rule ip6 filter forward iif eth0 oif eth1 ct state related accept

add rule ip6 filter forward iif eth0 oif eth1 ct state new counter log prefix "IPv6_FORWARD_OUT" group 2 accept
add rule ip6 filter forward iif eth1 oif eth0 counter log prefix "IPv6_FORWARD_IN_DROPPED" group 2 drop

# NAT: source NAT one LAN host to the WAN address, redirect LAN DNS to 8.8.8.8
add table nat
flush table nat
add chain nat post { type nat hook postrouting priority 0 ; }
add chain nat pre { type nat hook prerouting priority 0 ; }

add rule nat post ip saddr 192.168.2.100 oif eth1 snat to 192.168.1.220
add rule nat pre udp dport 53 ip saddr 192.168.2.0/24 dnat to 8.8.8.8:53

add table ip6 nat
add chain ip6 nat postrouting { type nat hook postrouting priority 0 ; }
add chain ip6 nat pre { type nat hook prerouting priority 0 ; }

add rule ip6 nat pre udp dport 53 ip6 saddr 2001:470:c82c:2::/64 dnat to [2001:4860:4860::8888]:53
----------------------------------------------------------------------------------------------------------------------------------------------------------------


We can then monitor the whole firewall from Wireshark with this command line :
wireshark -i nflog:1 -i nflog:2 -k
 
[image NF7b: live capture on nflog:1 and nflog:2 with Prefix and Resource ID columns]



7. Notes

 

iptables syntax :

 

As NFLOG is shared with iptables, here is the equivalent iptables syntax, handy for quick debugging :

 

iptables -A OUTPUT -j NFLOG

iptables -A INPUT -j NFLOG --nflog-group 10

iptables -A OUTPUT -j NFLOG --nflog-prefix TEST1


Published by computer outlines, in Nftables.