Comments (16)
from ndpi-netfilter.
Going to try it out.
right now:
iptables -t filter -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
INPUT (default policy is allow):
-A INPUT -i lo -j ACCEPT
...
--> some allowing rules
...
-A INPUT -j DROP (drop at the end)
FORWARD (default policy is allow):
--> some allowing rules
...
-A FORWARD -j DROP (drop at the end)
OUTPUT (default policy is allow):
nothing here...
iptables -t mangle -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -i lo -j ACCEPT
-A PREROUTING -m ndpi --dpi_check
-A POSTROUTING -o lo -j ACCEPT
-A POSTROUTING -m ndpi --dpi_check
from ndpi-netfilter.
@rightkick Alex, but the default policy is accept (the whole mangle table)
Also, if I just had the ndpi on the production server (just counting the packets like this):
iptables -I FORWARD -m ndpi --applejuice --directconnect --gnutella --edonkey --bittorrent --soulseek -m comment --comment "ndpi checker"
the server also freezes (the -m ndpi --dpi_check rules are not applied... just this one rule).
from ndpi-netfilter.
Ok, tried right now to speed it up:
added:
iptables -I FORWARD -m ndpi --youtube -j DROP
Watched YouTube for maybe 2 minutes and the server crashed. Over IPMI the login screen was there, no response to keys. Going to check the logs after the reboot...
It's the testing server 2; 2 posts up are the iptables rules... dpi_check applied, also the loopback allowed, but the default policy on mangle is allow.
Only dropping is happening in the FORWARD and INPUT chains of the filter table.
A.D.: Nothing in the logs
from ndpi-netfilter.
@melicherm This is the same issue I was having since I tried using this repo.
I tried to use it, but every time the machine froze, so eventually I tried other options.
from ndpi-netfilter.
@elico - what were your other options? Curious about it.
from ndpi-netfilter.
@melicherm zeroshell FW, Ubiquiti EdgeMAX router, and https://github.com/vel21ripn/nDPI.
None of the options are perfect, but I didn't manage to make the server unresponsive.
I have also seen that ClearOS and/or NethServer have nDPI support, but I have yet to try it.
from ndpi-netfilter.
What do you mean with that line:
Amend mangle chains to exclude that traffic from ndpi checks. I had encountered similar freezes and was able to resolve them with checking only forwarded traffic.
What I want to have in the -t filter table, in the FORWARD chain, is this rule:
iptables -I FORWARD -m ndpi --applejuice --directconnect --gnutella --edonkey --bittorrent --soulseek -m comment --comment "ndpi checker" -j DROP
That is my only wish :)... without freezes. What are you suggesting? Please be specific.
Thank you,
Markus.
from ndpi-netfilter.
New info...
tried right now:
@rightkick - separating rules like you wrote
-t filter
iptables -A FORWARD -s XXX.XXX.XXX.XXX/21 -j ndpi_filter
iptables -A FORWARD -d XXX.XXX.XXX.XXX/21 -j ndpi_filter
iptables -A FORWARD -s XXX.XXX.XXX.XXX/21 -j ndpi_dropper
iptables -A FORWARD -d XXX.XXX.XXX.XXX/21 -j ndpi_dropper
-A ndpi_dropper -m ndpi --gnutella -j DROP
-A ndpi_dropper -m ndpi --edonkey -j DROP
-A ndpi_dropper -m ndpi --bittorrent -j DROP
-A ndpi_filter -m ndpi --gnutella -j SET --add-set torrents src,dst --timeout 7200
-A ndpi_filter -m ndpi --edonkey -j SET --add-set torrents src,dst --timeout 7200
-A ndpi_filter -m ndpi --bittorrent -j SET --add-set torrents src,dst --timeout 7200
-t mangle
iptables -A PREROUTING -m ndpi --dpi_check
iptables -A POSTROUTING -m ndpi --dpi_check
also specifying the network in the rules?:
iptables -A PREROUTING -s XXX.XXX.XXX.XXX/21 -m ndpi --dpi_check
iptables -A PREROUTING -d XXX.XXX.XXX.XXX/21 -m ndpi --dpi_check
iptables -A POSTROUTING -s XXX.XXX.XXX.XXX/21 -m ndpi --dpi_check
iptables -A POSTROUTING -d XXX.XXX.XXX.XXX/21 -m ndpi --dpi_check
Tried every one of these (with DROPping or just counting), also separating the rules, like only the FB rule and nothing more, only YT, only bittorrent, only edonkey, etc...
-A ndpi_dropper -m ndpi --gnutella -j DROP
-A ndpi_dropper -m ndpi --edonkey -j DROP
-A ndpi_dropper -m ndpi --bittorrent -j DROP
-A ndpi_dropper -m ndpi --facebook -j DROP
-A ndpi_dropper -m ndpi --youtube -j DROP
freezes just with facebook && youtube && ndpi_check in mangle
also tried none of the rules, so just the -m ndpi --dpi_check in the mangle table...
Something with the module & kernel somewhere...
the server freezes... @betolj any help from you?
from ndpi-netfilter.
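A worked version of the split FORWARD / ndpi_filter / ndpi_dropper layout from the comment above, which is also the single P2P drop rule Markus asked for a few posts up, added here as an example; it is not code from the thread or from the ndpi-netfilter project. It assumes a placeholder LAN range (RFC 5737 documentation space) in place of the redacted XXX.XXX.XXX.XXX/21, an ipset named torrents of type hash:net,net created with timeout support (which is what `-j SET --add-set torrents src,dst --timeout 7200` needs), and it places `--dpi_check` in the mangle FORWARD chain only, one reading of rightkick's "check only forwarded traffic" suggestion; whether that avoids the freezes is not something the thread establishes. The apply path loads the rules behind a timed rollback, so a misbehaving ruleset that does not hard-freeze the kernel reverts on its own.

```shell
#!/bin/sh
# Added example, not from the issue thread or the ndpi-netfilter project.
# Emits the ruleset discussed above in iptables-restore format, and can apply
# it behind a dead man's switch. Assumptions (none of these come from the thread):
#   - LAN_NET stands in for the poster's XXX.XXX.XXX.XXX/21
#   - the ipset "torrents" is hash:net,net with timeout, as src,dst --timeout needs
#   - --dpi_check sits in mangle FORWARD only (forwarded traffic, not local)
set -e

LAN_NET="${LAN_NET:-192.0.2.0/24}"     # assumption: placeholder for the /21 in the thread
ROLLBACK_SECS="${ROLLBACK_SECS:-600}"  # assumption: revert after 10 minutes unless confirmed
STATE_DIR="${STATE_DIR:-/var/tmp/ndpi-test}"

# Print the ruleset. The nDPI matches are only reached for traffic to or from
# LAN_NET; everything else never touches the module.
build_rules() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A FORWARD -s ${LAN_NET} -m ndpi --dpi_check
-A FORWARD -d ${LAN_NET} -m ndpi --dpi_check
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ndpi_filter - [0:0]
:ndpi_dropper - [0:0]
-A FORWARD -s ${LAN_NET} -j ndpi_filter
-A FORWARD -d ${LAN_NET} -j ndpi_filter
-A FORWARD -s ${LAN_NET} -j ndpi_dropper
-A FORWARD -d ${LAN_NET} -j ndpi_dropper
EOF
    # ndpi_filter only records offenders in the set; ndpi_dropper does the DROP,
    # so a packet passes both chains and the set entry survives the drop.
    for proto in gnutella edonkey bittorrent; do
        echo "-A ndpi_filter -m ndpi --${proto} -j SET --add-set torrents src,dst --timeout 7200"
    done
    for proto in gnutella edonkey bittorrent; do
        echo "-A ndpi_dropper -m ndpi --${proto} -j DROP"
    done
    echo COMMIT
}

# Number of rules that invoke the nDPI match: worth knowing before loading a
# module that has already frozen the box twice.
count_ndpi_rules() {
    build_rules | grep -c -- '-m ndpi'
}

# Apply with a dead man's switch: unless confirm_rules runs within ROLLBACK_SECS
# the previous ruleset is restored. A hard kernel freeze defeats this (only a
# reboot helps), so also keep these rules out of whatever restores iptables at boot.
apply_with_rollback() {
    mkdir -p "$STATE_DIR"
    iptables-save > "$STATE_DIR/backup.rules"
    ipset create torrents hash:net,net timeout 7200 -exist
    build_rules | iptables-restore --test      # parse only; refuse to load a broken set
    build_rules | iptables-restore
    touch "$STATE_DIR/pending"
    (
        sleep "$ROLLBACK_SECS"
        if [ -e "$STATE_DIR/pending" ]; then
            iptables-restore < "$STATE_DIR/backup.rules"
        fi
    ) &
    echo "applied; run '$0 confirm' within ${ROLLBACK_SECS}s to keep the rules"
}

confirm_rules() {
    rm -f "$STATE_DIR/pending"
}

case "${1:-print}" in
    apply)   apply_with_rollback ;;
    confirm) confirm_rules ;;
    print)   build_rules ;;
esac
```

Run it with no argument to print the ruleset for review, `apply` (as root) to load it behind the timer, and `confirm` to cancel the rollback once the box has survived the test window. Because the rollback lives in a background shell, it cannot help with a panic or a hard freeze; for that case the only protection is that the nDPI rules are not part of the boot-time ruleset, so the server comes back without them.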
server 1:
debian jessie 8.6 - kernel 3.16.0-4-amd64
server 2: the main tests are done here, the first one is the production one
debian stretch 9.0 - kernel 4.8.0-1-amd64
The server should handle up to 1Gbps traffic, but the 5min average right now is 250Mbps
from ndpi-netfilter.
On the production one i tested:
only filter table, forward chain, 1 rule... no mangle
iptables -I FORWARD -m ndpi --applejuice --directconnect --gnutella --edonkey --bittorrent --soulseek -m comment --comment "ndpi checker"
Just counting, not dropping or anything -> server freezes (3.16 kernel).
Applied the rule at 20:00, server dead at about 04:00; after that I don't do any tests on the production one :D
Will try on the test one different kernel then.
from ndpi-netfilter.
After testing with persistent high traffic (~ 100Mbit/s) I also encountered kernel panic with 3.18.36.
Using https://github.com/vel21ripn/nDPI/tree/netfilter for 30+hours with same traffic did not panic.
from ndpi-netfilter.