ipt-netflow

ignoring subnets

Open floren opened this issue 4 years ago • 3 comments

I'm using the standalone module on a Debian system, and while it's working great I'm seeing huge numbers of flows between my Docker containers, which are not especially useful to me. They're all on a particular subnet (192.168.10.0/16); is there any way to disable monitoring for flows between IPs in a subnet?

floren avatar Jun 12 '20 16:06 floren

It is an iptables module. Just exclude subnets from being sent to it in iptables.

For example: you have

    :INPUT ACCEPT [0:0]
    -A INPUT -j NETFLOW

Replace it with

    :CUSTOM_NETFLOW - [0:0]
    -A CUSTOM_NETFLOW -d 192.168.0.0/24 -j RETURN
    -A CUSTOM_NETFLOW -d 192.168.1.0/24 -j RETURN
    -A CUSTOM_NETFLOW -j NETFLOW
    :INPUT ACCEPT [0:0]
    -A INPUT -j CUSTOM_NETFLOW

Traffic to the destination subnets 192.168.0.0/24 and 192.168.1.0/24 would not be sent to the collector.

Pinkbyte avatar Jun 14 '20 10:06 Pinkbyte
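The custom-chain approach from the reply above, as an added example that is not code from the thread or from the ipt-netflow project: a small POSIX sh generator that emits an iptables-restore fragment. It goes slightly beyond the reply in two ways that fit the original question: each excluded CIDR is matched on source and destination together, so only flows between hosts of that subnet are skipped while traffic leaving the subnet is still exported, and the chain is hooked into FORWARD as well as INPUT, on the assumption that bridged Docker container traffic is seen by the host in FORWARD. The chain name CUSTOM_NETFLOW is taken from the reply; the function names, the sample CIDRs and the file name in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or ipt-netflow. Builds an
# iptables-restore fragment that keeps traffic *between* hosts of each
# excluded subnet away from the NETFLOW target. Only the chain name
# CUSTOM_NETFLOW comes from the reply; the rest is an assumption.

# gen_netflow_rules CIDR [CIDR ...]
# Prints a *filter table fragment on stdout. Each CIDR gets one rule
# matching packets whose source AND destination lie inside it, so only
# intra-subnet flows are returned before reaching NETFLOW. Built-in
# chain policy lines are deliberately left out so that applying the
# fragment with --noflush does not reset an existing DROP policy.
gen_netflow_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':CUSTOM_NETFLOW - [0:0]'
    for cidr in "$@"; do
        printf '%s\n' "-A CUSTOM_NETFLOW -s $cidr -d $cidr -j RETURN"
    done
    # Everything that was not returned above is exported.
    printf '%s\n' '-A CUSTOM_NETFLOW -j NETFLOW'
    # Assumption: host-bound traffic arrives in INPUT, bridged container
    # traffic in FORWARD, so both jump into the filter chain.
    printf '%s\n' '-A INPUT -j CUSTOM_NETFLOW'
    printf '%s\n' '-A FORWARD -j CUSTOM_NETFLOW'
    printf '%s\n' 'COMMIT'
}

# count_return_rules CIDR [CIDR ...]
# Sanity check: number of RETURN rules emitted, one per excluded CIDR.
count_return_rules() {
    gen_netflow_rules "$@" | grep -c -e '-j RETURN'
}

# Usage (sample CIDRs are constructed):
#   sh gen-netflow-rules.sh 192.168.10.0/24 172.17.0.0/16 > netflow.rules
#   iptables-restore --test < netflow.rules     # parse only, commit nothing
#   iptables-restore --noflush < netflow.rules  # add without flushing
if [ "$#" -gt 0 ]; then
    gen_netflow_rules "$@"
fi
```

Check the result with `iptables -S CUSTOM_NETFLOW`: the RETURN rules must appear before the NETFLOW rule, otherwise every packet is exported before the exclusion is reached. If the interface-based exclusion discussed later in the thread is enough for your setup, the same chain takes a rule such as `-A CUSTOM_NETFLOW -i docker0 -j RETURN` in place of the CIDR rules.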

@floren There is no support for this, yes. But let's discuss it. Do you really need filtering by CIDR, or would filtering by interface number do it? For example, to ignore all packets on the lo interface.

aabc avatar Jun 15 '20 03:06 aabc

Filtering by CIDR would be great but I think if I could specify multiple interfaces to ignore, that would suit my particular purpose.

floren avatar Jun 16 '20 22:06 floren