nProbe
nProbe copied to clipboard
ntop
nProbe IPS: block traffic by FQDN
Hello ,
Is it possible to block traffic for specific fqdn's with nprobe in traffic policies? We tried to do it in "Host Rules" but it doesn't work.
Br ,
Dima Lev.
ntopng seems to propagate the policy to nProbe as expected:
{"policy":{"id":3,"default_marker":"pass","markers":{"continents":[],"categories":[],"countries":[],"hostnames":{"test.com":"drop"},"protocols":[]},"name":"Pool 2 rules","flow_risk":{"marker":"drop","bitmap":0},"root":0}}
we need to check on the nProbe side if this is honoured
@dimalev01 sure this is in queue, I will update you as soon as we complete the tests
Can you please report your netfilter configuration? I would like to check whether the problem is due to netflter or nprobe.
Hello Luca,
Netfillter file attached.
From: Luca Deri @.> Date: Friday, 24 November 2023 at 19:34 To: ntop/nProbe @.> Cc: Dima Lev @.>, Mention @.> Subject: Re: [ntop/nProbe] nProbe IPS: block traffic by FQDN (Issue #587)
Can you please report your netfilter configuration? I would like to check whether the problem is due to netflter or nprobe.
— Reply to this email directly, view it on GitHubhttps://github.com/ntop/nProbe/issues/587#issuecomment-1825948091, or unsubscribehttps://github.com/notifications/unsubscribe-auth/BDX7YAVGG4VWPHMGVDOXVFTYGDLBFAVCNFSM6AAAAAA7JBPN7CVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRVHE2DQMBZGE. You are receiving this because you were mentioned.Message ID: @.***> זהירות: מקור הדואל הזה הוא מחוץ למטריקס. חל איסור ללחוץ על קישורים או לפתוח קבצים מצורפים אלא אם כן השולח מוכר והתוכן בטוח Caution: The source of this email is from outside Matrix. it is forbidden to click on links or open attachments unless you recognize the sender and know the content is safe.
Can you please try again as see no netfilter configuration (please also add the ifconfig configuration and explain what interface does what)
Hello Luca,
- About netfilter configurations , do you mean this “policy_and_bridge_simple.sh” ? (this is the file I attached last time). @.***:/home/mor# cat policy_and_bridge_simple.sh #!/usr/bin/env bash #################
CONFIGURATION
#################
Interfaces
LAN=""
WAN=""
BRIDGE="br1t2"
ENABLE_OFFLOAD_MARKED_PACKETS=true
MARK_DROP="0x2
while getopts l:w:b:h flag
do
case "${flag}" in
l) LAN=${OPTARG};;
w) WAN=${OPTARG};;
b) BRIDGE=${OPTARG};;
h) ;;
esac
done
if [ -z "$LAN" ] || [ -z "$WAN" ] || [ -z "$BRIDGE" ]; then
echo "This is script will create a bridge with the provided lan/wan interfaces."
echo "Usage:"
echo "$0 -l
INTERNAL CONFIGURATION
########################## NFQUEUE_NUM="0" ################
SYSTEM SETUP
################
ENABLE iptables over bridging
modprobe br_netfilter
Allow layer-2 bridge to do an upcall to iptables (as well as arptables or ip6tables) and have filtering travel from layer-2 (bridged frames) through layer 3
sysctl -w net.bridge.bridge-nf-call-iptables=1 > /dev/null
if [ "${ENABLE_OFFLOAD_MARKED_PACKETS}" = true ] ; then # Enable connection tracking in the kernel modprobe nf_conntrack # Enable accounting of conntrack entries sysctl -w net.netfilter.nf_conntrack_acct=1 > /dev/null # Reset all markers in the kernel connection table conntrack -U --mark 0 > /dev/null 2>&1 fi ##########
BRIDGE
##########
CREATE THE BRIDGE INTERFACE
Bridge creation
ip link delete ${BRIDGE} type bridge 2> /dev/null ip link add name ${BRIDGE} type bridge
Setup the bridge and bridged interfaces
ip link set ${BRIDGE} up ip link set ${LAN} up ip link set ${WAN} up
Associate the bridge with its bridged interfaces
ip link set ${LAN} master ${BRIDGE} ip link set ${WAN} master ${BRIDGE} ############
IPTABLES
############
CLEANUP ALL IPTABLES RULES
Set the default policies for each of the built-in chains
iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT
Flush all chains and tables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
if [ "${ENABLE_OFFLOAD_MARKED_PACKETS}" = true ] ; then
# SAVE THE PACKET MARK INTO THE CONNECTION (SO IT CAN BE RESTORED FOR NEWLY ARRIVING PACKETS)
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
# READ THE MARK PREVIOUSLY SAVED INTO THE CONNECTION AND PUT IT BACK INTO THE PACKET OF THE CONNECTION
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
# Marked packets with mark 2 are dropped
iptables -t mangle -A PREROUTING -m mark --mark ${MARK_DROP} -j DROP
# Marked packets leave the chain
iptables -t mangle -A FORWARD -m mark ! --mark 0 -j RETURN
-m comment --comment "Marked packets leave the chain and don't go to userspace via NFQUEUE"
fi
iptables -t mangle -A FORWARD -j NFQUEUE --queue-num ${NFQUEUE_NUM} --queue-bypass -m physdev --physdev-in ${LAN}
iptables -t mangle -A FORWARD -j NFQUEUE --queue-num ${NFQUEUE_NUM} --queue-bypass -m physdev --physdev-in ${WAN}
Print some info
bridge link show ${BRIDGE}
brctl showstp ${BRIDGE} # Make sure port state is 'forwarding'
iptables -nvL -t @.***:/home/mor#
- About ifconfig: This is our topology: @.***
We are using vlans as bridge interfaces between the ens ports for each service. Vlan 600 is our internet connectivity. As I mentions last time we tried to add host rules to block fqdn (this should be traffic over vlan 600).
This is the ifconfig:
TAMARES_600: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::4a8:e4ff:fe99:bb5f prefixlen 64 scopeid 0x20 ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 92595049 bytes 37637278805 (37.6 GB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 96041 bytes 7786182 (7.7 MB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
aws-403: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::90a2:1aff:fe71:71cf prefixlen 64 scopeid 0x20 ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 14163306 bytes 1273023744 (1.2 GB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 7446 bytes 521404 (521.4 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
azure-back-402: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::a4ef:27ff:fe4d:35a4 prefixlen 64 scopeid 0x20 ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 13511854 bytes 675501820 (675.5 MB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 7446 bytes 521404 (521.4 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
azure-prim-401: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::acb3:98ff:fe59:5542 prefixlen 64 scopeid 0x20 ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 13860555 bytes 917170413 (917.1 MB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 7443 bytes 521234 (521.2 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
br1t2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::e51c:1d50:e2ef:2873 prefixlen 64 scopeid 0x20 ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 7900164 bytes 387970945 (387.9 MB) RX errors 0 dropped 24 overruns 0 frame 0 TX packets 22 bytes 2244 (2.2 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eno1: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 ether 94:18:82:0b:67:80 txqueuelen 1000 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 device interrupt 16
eno2: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 ether 94:18:82:0b:67:81 txqueuelen 1000 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 device interrupt 17
eno3: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 ether 94:18:82:0b:67:82 txqueuelen 1000 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 device interrupt 16
eno4: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 ether 94:18:82:0b:67:83 txqueuelen 1000 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 device interrupt 17
ens1f0np0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 1267758117379 bytes 1536660425083037 (1.5 PB) RX errors 0 dropped 27334105 overruns 0 frame 0 TX packets 783085282004 bytes 464679067232196 (464.6 TB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens1f0np0.401: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::f603:43ff:fed8:7a50 prefixlen 64 scopeid 0x20 ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 44656828764 bytes 34028535111277 (34.0 TB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 22815907673 bytes 28693053963595 (28.6 TB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens1f0np0.402: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::f603:43ff:fed8:7a50 prefixlen 64 scopeid 0x20 ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 13516806 bytes 675884406 (675.8 MB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 14884 bytes 1042140 (1.0 MB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens1f0np0.403: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::f603:43ff:fed8:7a50 prefixlen 64 scopeid 0x20 ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 72940465191 bytes 27186040381428 (27.1 TB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 145303501264 bytes 176731986950479 (176.7 TB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens1f0np0.404: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::f603:43ff:fed8:7a50 prefixlen 64 scopeid 0x20 ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 15087334 bytes 774069834 (774.0 MB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 14880 bytes 1041892 (1.0 MB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens1f0np0.406: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 13521243 bytes 676092306 (676.0 MB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 7446 bytes 521384 (521.3 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens1f0np0.408: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 11398038419 bytes 506271986241 (506.2 GB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 27626847039 bytes 41487607488582 (41.4 TB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens1f0np0.600: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::f603:43ff:fed8:7a50 prefixlen 64 scopeid 0x20 ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 1135932218453 bytes 1448711968099839 (1.4 PB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 586068407863 bytes 213945418671093 (213.9 TB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens1f1np1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.10.13 netmask 255.255.252.0 broadcast 192.168.11.255 inet6 fe80::f603:43ff:fed8:7a58 prefixlen 64 scopeid 0x20 ether f4:03:43:d8:7a:58 txqueuelen 1000 (Ethernet) RX packets 353970511 bytes 70137039035 (70.1 GB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 563968158 bytes 696543352948 (696.5 GB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens2f0np0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 ether f4:03:43:d8:f2:30 txqueuelen 1000 (Ethernet) RX packets 783332135114 bytes 465446516160501 (465.4 TB) RX errors 0 dropped 911132 overruns 0 frame 0 TX packets 1267232627710 bytes 1536097613825717 (1.5 PB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens2f0np0.401: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::f603:43ff:fed8:f230 prefixlen 64 scopeid 0x20 ether f4:03:43:d8:f2:30 txqueuelen 1000 (Ethernet) RX packets 22816942335 bytes 28377657356299 (28.3 TB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 44655818508 bytes 34642010346556 (34.6 TB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens2f0np0.402: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::f603:43ff:fed8:f230 prefixlen 64 scopeid 0x20 ether f4:03:43:d8:f2:30 txqueuelen 1000 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 13531570 bytes 866148832 (866.1 MB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens2f0np0.403: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::f603:43ff:fed8:f230 prefixlen 64 scopeid 0x20 ether f4:03:43:d8:f2:30 txqueuelen 1000 (Ethernet) RX packets 145304482217 bytes 174722511816391 (174.7 TB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 72938982162 bytes 28138135521055 (28.1 TB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens2f0np0.404: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 ether f4:03:43:d8:f2:30 txqueuelen 1000 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 15094659 bytes 985804255 (985.8 MB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens2f0np0.406: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 ether f4:03:43:d8:f2:30 txqueuelen 1000 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 13528683 bytes 865909647 (865.9 MB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens2f0np0.408: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 ether f4:03:43:d8:f2:30 txqueuelen 1000 (Ethernet) RX packets 27626839596 bytes 41100854986955 (41.1 TB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 11398045863 bytes 644629342656 (644.6 GB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens2f0np0.600: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::f603:43ff:fed8:f230 prefixlen 64 scopeid 0x20 ether f4:03:43:d8:f2:30 txqueuelen 1000 (Ethernet) RX packets 586312422940 bytes 206474521394432 (206.4 TB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 1135436740879 bytes 1464155818092789 (1.4 PB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens2f1np1: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 ether f4:03:43:d8:f2:38 txqueuelen 1000 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
maytronics_408: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500 inet6 fe80::8088:53ff:fe7f:217a prefixlen 64 scopeid 0x20 ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 39024877585 bytes 41585887487364 (41.5 TB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 7445 bytes 521374 (521.3 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
zerto_ep_404: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500 inet6 fe80::2831:50ff:fe84:8522 prefixlen 64 scopeid 0x20 ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 15087311 bytes 774067578 (774.0 MB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 7446 bytes 521444 (521.4 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
zerto_ep_406: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500 inet6 fe80::1ce1:4cff:feb3:958d prefixlen 64 scopeid 0x20 ether f4:03:43:d8:7a:50 txqueuelen 1000 (Ethernet) RX packets 13521243 bytes 676091246 (676.0 MB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 7449 bytes 521654 (521.6 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Please update if you need more information.
Br,
Dima Lev.
From: Luca Deri @.> Date: Tuesday, 28 November 2023 at 9:54 To: ntop/nProbe @.> Cc: Dima Lev @.>, Mention @.> Subject: Re: [ntop/nProbe] nProbe IPS: block traffic by FQDN (Issue #587)
Can you please try again as see no netfilter configuration (please also add the ifconfig configuration and explain what interface does what)
— Reply to this email directly, view it on GitHubhttps://github.com/ntop/nProbe/issues/587#issuecomment-1829281493, or unsubscribehttps://github.com/notifications/unsubscribe-auth/BDX7YASJMIRIP2WLYGSNNK3YGWKCFAVCNFSM6AAAAAA7JBPN7CVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRZGI4DCNBZGM. You are receiving this because you were mentioned.Message ID: @.***> זהירות: מקור הדואל הזה הוא מחוץ למטריקס. חל איסור ללחוץ על קישורים או לפתוח קבצים מצורפים אלא אם כן השולח מוכר והתוכן בטוח Caution: The source of this email is from outside Matrix. it is forbidden to click on links or open attachments unless you recognize the sender and know the content is safe.
ntopng seems to propagate the policy to nProbe as expected:
{"policy":{"id":3,"default_marker":"pass","markers":{"continents":[],"categories":[],"countries":[],"hostnames":{"test.com":"drop"},"protocols":[]},"name":"Pool 2 rules","flow_risk":{"marker":"drop","bitmap":0},"root":0}}
we need to check on the nProbe side if this is honoured
@cardigliano I know this is an old issue, so maybe this is already known.
It appears the output you put has improper nesting when compared to the documentation. The "hostnames" is outside of "markers" in the documentation. Maybe ntopng is pushing the policy to nprobe incorrectly. This worked for me once I moved that, though I noticed the matches are explicit (e.g. google.com would only block google.com, and not www.google.com; wildcards didn't work).
@l0crian1 hostnames should be inside markers, we just released an update that fixes this. As of the wildcards, they are not currently supported for hosts defined under "hostnames" (they are supported when using the protos or categories definitions), however we are working for supporting them, I will update the issue once ready.
Thanks @cardigliano! Quick question on both methods for host filter (definitions and rules syntax), is it just blocking DNS requests with those (sub)domains, or will it also block on the CN in a certificate?
It detects the hostname from any supported protocol, it includes DNS, HTTP, TLS CN