
I am running an iptables firewall on OpenSuSE 11.3. Recently I became interested in traffic monitoring and accounting, and to this end installed the iptables_netflow module on the firewall and WANGuard Platform on another server. The iptables_netflow module is built and installed and aggregating data; I can see the statistics change in /proc/slabinfo and /proc/net/stat/ipt_netflow. WANGuard is configured and working, as I had WANGuard exporting netflow data into it for a while to make sure it worked. However, I cannot get the netflow export from the firewall to the WANGuard server. Could my iptables configuration be blocking it? iptables_netflow exports on UDP port 2055. Output of iptables -L -n (on the firewall):

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
NETFLOW    all  --  0.0.0.0/0            0.0.0.0/0           NETFLOW 
FW-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
NETFLOW    all  --  0.0.0.0/0            0.0.0.0/0           NETFLOW 
ACCEPT     all  --  192.168.3.0/24       0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
NETFLOW    all  --  0.0.0.0/0            0.0.0.0/0           NETFLOW 

Chain FW-1-INPUT (1 references)
target     prot opt source               destination         
NETFLOW    all  --  0.0.0.0/0            0.0.0.0/0           NETFLOW 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  192.168.3.0/24       0.0.0.0/0           udp dpt:161 
ACCEPT     tcp  --  192.168.3.0/24       0.0.0.0/0           tcp dpt:161 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:7788 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:694 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:68 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:1194 
ACCEPT     tcp  --  xx.xx.xx.xx        0.0.0.0/0           tcp dpt:5666 
ACCEPT     tcp  --  xx.xx.xx.xx        0.0.0.0/0           tcp dpt:5666 
ACCEPT     udp  --  xx.xx.xx.xx        0.0.0.0/0           udp dpt:123 
ACCEPT     udp  --  xx.xx.xx.xx        0.0.0.0/0           udp dpt:123 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp multiport dports 4569,5060 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp multiport dports 4569,5060 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

I tried several rules in the OUTPUT table specifying the source/destination host & ports, but had no luck.

There are no iptables rules in place on the WANGuard server.

Using tcpdump on the firewall and grep'ing for the IP of the WANGuard server yields

openvpn01:/home/gjones # tcpdump -i eth0 |grep 192.168.3.194
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:27:57.103687 IP openvpn01.dev.59531 > 192.168.3.194.iop: UDP, length 1464
13:27:57.302686 IP openvpn01.dev.59531 > 192.168.3.194.iop: UDP, length 1464
13:27:57.802683 IP openvpn01.dev.59531 > 192.168.3.194.iop: UDP, length 1464
13:27:58.503707 IP openvpn01.dev.59531 > 192.168.3.194.iop: UDP, length 1464
13:27:59.103688 IP openvpn01.dev.59531 > 192.168.3.194.iop: UDP, length 1464

On the firewall I run "netstat -na" and look for "2055" (the netflow destination port)

udp        0      0 192.168.3.112:59531     192.168.3.194:2055      ESTABLISHED

On the WANGuard server, I do the same:

# netstat -na |grep 2055
udp        0      0 192.168.3.194:51139     192.168.3.194:2055      ESTABLISHED 
udp        0      0 192.168.3.194:2055      0.0.0.0:*

Per request of Gaumire, here is also "netstat -uan"

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
udp        0      0 192.168.3.194:51139     192.168.3.194:2055      ESTABLISHED 
udp        0      0 192.168.3.194:2055      0.0.0.0:*                           
udp        0      0 0.0.0.0:111             0.0.0.0:*                           
udp        0      0 192.168.3.194:123       0.0.0.0:*                           
udp        0      0 127.0.0.2:123           0.0.0.0:*                           
udp        0      0 127.0.0.1:123           0.0.0.0:*                           
udp        0      0 0.0.0.0:123             0.0.0.0:*                           
udp        0      0 0.0.0.0:161             0.0.0.0:*                           
udp        0      0 0.0.0.0:631             0.0.0.0:*                           
udp        0      0 0.0.0.0:851             0.0.0.0:*                           
udp        0      0 :::111                  :::*                                
udp        0      0 ::1:123                 :::*                                
udp        0      0 fe80::2a0:d1ff:fee1:123 :::*                                
udp        0      0 :::123                  :::*                                
udp        0      0 :::851                  :::*

Note that I have also configured a netflow exporter on the WANGuard server, which seems to work (I get data in WANGuard).

Checking the logs for WANGuard I see the error "Unexpected PDU: src_ip=192.168.3.112 not configured" Google does not turn up anything that I could find.

Can someone help me to figure out where the error lies?

Thanks,

Kendall

Kendall
  • `iptables -L -n` is messy crap useful only for cluttering one's brain. Learn to use `iptables -S` or `iptables-save` instead. The latter is better since it shows the whole ruleset at once. – poige Sep 10 '14 at 20:35

2 Answers


Is there anything between openvpn01.dev and the host 192.168.3.194, a firewall or some such device maybe? A diagram would help. If the iptables output is from your WANGuard server, your policies are set to ACCEPT, so they should not have been the issue.

Is the service that you mentioned running on the server? Please issue the below command as root.

#netstat -tupan | grep 'LIST\|*'
Gaumire
  • The only thing between openvpn01 and 192.168.3.194 is a network switch, no other firewalls or anything like that. The only firewall is on the openvpn01 server (whose ruleset is posted above). I updated the post to say the same, but there are no iptables rules in place on the WANGuard server. – Kendall Nov 02 '11 at 16:47
  • Also, I ran the netstat command you mentioned, but there was nothing that showed up on port 2055. However, "netstat -na" yields: udp 0 0 192.168.3.112:59531 192.168.3.194:2055 ESTABLISHED – Kendall Nov 02 '11 at 16:54
  • please post a ' netstat -uan | grep \* ' on the server 192.168.3.194 . 3.194 is your wanguard server if I am correct. – Gaumire Nov 02 '11 at 17:08
  • Yes, you are correct: 192.168.3.194 is the WANGuard server. I have updated the question with the output of "netstat -uan". Thanks. – Kendall Nov 02 '11 at 17:23
  • I don't see the service running on the WANGuard server, please make sure the service has started successfully; I don't see any service running on port 2055 on the WANGuard server. And that is why you are getting that ICMP udp port unreachable message in your tcpdump. – Gaumire Nov 02 '11 at 17:38
  • Please see the revised post, some information has changed (notably the output of "netstat" on the WANGuard server, and the output of "tcpdump"). – Kendall Nov 02 '11 at 18:30
  • Yes, I do see the service has now started on the WANGuard server and that your firewall is now sending flows to WANGuard; however, the version of netflow that WANGuard is configured to receive is probably different from the one that iptables is sending out. You would need to set the exporter IP and the netflow protocol on WANGuard. – Gaumire Nov 03 '11 at 03:14
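Two things in the thread can be checked directly from the packets rather than from the collector's logs: which NetFlow version the firewall is actually sending, and whether the collector's "src_ip ... not configured" refusal is an exporter-address problem or a version problem. The "UDP, length 1464" in the tcpdump above is exactly 24 + 30 × 48 bytes, the size of a full 30-record NetFlow v5 PDU, which is consistent with a v5 exporter. The decoder below is an added example, not code from the thread, from ipt_NETFLOW or from WANGuard; it reads the v5/v9 headers as specified by Cisco, checks the v5 datagram length against the record count, and models the collector's admission check. The `admit()` function is an assumption about collector behaviour based only on the error text quoted in the question; the sample PDU and addresses are constructed, not captured.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 header (24 bytes) and flow record (48 bytes), network byte order.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
# NetFlow v9 packet header (20 bytes); template/data FlowSets follow it.
V9_HEADER = struct.Struct("!HHIIII")


def v5_pdu_length(count):
    """Wire size of a NetFlow v5 PDU carrying `count` flow records."""
    return V5_HEADER.size + count * V5_RECORD.size


def decode(payload):
    """Decode the header (and, for v5, the records) of one export datagram.

    Returns a dict with at least 'version' and 'count'; raises ValueError when
    the payload is truncated, inconsistent, or of a version not handled here."""
    if len(payload) < 2:
        raise ValueError("too short to carry a NetFlow version field")
    version = struct.unpack_from("!H", payload)[0]
    if version == 5:
        if len(payload) < V5_HEADER.size:
            raise ValueError("truncated NetFlow v5 header")
        _, count, _uptime, _secs, _nsecs, seq, _etype, _eid, _sampling = \
            V5_HEADER.unpack_from(payload)
        if len(payload) != v5_pdu_length(count):
            raise ValueError(f"v5 header announces {count} records "
                             f"({v5_pdu_length(count)} bytes) but datagram is "
                             f"{len(payload)} bytes")
        records = []
        for i in range(count):
            f = V5_RECORD.unpack_from(payload, V5_HEADER.size + i * V5_RECORD.size)
            records.append({
                "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                "packets": f[5], "bytes": f[6],
                "sport": f[9], "dport": f[10], "proto": f[13],
            })
        return {"version": 5, "count": count, "sequence": seq, "records": records}
    if version == 9:
        if len(payload) < V9_HEADER.size:
            raise ValueError("truncated NetFlow v9 header")
        _, count, _uptime, _secs, seq, source_id = V9_HEADER.unpack_from(payload)
        return {"version": 9, "count": count, "sequence": seq, "source_id": source_id}
    raise ValueError(f"NetFlow version {version} not handled here")


def is_malformed(payload):
    """True when decode() rejects the payload."""
    try:
        decode(payload)
    except ValueError:
        return True
    return False


def admit(src_ip, payload, exporters):
    """Model of a collector's admission check (an assumption about WANGuard,
    based only on its error text): the source address must be a configured
    exporter, and the PDU version must match that exporter's setting.
    `exporters` maps exporter IP -> NetFlow version it is configured for."""
    if src_ip not in exporters:
        return f"src_ip={src_ip} not configured"
    pdu = decode(payload)
    if pdu["version"] != exporters[src_ip]:
        return f"version {pdu['version']} from {src_ip}, collector expects {exporters[src_ip]}"
    return "ok"


def build_v5_sample():
    """Constructed two-record v5 PDU (not a capture from the thread)."""
    def rec(src, dst, sport, dport, proto, pkts, octets):
        return V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                              b"\x00" * 4, 1, 2, pkts, octets, 1000, 2000,
                              sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
    header = V5_HEADER.pack(5, 2, 123456, 1320254877, 0, 42, 0, 0, 0)
    return (header
            + rec("192.168.3.10", "10.0.0.5", 51234, 443, 6, 12, 3456)
            + rec("192.168.3.20", "192.168.3.194", 51139, 2055, 17, 1, 1464))


def build_v9_sample():
    """Constructed v9 header with no FlowSets (enough to read the version)."""
    return V9_HEADER.pack(9, 0, 123456, 1320254877, 7, 0)


if __name__ == "__main__":
    sample = build_v5_sample()
    print(decode(sample))
    print("30-record v5 PDU is", v5_pdu_length(30), "bytes")
    print(admit("192.168.3.112", sample, {"192.168.3.194": 5}))
```

To apply this to live traffic, feed `decode()` the UDP payload of one datagram captured on the collector (for example the data portion of a `tcpdump -ni eth0 -X udp port 2055` packet, or a packet read from a pcap); a datagram whose length does not match `v5_pdu_length(count)` is not a v5 PDU, and the version field alone tells you what the collector must be configured for.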

To check whether the iptables configuration is blocking it, it is generally advisable to temporarily disable iptables (except for the NETFLOW rules, of course). Also check dmesg, as there may be important kernel/module messages. Older versions of the NETFLOW module need the sysctl net.netflow.destination set after the interfaces are UP. Try setting the destination manually to check for that. Or try the latest version of the module from the git repo (not from the tar.gz). Check the module statistics with cat /proc/net/stat/ipt_netflow for dropped flows or socket errors.

catpnosis