ipt-netflow-2.3/2.5.1 for OpenWrt 18.06.1/18.06.2/19.07.2/19.07.3!

Some people were asking about a compiled version of ipt-netflow for OpenWrt, so here it is: a compiled version of ipt-netflow 2.3 for OpenWrt 18.06.1/18.06.2/19.07.2/19.07.3 (click here).

To install and use ipt-netflow-2.5 on your router you have to download 3 files from my site. For example, for the ath79-generic architecture you have to download these 3 files:

19.07.2/ath79-generic/iptables-mod-netflow_2.5-2_mips_24kc.ipk
19.07.2/ath79-generic/kmod-ipt-netflow_4.14.171+2.5-2_mips_24kc.ipk
19.07.2/ath79-generic/nfdump_1.6.18-2_mips_24kc.ipk

These files are of course intended for the stable version of OpenWrt 19.07.2.
To install them, download them to your local disk and transfer them to your router using scp. On Windows you can do this with WinSCP: in the connection window, select SCP instead of SFTP from the combo box.

Then log in to your router over ssh (PuTTY on Windows) as root and execute the following commands inside the directory where you uploaded the ipk files:

opkg update
opkg install libbz2
opkg install musl-fts
opkg install iptables-mod-netflow_2.5-2_mips_24kc.ipk
opkg install kmod-ipt-netflow_4.14.171+2.5-2_mips_24kc.ipk
opkg install nfdump_1.6.18-2_mips_24kc.ipk

Unfortunately ipt-netflow does not work out of the box and requires additional steps to verify and run. The ipk files install the libraries in the wrong directory, /usr/lib/x86_64-linux-gnu/xtables, so we have to create two symbolic links using the following commands:

ln -s /usr/lib/x86_64-linux-gnu/xtables/libip6t_NETFLOW.so /usr/lib/iptables/libip6t_NETFLOW.so
ln -s /usr/lib/x86_64-linux-gnu/xtables/libipt_NETFLOW.so /usr/lib/iptables/libipt_NETFLOW.so

After these operations the iptables command should be ready to work with the ipt-netflow kernel module. To enable netflow logging on the router, execute the following commands:

iptables -I INPUT 1 -j NETFLOW
iptables -I OUTPUT 1 -j NETFLOW
iptables -I FORWARD 1 -j NETFLOW

These commands configure the ipt-netflow kernel module to send statistics to UDP port 2055 on localhost, but we do not yet have a netflow collector running on the router. At this point we need nfdump and its nfcapd daemon, so we need to execute the following:

nfcapd -P /root/nfcapd.pid -D -z -w -S 2 -l /root -p 2055

This will start the nfcapd daemon on port 2055 and store statistics inside the /root directory, so this setup should be used only for testing. To verify what was collected inside the /root directory we have to run nfdump. I wrote this post on 2020-05-05 at 20:10, so nfcapd created the following directory structure:

/root/2020/05/05/20

and inside this folder I can find the following file:

nfcapd.202005052000

To verify what is in this file we have to execute the following command:

nfdump -r nfcapd.202005052000 -o extended

It is important to highlight that nfdump does not capture all network traffic, only aggregated information about connections, so it can be used on a router with heavy network traffic without generating much output in the nfcapd files. If you plug a USB pen drive into your router, mount it somewhere in the file system and point nfcapd at that mounted directory, you will have Cisco-like, high-quality logs for free.
Please remember to reboot your router after you test ipt-netflow according to these instructions, because 8MB or 32MB of internal router memory is not suitable for storing network logs, whereas a 16GB USB pen drive, for example, will be sufficient for a few years of heavy network traffic. After a reboot, ipt-netflow logging and the nfcapd daemon will be turned off.

Warning: version 2.5 of ipt-netflow has a serious bug!

An attacker from the internet can cause a deadlock in the kernel that hangs the router, so please do not use version 2.5 and upgrade to 2.5.1 immediately for your own safety.
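
A post-install check for the router, added here as an example and not part of the original post: it flags the affected 2.5 package and lists which of the INPUT, OUTPUT and FORWARD chains have no NETFLOW rule. It assumes that opkg list-installed prints "name - version" and that the kmod version has the form <kernel>+<module>-<release>, as in the file names above; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: post-install check for ipt-netflow on OpenWrt.

# Extract the ipt-netflow version from one `opkg list-installed` line, e.g.
#   "kmod-ipt-netflow - 4.14.171+2.5-2"  ->  "2.5"
# Assumes the "name - version" format and "<kernel>+<module>-<release>".
netflow_version() {
    ver=${1##* - }   # drop "name - "
    ver=${ver##*+}   # drop the "<kernel>+" prefix of kmod packages
    ver=${ver%-*}    # drop the "-<release>" suffix
    printf '%s\n' "$ver"
}

# Succeeds only for the release the post warns about (exactly 2.5).
is_vulnerable() {
    [ "$(netflow_version "$1")" = "2.5" ]
}

# Given `iptables -S` output, print the chains that lack a NETFLOW rule.
missing_chains() {
    missing=""
    for chain in INPUT OUTPUT FORWARD; do
        printf '%s\n' "$1" | grep -q "^-A $chain .*-j NETFLOW" ||
            missing="$missing $chain"
    done
    printf '%s\n' "${missing# }"
}

# Run the live checks only where opkg exists (i.e. on the router itself).
if command -v opkg >/dev/null 2>&1; then
    line=$(opkg list-installed | grep '^kmod-ipt-netflow - ')
    if [ -z "$line" ]; then
        echo "kmod-ipt-netflow is not installed"
    elif is_vulnerable "$line"; then
        echo "WARNING: ipt-netflow 2.5 installed, upgrade to 2.5.1"
    else
        echo "ipt-netflow version: $(netflow_version "$line")"
    fi
    echo "chains without NETFLOW rule: $(missing_chains "$(iptables -S)")"
fi
```

An empty list after "chains without NETFLOW rule:" means all three rules were inserted.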