I am running an iptables firewall on OpenSuSE 11.3 –recently I became interested in traffic monitoring and accounting, and to this end installed iptables_netflow module on the firewall and WANGuard Platform on another server. The iptables_netflow module is built and installed and aggregating data; I can see the statistics change in /proc/slabinfo and /proc/net/stat/ipt_netflow. WANGuard is configured and working, as I had the WANGuard exporting netflow data into it for awhile to make sure it worked. However, I cannot get the netflow export from the firewall to the WANGuard server. Could my iptables configuration be blocking it? iptables_netflow exports on UDP port 2055. Output of iptables -L -n (on the firewall)
Chain INPUT (policy ACCEPT)
target prot opt source destination
NETFLOW all -- 0.0.0.0/0 0.0.0.0/0 NETFLOW
FW-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
NETFLOW all -- 0.0.0.0/0 0.0.0.0/0 NETFLOW
ACCEPT all -- 192.168.3.0/24 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
NETFLOW all -- 0.0.0.0/0 0.0.0.0/0 NETFLOW
Chain FW-1-INPUT (1 references)
target prot opt source destination
NETFLOW all -- 0.0.0.0/0 0.0.0.0/0 NETFLOW
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 192.168.3.0/24 0.0.0.0/0 udp dpt:161
ACCEPT tcp -- 192.168.3.0/24 0.0.0.0/0 tcp dpt:161
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7788
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:694
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:68
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
ACCEPT tcp -- xx.xx.xx.xx 0.0.0.0/0 tcp dpt:5666
ACCEPT tcp -- xx.xx.xx.xx 0.0.0.0/0 tcp dpt:5666
ACCEPT udp -- xx.xx.xx.xx 0.0.0.0/0 udp dpt:123
ACCEPT udp -- xx.xx.xx.xx 0.0.0.0/0 udp dpt:123
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp multiport dports 4569,5060
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp multiport dports 4569,5060
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
I tried several rules in the OUTPUT table specifying the source/destination host & ports, but had no luck.
There are no iptables rules in place on the WANGuard server.
Using tcpdump on the firewall and grep'ing for the IP of the WANGuard server yields
openvpn01:/home/gjones # tcpdump -i eth0 |grep 192.168.3.194
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:27:57.103687 IP openvpn01.dev.59531 > 192.168.3.194.iop: UDP, length 1464
13:27:57.302686 IP openvpn01.dev.59531 > 192.168.3.194.iop: UDP, length 1464
13:27:57.802683 IP openvpn01.dev.59531 > 192.168.3.194.iop: UDP, length 1464
13:27:58.503707 IP openvpn01.dev.59531 > 192.168.3.194.iop: UDP, length 1464
13:27:59.103688 IP openvpn01.dev.59531 > 192.168.3.194.iop: UDP, length 1464
On the firewall I run "netstat -na" and look for "2055" (the netflow destination port)
udp 0 0 192.168.3.112:59531 192.168.3.194:2055 ESTABLISHED
On the WANGuard server, I do the same:
# netstat -na |grep 2055
udp 0 0 192.168.3.194:51139 192.168.3.194:2055 ESTABLISHED
udp 0 0 192.168.3.194:2055 0.0.0.0:*
Per request of Gaumire, here is also "netstat -uan"
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 192.168.3.194:51139 192.168.3.194:2055 ESTABLISHED
udp 0 0 192.168.3.194:2055 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*
udp 0 0 192.168.3.194:123 0.0.0.0:*
udp 0 0 127.0.0.2:123 0.0.0.0:*
udp 0 0 127.0.0.1:123 0.0.0.0:*
udp 0 0 0.0.0.0:123 0.0.0.0:*
udp 0 0 0.0.0.0:161 0.0.0.0:*
udp 0 0 0.0.0.0:631 0.0.0.0:*
udp 0 0 0.0.0.0:851 0.0.0.0:*
udp 0 0 :::111 :::*
udp 0 0 ::1:123 :::*
udp 0 0 fe80::2a0:d1ff:fee1:123 :::*
udp 0 0 :::123 :::*
udp 0 0 :::851 :::*
Note that I have also configured a netflow exporter on the WANGuard server, which seems to work (I get data in WANGuard).
Checking the logs for WANGuard I see the error "Unexpected PDU: src_ip=192.168.3.112 not configured" Google does not turn up anything that I could find.
Can someone help me to figure out where the error lies?
Thanks,
Kendall
Best Answer
Is there anything between the openvpn01.dev and the host 192.168.3.194 a firewall or some such device may be ?? A diagram would help. If the iptables output is of your wanguard server Your policies are set to ACCEPT so they should not have been the issue.
Is the service that you mentioned running on the server. Please issue the below command as root.