NETFILTERD

netfilterd is a GNU/Linux daemon designed to listen on an iptables NFQUEUE with the aim of deciding in userspace whether a packet should be accepted or rejected in the current rule chain.

A list of IP addresses (/var/cache/netfilterd/drop_ips) is created by an external agent that scans logs (mail, DNS etc.) looking for spurious activity. The IP addresses found by the agent are then stored in the drop list.

netfilterd reads the drop list when it starts and then again whenever it receives a HUP signal. A cron job can periodically send a HUP to netfilterd to cause it to reload the list.

The addresses are (optionally) modified by a network mask, on the assumption that if there is one 'bad' host on a network, then there are probably many others. The length of the network mask can be set at netfilterd startup.

When netfilterd receives a packet from iptables, it will inspect the source and destination addresses of the packet. If the packet is inbound on the interface, the source address is checked and the packet will be dropped if it is in the set of 'bad' networks. Conversely, for outgoing packets, the destination ip address is checked.

All of this could be done directly in iptables rules with no need for an NFQUEUE target if there were only a few bad addresses/networks to consider. However, if we wish to target more specific networks, then there are potentially thousands of entries in the rule set, taking many minutes to load each time a new set is added. netfilterd provides a simple solution for this, loading 6000 networks in less than 1 second.
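The decision logic described above (read the drop list, collapse each address to its network under a configurable mask, then judge inbound packets by source and outbound packets by destination) is small enough to show in full. The following is an added illustration in Python, not netfilterd's own code: the NFQUEUE plumbing is left out, the drop list is a constructed sample embedded inline, and the names (load_drop_networks, verdict, DropList) are this example's own. Masking every listed address to its network and storing the result in a set is what keeps lookups constant-time however long the list grows, which is the property the paragraph above is after.

```python
import ipaddress
import signal
from typing import Callable, Set

# Constructed sample of a drop list in the one-address-per-line shape the
# description gives for /var/cache/netfilterd/drop_ips.  Embedded here so the
# example runs offline; the junk line shows the loader tolerating bad input.
SAMPLE_DROP_IPS = """\
# addresses flagged by the log-scanning agent (constructed sample)
192.0.2.17
198.51.100.200
203.0.113.5
203.0.113.77
bogus-line
"""


def _network_of(addr, prefix_len: int) -> int:
    """Network number of addr under a /prefix_len mask, as an int for set lookup."""
    net = ipaddress.IPv4Network((addr, prefix_len), strict=False)
    return int(net.network_address)


def load_drop_networks(text: str, prefix_len: int = 24) -> Set[int]:
    """Parse a drop list and return the set of masked networks.

    Addresses that fall on the same network collapse into one entry, so the
    set stays small and membership tests are O(1) regardless of list length.
    Malformed lines are skipped rather than aborting the reload.
    """
    networks: Set[int] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            addr = ipaddress.IPv4Address(line)
        except ipaddress.AddressValueError:
            continue
        networks.add(_network_of(addr, prefix_len))
    return networks


def verdict(networks: Set[int], src: str, dst: str, inbound: bool,
            prefix_len: int = 24) -> str:
    """Apply the direction rule: inbound packets are judged by source address,
    outbound packets by destination.  Returns "DROP" or "ACCEPT"."""
    checked = src if inbound else dst
    return "DROP" if _network_of(checked, prefix_len) in networks else "ACCEPT"


class DropList:
    """Holds the current network set and reloads it on demand (e.g. on SIGHUP).

    `read` is injectable so the class can be exercised without touching disk;
    the default reads the real file at `path`.
    """

    def __init__(self, path: str, prefix_len: int = 24,
                 read: Callable[[str], str] = None):
        self.path = path
        self.prefix_len = prefix_len
        self._read = read or (lambda p: open(p, encoding="utf-8").read())
        self.networks: Set[int] = set()
        self.reload()

    def reload(self, *_signal_args) -> int:
        """Re-read the list; signature also fits signal.signal's handler."""
        self.networks = load_drop_networks(self._read(self.path), self.prefix_len)
        return len(self.networks)

    def install_hup_handler(self) -> None:
        """Make a HUP from cron (or an operator) trigger a reload, as netfilterd does."""
        signal.signal(signal.SIGHUP, self.reload)

    def decide(self, src: str, dst: str, inbound: bool) -> str:
        return verdict(self.networks, src, dst, inbound, self.prefix_len)


if __name__ == "__main__":
    dl = DropList("/var/cache/netfilterd/drop_ips", prefix_len=24,
                  read=lambda _p: SAMPLE_DROP_IPS)
    print(len(dl.networks), "networks loaded")
    print(dl.decide("203.0.113.99", "192.0.2.1", inbound=True))    # DROP
    print(dl.decide("10.0.0.9", "198.51.100.1", inbound=False))    # DROP
    print(dl.decide("198.51.100.1", "10.0.0.9", inbound=False))    # ACCEPT
```

With a /24 mask the four listed hosts collapse to three networks, and a never-listed host such as 203.0.113.99 is still dropped because its neighbour 203.0.113.5 was; widening the mask widens that collateral effect, which is the false-positive trade-off the page warns about further down.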

There is of course a penalty - all traffic on the monitored interface is routed to userspace, with associated overheads in context switching. Performance on high capacity networks has not been tested.

There is always the danger of false positives in identifying malicious network behaviour. netfilterd makes no allowances for this, and it is up to the external agent to decide what is good and what is not when it scans logs.

If you install this software, I hope it is helpful to you. Please let me know of any bugs, anomalous behavior or improvements you would like to see in the software.

netfilterd is free software, made available under the GPLv3 software license and is copyright to Bryan Christianson.

Bryan Christianson (bryan at whatroute.net)
July 2009

Download

10 August 2009  netfilterd-1.0.1.tar.gz
27 July 2009    netfilterd-1.0.0.tar.gz

Changelog

netfilterd-1.0.1
  • Terminate when TERM and HUP signals are received.
  • Sleep 2 seconds and retry when an error is received reading a packet.
netfilterd-1.0.0
  • First release.