From 1ccb32694cb678b1b5d127dbc37425b8c9b57d45 Mon Sep 17 00:00:00 2001
From: bert hubert
Date: Tue, 23 Aug 2022 10:25:40 +0200
Subject: [PATCH] and docs for better setup
---
.gitignore | 1 +
README.md | 47 ++++++++++++++++++++++++++++++++++++-----------
ipset-setup.sh | 24 ++++++++++++++++++++++++
3 files changed, 61 insertions(+), 11 deletions(-)
create mode 100755 ipset-setup.sh
diff --git a/.gitignore b/.gitignore
index fcf426a..0bdafd7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -37,3 +37,4 @@ CMakeCache.txt
 CMakeFiles
 Makefile
 cmake_install.cmake
+*~
diff --git a/README.md b/README.md
index 5436e26..aa3b58b 100644
--- a/README.md
+++ b/README.md
@@ -23,26 +23,51 @@ make ``` ## How to run +Google is so large its IPv4 and IPv6 footprint can't be handled by tcpdump, +or at least not efficiently. Therefore we need to define an ip(6)tables +`ipset`. This will first exclude Google Cloud, and then include all the +other Google IP addresses. + +Install iptables 'ipset', and run (as root) the `ipset-setup.sh` script, or +execute: ``` -sudo tcpdump -n -l dst net 192.0.2.1/32 $(for a in $(cat goog-prefixes.txt); do echo or dst net $a; done) | ./teller +ipset create google-services hash:net +for a in $(cat goog-cloud-prefixes.txt) +do +echo $a + ipset add google-services $a nomatch +done +for a in $(cat goog-prefixes.txt) +do + ipset add google-services $a +done + +ipset create google-services6 hash:net family inet6 +for a in $(cat goog-cloud-prefixes6.txt) +do + ipset add google-services6 $a nomatch +done + +for a in $(cat goog-prefixes6.txt) +do + ipset add google-services6 $a +done +iptables -I OUTPUT -m set --match-set google-services dst -j NFLOG --nflog-group 20 +ip6tables -I OUTPUT -m set --match-set google-services6 dst -j NFLOG --nflog-group 20 ``` -And then cry. - -## Problems - -If `tcpdump` complains about `Warning: Kernel filter failed: Cannot allocate memory`, try -this first: - +Then start as: ``` -sudo sysctl net.core.optmem_max=204800 ``` +And cry. ## Data source - The list of Google services IP addresses can be found on [this Google support page](https://support.google.com/a/answer/10026322?hl=en). Note that this splits out Google services and Google cloud user IP -addresses. +addresses. However, it appears the Google services set includes the cloud IP +addresses, so you must check both sets before determining something is in +fact a Google service and not a Google customer.
diff --git a/ipset-setup.sh b/ipset-setup.sh
new file mode 100755
index 0000000..854b183
--- /dev/null
+++ b/ipset-setup.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+ipset create google-services hash:net
+for a in $(cat goog-cloud-prefixes.txt)
+do
+ ipset add google-services $a nomatch
+done
+for a in $(cat goog-prefixes.txt)
+do
+ ipset add google-services $a
+done
+
+ipset create google-services6 hash:net family inet6
+for a in $(cat goog-cloud-prefixes6.txt)
+do
+ ipset add google-services6 $a nomatch
+done
+for a in $(cat goog-prefixes6.txt)
+do
+ ipset add google-services6 $a
+done
+iptables -I OUTPUT -m set --match-set google-services dst -j NFLOG --nflog-group 20
+ip6tables -I OUTPUT -m set --match-set google-services6 dst -j NFLOG --nflog-group 20
+
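Review bot: ipset-setup.sh never checks a command's status, so on a second run (or with a pre-existing set) `ipset create google-services hash:net` fails, every following `ipset add` fails, and the script still reaches the `iptables -I OUTPUT ... NFLOG` line and appends a duplicate rule, doubling what is logged to nflog group 20; the IPv6 half and the copy of this snippet in the README hunk have the same problem. Adding `set -eu` after the shebang, creating and populating the sets with `-exist`, and guarding each insert with `iptables -C ... || iptables -I ...` makes the script safe to re-run. The prefix files are read relative to the current directory, so either `cd "$(dirname "$0")"` first or state in a header comment that the script must be run from the checkout as root. Since `ipset add` is spawned once per prefix, the four loops could also be replaced by a single `ipset restore` batch, which is faster and atomic, but that is optional.
```shell
#!/bin/sh
set -eu

ipset create -exist google-services hash:net
for a in $(cat goog-cloud-prefixes.txt)
do
 ipset add -exist google-services "$a" nomatch
done
# … unchanged: goog-prefixes.txt loop, with the same -exist flag …

ipset create -exist google-services6 hash:net family inet6
# … unchanged: IPv6 cloud and services loops, with the same -exist flag …

# -C reports "no rule" on stderr; that output is silenced on purpose
iptables -C OUTPUT -m set --match-set google-services dst -j NFLOG --nflog-group 20 2>/dev/null \
  || iptables -I OUTPUT -m set --match-set google-services dst -j NFLOG --nflog-group 20
ip6tables -C OUTPUT -m set --match-set google-services6 dst -j NFLOG --nflog-group 20 2>/dev/null \
  || ip6tables -I OUTPUT -m set --match-set google-services6 dst -j NFLOG --nflog-group 20
```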