Commit

and docs for better setup
berthubert committed Aug 23, 2022
1 parent c3c68c0 commit 1ccb326
Showing 3 changed files with 61 additions and 11 deletions.
1 change: 1 addition & 0 deletions .gitignore
@@ -37,3 +37,4 @@ CMakeCache.txt
CMakeFiles
Makefile
cmake_install.cmake
*~
47 changes: 36 additions & 11 deletions README.md
@@ -23,26 +23,51 @@ make
```

## How to run
Google is so large its IPv4 and IPv6 footprint can't be handled by tcpdump,
or at least not efficiently. Therefore we need to define an ip(6)tables
`ipset`. This will first exclude Google Cloud, and then include all the
other Google IP addresses.

Install iptables 'ipset', and run (as root) the `ipset-setup.sh` script, or
execute:

```
sudo tcpdump -n -l dst net 192.0.2.1/32 $(for a in $(cat goog-prefixes.txt); do echo or dst net $a; done) | ./teller
ipset create google-services hash:net
for a in $(cat goog-cloud-prefixes.txt)
do
echo $a
ipset add google-services $a nomatch
done
for a in $(cat goog-prefixes.txt)
do
ipset add google-services $a
done
ipset create google-services6 hash:net family inet6
for a in $(cat goog-cloud-prefixes6.txt)
do
ipset add google-services6 $a nomatch
done
for a in $(cat goog-prefixes6.txt)
do
ipset add google-services6 $a
done
iptables -I OUTPUT -m set --match-set google-services dst -j NFLOG --nflog-group 20
ip6tables -I OUTPUT -m set --match-set google-services6 dst -j NFLOG --nflog-group 20
```

And then cry.

## Problems

If `tcpdump` complains about `Warning: Kernel filter failed: Cannot allocate memory`, try
this first:

Then start as:
```
sudo sysctl net.core.optmem_max=204800
sudo tcpdump -i nflog:20 -ln | ./teller
```
And cry.

## Data source

The list of Google services IP addresses can be found on [this Google
support page](https://support.google.com/a/answer/10026322?hl=en).

Note that this splits out Google services and Google cloud user IP
addresses.
addresses. However, it appears the Google services set includes the cloud IP
addresses, so you must check both sets before determining something is in
fact a Google service and not a Google customer.
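Review bot: the "## Problems" troubleshooting section lands before "Then start as:" and the `sudo tcpdump -i nflog:20 -ln | ./teller` command, so a reader following the README top to bottom reaches the fix for `Kernel filter failed: Cannot allocate memory` before the command that produces it; move "Then start as:" and its fenced block up under "## How to run" (directly after the ipset block) and keep only the `sysctl net.core.optmem_max` line under "## Problems". The inline ipset block also duplicates `ipset-setup.sh` verbatim; referring readers to the script instead keeps the two from drifting apart. Finally, the data-source note ("the Google services set includes the cloud IP addresses, so you must check both sets") should say that this is exactly what the `nomatch` entries for the cloud prefixes accomplish, otherwise readers may think a second manual check is still needed.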
24 changes: 24 additions & 0 deletions ipset-setup.sh
@@ -0,0 +1,24 @@
#!/bin/sh

ipset create google-services hash:net
for a in $(cat goog-cloud-prefixes.txt)
do
ipset add google-services $a nomatch
done
for a in $(cat goog-prefixes.txt)
do
ipset add google-services $a
done

ipset create google-services6 hash:net family inet6
for a in $(cat goog-cloud-prefixes6.txt)
do
ipset add google-services6 $a nomatch
done
for a in $(cat goog-prefixes6.txt)
do
ipset add google-services6 $a
done
iptables -I OUTPUT -m set --match-set google-services dst -j NFLOG --nflog-group 20
ip6tables -I OUTPUT -m set --match-set google-services6 dst -j NFLOG --nflog-group 20
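Review bot: the script is not safe to run twice: `ipset create google-services hash:net` fails with "set with the same name already exists" on a second run, and because there is no `set -e` the script continues and then `iptables -I OUTPUT ... -j NFLOG --nflog-group 20` inserts a duplicate rule each time. Suggest `set -e` after the shebang, `ipset -exist create ...` (or a `flush` of the sets before repopulating) so reruns refresh the prefixes, and guarding each insert with a check such as `iptables -C OUTPUT -m set --match-set google-services dst -j NFLOG --nflog-group 20 || iptables -I OUTPUT ...`. The `for a in $(cat goog-cloud-prefixes.txt)` loops also silently accept comment or blank lines from the prefix files; a `case "$a" in '#'*|'') continue;; esac` keeps a stray line from aborting the set population, and the `echo $a` that the README's copy of this block still carries should be dropped from both places for consistency.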
