NuConntrack
Overview
NuConntrack is an XML-RPC service that lets network administrators monitor and alter Netfilter connections.
It has the following features:
- Connection listing (with the byte rate of each connection)
- Entry removal
- Modification of mark and timeout
The program itself is called pyctd: the PYthon ConnTrack Daemon.
NuConntrack is free software released under the GNU General Public License. Please see the COPYING file for further information.
Because the service speaks XML-RPC, frontends can be built easily. A PHP frontend is already available, and a demonstration is online as well (please be aware that this is a demo, not a real way to view and kill connections on our firewall).
See also pyctd-php (web frontend).
Who?
Contact us: Pyctd Development Team <pyctd-dev AT inl.fr>
Main author & maintainer
Damien Boucard (aka Hackter) <damien.boucard AT inl.fr>
Other authors
- Victor Stinner (aka Haypo) <victor.stinner AT inl.fr>
- Éric Leblond (aka Regit) <eric.leblond AT inl.fr>
Get it!
Tarball releases
- Download pyctd-0.4.4.tar.gz
- See Cheeseshop to get old versions
GNU/Linux packages
- Debian Etch: pyctd_0.4.2-1_all.deb
- Packages have been available in the Mandriva repository since version 2008.0
- RPMs for Fedora can be found here
- Gentoo users can get an ebuild from the g-pipy project
Dependencies
- Python 2.3 or later
- pynetfilter_conntrack library
- Optional:
- NuFW 2.0 or later (in particular the nufw daemon with the -m option, to retrieve the username of an authenticated connection)
Subversion
Check out the latest Subversion head with:
svn checkout http://software.inl.fr/svn/mirror/edenwall/pyctd/trunk/src pyctd
Browse source code
Browse NuConntrack source code online
Install NuConntrack
If you got NuConntrack from Subversion or from the tarball, you will need to run the following as super-user (e.g. with sudo):
python setup.py install
Run
Type pyctd -h for command usage information.
Security notes
Server security
The XML-RPC server is based on SimpleHTTPServer from Python's standard library, so there is no guarantee about the security of this server. That is why we strongly recommend keeping it listening on localhost only and using Apache's mod_redirect to proxy it to the network. See apache-site.template for an example.
Authentication security
If you applied what is written above, you can configure Apache to handle authentication. In that case you can omit the mod_auth argument, but you will still have to call the login procedure in order to get a session ID; the arguments passed to the login procedure are then irrelevant (so you can pass none).
Otherwise, we strongly recommend that you give a mod_auth argument. This argument names a module containing an authenticate function that takes the arguments passed to the login remote procedure and returns a boolean value. A module auth_sha.py is provided with NuConntrack to manage a password file of SHA-hashed passwords. To use it, you must edit the script to set the module attribute PASSWD_FILE. Then add user/password pairs by running the script itself:
python auth_sha.py username password
To revoke a user's access, delete the corresponding line from the password file.
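As an added example (not the project's own auth_sha.py), here is a mod_auth-style module that follows the interface described above. It assumes pyctd hands authenticate() the login procedure's arguments as (username, password), that PASSWD_FILE holds "username:hexdigest" lines, and SHA-256 as the digest; it is written for Python 3:

```python
# Hypothetical mod_auth module for pyctd (added example, not auth_sha.py).
# Assumptions: pyctd calls authenticate(username, password) with the login
# procedure's arguments; PASSWD_FILE holds "username:hexdigest" lines.
import hashlib
import hmac

PASSWD_FILE = "/etc/pyctd/passwd"  # assumed location; set it before use

def hash_password(password):
    """Hex digest of the password (SHA-256 here; which SHA the shipped
    auth_sha.py uses is not stated on the page)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def parse_passwd(text):
    """Parse "username:hexdigest" lines, skipping blanks and '#' comments."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError("malformed entry on line %d of password file" % lineno)
        user, digest = line.split(":", 1)
        entries[user.strip()] = digest.strip().lower()
    return entries

def check_password(entries, username, password):
    """Constant-time compare; hash even for unknown users (no timing oracle)."""
    known = username in entries
    expected = entries[username] if known else hash_password("")
    return hmac.compare_digest(hash_password(password), expected) and known

def add_user(path, username, password):
    """Append a user, like 'python auth_sha.py username password' does."""
    if ":" in username or "\n" in username:
        raise ValueError("invalid username")
    with open(path, "a") as fh:
        fh.write("%s:%s\n" % (username, hash_password(password)))

def authenticate(username, password):
    """Hook called by pyctd for the login RPC; True grants a session ID."""
    try:
        with open(PASSWD_FILE) as fh:
            entries = parse_passwd(fh.read())
    except (IOError, OSError, ValueError):
        return False  # unreadable or malformed file denies everyone (fail closed)
    return check_password(entries, username, password)
```

Note that a missing or malformed password file makes authenticate() refuse every login rather than letting clients in, which is the behaviour you want for a service that can delete conntrack entries.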
Contribute
Contributors are welcome!
If you want to implement one of these features, please contact us and we can create a Trac account for you.
- Managing IPv6
- Managing ICMP
- Managing QoS server-side (by using StarQos?)
- Retrieving usernames from ulog (server-side)
- Creating other frontends (console and/or graphical user interfaces)
- Enhancing daemon behaviour (e.g. redirecting stdout to a logging function, an option to kill other daemon instances), which would make it possible to release auto_daemon.py as its own package.
- Writing other authentication modules (e.g. querying an LDAP server)
Frontends
Frontends are available to display conntrack entries and act on them remotely.
PHP frontend
Documentation
There is currently only one frontend for NuConntrack, but you can develop new frontends by following our XML-RPC specifications.