: Is there any way to dynamically measure the no of concurrent internal
: hosts (IP's) utilising the linux NAT Gateway/forwarding box.

If you have root level access to the box, you can use a bit of shell to
determine the number of concurrent "clients" in any given instant. This
assumes, of course, that you don't have an internally SNATed/masqueraded
network which {c,w}ould hide more clients.

ipchains?

  # /sbin/ipchains -MnL | awk '/[0-9][0-9]:[0-9][0-9]/{print $3}' \
  > | sort | uniq | wc -l

iptables?

  # awk '/(ESTABLISHED|ASSURED)/{print $5}' /proc/net/ip_conntrack \
  > | sort | uniq

Naturally with iptables, you'll need to know a bit more about your use of
the connection tracking to disambiguate any inbound or internal to DMZ
connections to accurately count your SNAT/MASQUERADEd connections.

The above shell is not designed with efficiency in mind (obviously), but
you get the idea.

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
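
Added example, not part of the message above: one way to do the disambiguation the iptables paragraph mentions, by counting only conntrack entries whose reply-direction dst= differs from the original-direction src=, which is what source NAT leaves in the table. The function names count_snat_clients and sample_conntrack are hypothetical, and the sample entries are constructed using documentation address ranges.

```shell
#!/bin/sh
# Count distinct internal hosts that currently have SNAT/MASQUERADEd
# connections. Reads conntrack-format lines on stdin.
count_snat_clients() {
    awk '
    /ESTABLISHED|ASSURED/ {
        osrc = ""; rdst = ""; nsrc = 0; ndst = 0
        for (i = 1; i <= NF; i++) {
            # first src= is the original direction (the client)
            if (($i ~ /^src=/) && (++nsrc == 1)) osrc = substr($i, 5)
            # second dst= is the reply direction (where answers go)
            if (($i ~ /^dst=/) && (++ndst == 2)) rdst = substr($i, 5)
        }
        # Source NAT rewrote the client address, so replies are addressed
        # to the gateway, not to the original source. Routed (internal to
        # DMZ) and inbound DNAT entries have osrc == rdst and are skipped.
        if (osrc != "" && rdst != "" && osrc != rdst) seen[osrc] = 1
    }
    END { n = 0; for (h in seen) n++; print n }
    '
}

# Constructed sample table: two masqueraded clients (one with two
# connections), one routed internal-to-DMZ session, one inbound DNAT
# session, and one unreplied connection attempt.
sample_conntrack() {
cat <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=40000 dport=80 src=203.0.113.5 dst=198.51.100.1 sport=80 dport=40000 [ASSURED] use=1
tcp      6 431000 ESTABLISHED src=192.168.1.10 dst=203.0.113.9 sport=40001 dport=443 src=203.0.113.9 dst=198.51.100.1 sport=443 dport=40001 [ASSURED] use=1
udp      17 170 src=192.168.1.11 dst=203.0.113.53 sport=5353 dport=53 src=203.0.113.53 dst=198.51.100.1 sport=53 dport=5353 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.1.12 dst=192.168.2.20 sport=40002 dport=22 src=192.168.2.20 dst=192.168.1.12 sport=22 dport=40002 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=203.0.113.77 dst=198.51.100.1 sport=50000 dport=25 src=192.168.2.25 dst=203.0.113.77 sport=25 dport=50000 [ASSURED] use=1
tcp      6 110 SYN_SENT src=192.168.1.13 dst=203.0.113.5 sport=40003 dport=80 [UNREPLIED] src=203.0.113.5 dst=198.51.100.1 sport=80 dport=40003 use=1
EOF
}

# Stand-alone run on the sample; on a live gateway, feed it the table:
#   count_snat_clients < /proc/net/ip_conntrack
sample_conntrack | count_snat_clients
```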