Re: Ip accounting Help

On Wed, 2004-06-23 at 17:11, Antony Stone wrote:
> On Wednesday 23 June 2004 11:57 am, Joel wrote:
> 
> > On Wed, 2004-06-23 at 14:31, Antony Stone wrote:
> > >
> > > Beware of trying to do this if you are using the stateful connection
> > > tracking of netfilter (iptables -I FORWARD -m state --state
> > > ESTABLISHED,RELATED), because if you are, then almost all of the packets
> > > going through the machine (specifically, all except the first one of each
> > > connection) will be processed by this one rule, and all the other rules
> > > in the FORWARD chain will only see one packet per connection (the first
> > > one).
> > >
> > > You may be able to do what you want using the mangle table of the FORWARD
> > > chain, but not with the default filter table.
> >
> > Yes I am using stateful connection tracking of netfilter ( iptables -I
> > FORWARD -m state --state ESTABLISHED,RELATED)
> > So, as per your suggestion, I have used the FORWARD chain in the MANGLE table like this:
> >
> > # iptables -t mangle -i eth1 -A FORWARD -s 10.1.1.24/29 -j ACCEPT  ---> I
> > think for download traffic  ---> Am I right?
> > # iptables -t mangle -i eth0 -A FORWARD -d 10.1.1.24/29 -j ACCEPT  ---> I
> > think for upload traffic ----> Am I right?
> >
> > This is the output of 
> > # iptables -t mangle -nvL FORWARD
> >
> > Chain FORWARD (policy ACCEPT 1747K packets, 318M bytes)
> >  pkts bytes target     prot opt in     out     source             
> > destination
> > 1068 91499 ACCEPT     all  --  eth1   *       10.1.1.24/29         0.0.0.0/0
> >  148 26923 ACCEPT     all  --  eth0   *       0.0.0.0/0           
> > 10.1.1.24/29
> >
> > Antony, I have a lot of other IP addresses, but I have created only this subnet
> > in the mangle table for testing.
> > Traffic bytes are passing through this.
> > So is this the correct method?
> > Will the bytes over here be accurate?
> 
> The byte counts will be accurate, yes, and you have the correct idea about 
> using -s a.b.c.d and -d w.x.y.z to capture traffic to and from particular IP 
> addresses.
> 
> The thing I suggest you change, though, is not to have a -j ACCEPT at the end 
> of your rules - just let all the packets flow right through the mangle table, 
> with the rules simply counting them as they go past.
> 
> In other words, don't do:
> 
> iptables -t mangle -i eth1 -A FORWARD -s 10.1.1.24/29 -j ACCEPT
> 
> Just do:
> 
> iptables -t mangle -i eth1 -A FORWARD -s 10.1.1.24/29
> 
> The packets will still get counted just the same.
> 
> The reason for this advice is that the filter table is for filtering; the nat 
> and mangle tables are not.   Therefore you shouldn't use targets like ACCEPT, 
> DROP, etc (which are filtering operations) anywhere except the filter tables.
> 
> Regards,
> 
> Antony.

Hi Antony,

I have done some R&D on this on my production server.

I have given these commands on the server.

# $IPT -t mangle -i eth1 -A FORWARD -s 192.168.0.2
# $IPT -t mangle -o eth1 -A FORWARD -d 192.168.0.2

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source        destination
    0     0            all  --  eth1   *       192.168.0.2     0.0.0.0/0
    0     0            all  --  *      eth1    0.0.0.0/0     192.168.0.2

		AND 

# $IPT -t mangle -i eth1 -A FORWARD -s 192.168.0.2
# $IPT -t mangle -o eth0 -A FORWARD -d 192.168.0.2


Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source        destination
    0     0            all  --  eth1   *       192.168.0.2    0.0.0.0/0
    0     0            all  --  *      eth0    0.0.0.0/0     192.168.0.2



Right now there are no byte counters in either of the above scenarios because I have
restarted my production server.

I can get the download byte counters perfectly with the $IPT -t mangle -i
eth1 -A FORWARD -s 192.168.0.2 command. From this command I can measure
the download bytes.

How do I measure the upload bytes?
What will be the command?
I tried the above commands but they are not working appropriately.
Where have I gone wrong?

Regards,
-- 
Joel n.solanki
Systems Administrator
(M) 91-9825500258
D2V ISP PVT LTD
http://www.d2visp.com
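Turning the `iptables -t mangle -nvL FORWARD` counter output shown in this thread into per-address download/upload totals, as an added example (not code from either poster). The sample output is constructed in the layout shown above, the labelling of `-s` rules as download and `-d` rules as upload follows the thread's own convention, and because `-nvL` rounds large counters with K/M/G suffixes, real accounting should read them with `iptables -t mangle -nvxL FORWARD` (`-x` prints exact values).

```python
import re

# Constructed sample in the layout of `iptables -t mangle -nvL FORWARD`. -nvL rounds
# large counters with decimal K/M/G suffixes; use -nvxL for exact byte accounting.
SAMPLE = """\
Chain FORWARD (policy ACCEPT 1747K packets, 318M bytes)
 pkts bytes target     prot opt in     out     source               destination
 1068 91499 ACCEPT     all  --  eth1   *       10.1.1.24/29         0.0.0.0/0
  148 26923 ACCEPT     all  --  eth0   *       0.0.0.0/0            10.1.1.24/29
    0     0            all  --  eth1   *       192.168.0.2          0.0.0.0/0
   12  1536            all  --  *      eth1    0.0.0.0/0            192.168.0.2
"""

_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
_OPT = re.compile(r"[-!][-f]")  # the 'opt' column prints as '--', '-f' or '!f'

def parse_count(tok):
    """Convert a counter token ('91499', '1747K', '318M') to an int."""
    m = re.fullmatch(r"(\d+)([KMG]?)", tok)
    if not m:
        raise ValueError(f"bad counter: {tok!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]

def parse_chain(text):
    """Return one dict per rule line of `iptables -nvL <chain>` output."""
    rules = []
    for line in text.splitlines()[2:]:  # skip chain header and column header
        cols = line.split()
        if not cols:
            continue
        # No -j leaves the target column empty, shifting opt from index 4 to 3; locate it.
        opt = 3 if _OPT.fullmatch(cols[3]) else 4
        iface_in, iface_out, src, dst = cols[opt + 1:opt + 5]
        rules.append({"pkts": parse_count(cols[0]), "bytes": parse_count(cols[1]),
                      "target": cols[2] if opt == 4 else "", "in": iface_in,
                      "out": iface_out, "src": src, "dst": dst})
    return rules

def account(rules):
    """Bytes per address: -s rules count as download, -d rules as upload (thread's convention)."""
    totals = {}
    for r in rules:
        if r["src"] != "0.0.0.0/0":
            key, direction = r["src"], "download"
        elif r["dst"] != "0.0.0.0/0":
            key, direction = r["dst"], "upload"
        else:
            continue  # catch-all rule, nothing to attribute to a host
        totals.setdefault(key, {"download": 0, "upload": 0})[direction] += r["bytes"]
    return totals
```

Feeding it the live output (`subprocess.run(["iptables", "-t", "mangle", "-nvxL", "FORWARD"], ...)`) gives the same per-address table with exact counters; counting rules without a target are parsed the same as rules with `-j ACCEPT`.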