On Wed, 2004-06-23 at 17:11, Antony Stone wrote:
> On Wednesday 23 June 2004 11:57 am, Joel wrote:
>
> > On Wed, 2004-06-23 at 14:31, Antony Stone wrote:
> > >
> > > Beware of trying to do this if you are using the stateful connection
> > > tracking of netfilter (iptables -I FORWARD -m state --state
> > > ESTABLISHED,RELATED), because if you are, then almost all of the packets
> > > going through the machine (specifically, all except the first one of each
> > > connection) will be processed by this one rule, and all the other rules
> > > in the FORWARD chain will only see one packet per connection (the first
> > > one).
> > >
> > > You may be able to do what you want using the mangle table of the FORWARD
> > > chain, but not with the default filter table.
> >
> > Yes I am using stateful connection tracking of netfilter ( iptables -I
> > FORWARD -m state --state ESTABLISHED,RELATED)
> > So as per you i have used FORWARD chain in MANGLE table like this.
> >
> > # iptables -t mangle -i eth1 -A FORWARD -s 10.1.1.24/29 -j ACCEPT ---> I
> > think for Download traffic ---> M I right ?
> > # iptables -t mangle -i eth0 -A FORWARD -d 10.1.1.24/29 -j ACCEPT ---> I
> > think for Upload traffic ----> M I right ?
> >
> > This is the output of
> > # iptables -t mangle -nvL FORWARD
> >
> > Chain FORWARD (policy ACCEPT 1747K packets, 318M bytes)
> > pkts bytes target prot opt in out source
> > destination
> > 1068 91499 ACCEPT all -- eth1 * 10.1.1.24/29 0.0.0.0/0
> > 148 26923 ACCEPT all -- eth0 * 0.0.0.0/0
> > 10.1.1.24/29
> >
> > Antony i have lot of other ip address but i have created only this subnet
> > for mangle table for testing.
> > Traffic bytes are passing through this.
> > So is the correct method ?
> > Will be the bytes over here are accurate ???
>
> The byte counts will be accurate, yes, and you have the correct idea about
> using -s a.b.c.d and -d w.x.y.z to capture traffic to and from particular IP
> addresses.
>
> The thing I suggest you change, though, is not to have a -j ACCEPT at the end
> of your rules - just let all the packets flow right through the mangle table,
> with the rules simply counting them as they go past.
>
> In other words, don't do:
>
> iptables -t mangle -i eth1 -A FORWARD -s 10.1.1.24/29 -j ACCEPT
>
> Just do:
>
> iptables -t mangle -i eth1 -A FORWARD -s 10.1.1.24/29
>
> The packets will still get counted just the same.
>
> The reason for this advice is that the filter table is for filtering; the nat
> and mangle tables are not. Therefore you shouldn't use targets like ACCEPT,
> DROP, etc (which are filtering operations) anywhere except the filter tables.
>
> Regards,
>
> Antony.
Hi antony,
I have done some R&D on this on my production server.
I have given this commands on the server.
# $IPT -t mangle -i eth1 -A FORWARD -s 192.168.0.2
# $IPT -t mangle -o eth1 -A FORWARD -d 192.168.0.2
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 all -- eth1 * 192.168.0.2 0.0.0.0/0
0 0 all -- * eth1 0.0.0.0/0 192.168.0.2
AND
# $IPT -t mangle -i eth1 -A FORWARD -s 192.168.0.2
# $IPT -t mangle -o eth0 -A FORWARD -d 192.168.0.2
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 all -- eth1 * 192.168.0.2 0.0.0.0/0
0 0 all -- * eth0 0.0.0.0/0 192.168.0.2
Right now there are no bytes counter in above both scenario coz i have
restarted my production server.
I can get the dowload bytes counters perfectly in the $IPT -t mangle -i
eth1 -A FORWARD -s 192.168.0.2 command. From this command i can measure
the download bytes.
How do i measure the upload bytes ..?
what will be the command.
I tried the above commands but its not working appropiate.
Where i have gone wrong...?
Regards,
--
Joel n.solanki
Systems Administrator
(M) 91-9825500258
D2V ISP PVT LTD
http://www.d2visp.com
