Re: 3 iptables accounting questions


On Tuesday 06 July 2004 23:55, Alexander Samad wrote:
> On Tue, Jul 06, 2004 at 11:07:25AM +0200, Etienne Ledoux wrote:
> > super answer! tx!
> >
> > 1)
> > Should I change the 10.168.0.2/32 to 0.0.0.0/0 ? Would that catch
> > everything on eth0 ? My internal lan is 192.168.0.0/24. But mail is
> > delivered directly to the fw which won't pass to the internal network but
> > is also part of the internet traffic. So I guess I have two types of
> > internet traffic. 192.168.0.0/24 which is the internal network doing the
> > usual stuff on the internet like browsing etc. and mail which is going
> > to/from 10.168.0.2 which is the external ethernet of the firewall.
> >
> > 2) iptables-save -c ACCT
> > Unknown arguments found on commandline
> >
> > I guess I'm doing something stupid here. What would the right syntax be ?
> >
> > e.
> >
> > On Tuesday 06 July 2004 10:45, Antony Stone wrote:
> > > On Tuesday 06 July 2004 9:17 am, Etienne Ledoux wrote:
> > > > Greetings,
> > > >
> > > > 1) I have a firewall and would like to count all the traffic
> > > > entering/leaving the external interface (I want to count only
> > > > internet traffic, which is the traffic entering/leaving the external
> > > > if). Is this rule right ?
> > > >
> > > > iptables -N ACCT
> > > > iptables -I FORWARD -j ACCT
> > > > iptables -I INPUT -j ACCT
> > > > iptables -I OUTPUT -j ACCT
> > > > iptables -A ACCT -s 10.168.0.2/32 -d 0.0.0.0/0 -o eth0
> > > > iptables -A ACCT -s 0.0.0.0/0 -d 10.168.0.2/32 -i eth0
>
> why not something like
>
> iptables -t mangle -N ACCT
> iptables -t mangle -I PREROUTING 1 -i eth0 -j ACCT
> iptables -t mangle -I POSTROUTING 1 -o eth0 -j ACCT
>
> iptables -t mangle -A ACCT -i eth0
> iptables -t mangle -A ACCT -o eth0
>
>
> This should capture every thing entering and leave via eth0
>
> > > > 10.168.0.2 is my external interface ip and is also the ip which my
> > > > internal network is natted behind.
> > >
> > > You want to count traffic addressed *to this machine* from the
> > > Internet, and traffic addressed *from this machine* to the Internet,
> > > yes?   In that case these rules will work, but there is no point in
> > > jumping to the ACCT chain from the FORWARD chain.
> > >
> > > Remember that FORWARD is *only* for traffic going through the machine,
> > > and INPUT and OUTPUT are *only* for traffic to/from the machine (ie:
> > > *never* for traffic going through it).
> > >
> > > If you want to count traffic addressed *to any machine on your internal
> > > network* from the Internet, and traffic addressed *from any machine on
> > > your network* to the Internet, then you should use your subnet address
> > > in the -s and -d options, not the address of your firewall.
> > >
> > > At a guess this subnet is going to be 10.168.0.0/24, but I don't know
> > > what netmask you're using.
> > >
> > > > 2) I would like to save/restore only this accounting rule. I thought
> > > > 'iptables-save -c -t ACCT' would work but it doesn't.
> > >
> > > No, ACCT is not a table (like filter, nat and mangle are) - it is a
> > > chain (like FORWARD, INPUT and OUTPUT are).   Don't use -t
> > >
> > > > 3) How do I flush the accounting stats.
> > >
> > > iptables -Z ACCT, or iptables -L -Z ACCT -nvx if you want to see the
> > > counters immediately before zeroing them.
> > >
> > > Regards,
> > >
> > > Antony.

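The thread settles three things: put the accounting chain in the mangle table so PREROUTING/POSTROUTING see every packet on the external interface, use `iptables-save -c` (no `-t ACCT`, since ACCT is a chain, not a table) to read the counters, and `-Z` to reset them. The script below is an added example, not code from the thread or from the netfilter project: it emits the mangle-table rule set with `-t mangle` on every line, and then parses the `[pkts:bytes]` prefix that `iptables-save -c` prints to pull the per-direction byte counts for the ACCT chain and to cut a restore fragment containing only that chain. The interface (`eth0`) and chain name (`ACCT`) are the thread's; the `iptables-save` output embedded in `SAMPLE` is constructed, not captured from a real firewall, so the script runs without root or iptables.

```shell
#!/bin/sh
# Added example for the ACCT accounting chain discussed in the thread.
# Assumptions: external interface is eth0, chain is ACCT in the mangle table.

IFACE=eth0

# Emit the rule set. Chain and rules must all be addressed with -t mangle:
# "iptables -A ACCT" without it looks for ACCT in the filter table and fails.
# (Printed rather than executed; applying it needs root.)
acct_setup() {
    cat <<EOF
iptables -t mangle -N ACCT
iptables -t mangle -I PREROUTING 1 -i $IFACE -j ACCT
iptables -t mangle -I POSTROUTING 1 -o $IFACE -j ACCT
iptables -t mangle -A ACCT -i $IFACE
iptables -t mangle -A ACCT -o $IFACE
EOF
}

# Constructed sample of what "iptables-save -c -t mangle" prints.
# Each rule is prefixed with [packets:bytes]; chain headers carry policy counters.
SAMPLE='# Generated by iptables-save (constructed sample)
*mangle
:PREROUTING ACCEPT [120:14400]
:INPUT ACCEPT [80:9600]
:FORWARD ACCEPT [40:4800]
:OUTPUT ACCEPT [90:11000]
:POSTROUTING ACCEPT [130:15800]
:ACCT - [0:0]
[100:12000] -A PREROUTING -i eth0 -j ACCT
[110:13700] -A POSTROUTING -o eth0 -j ACCT
[100:12000] -A ACCT -i eth0
[110:13700] -A ACCT -o eth0
COMMIT
# Completed'

# acct_bytes FLAG SAVED_TEXT
#   FLAG is -i (bytes received on $IFACE) or -o (bytes sent on $IFACE).
#   Prints the byte counter of the matching ACCT rule from iptables-save -c output.
acct_bytes() {
    printf '%s\n' "$2" | awk -v flag="$1" -v ifc="$IFACE" '
        $2 == "-A" && $3 == "ACCT" && $4 == flag && $5 == ifc {
            gsub(/\[|\]/, "", $1)      # "[pkts:bytes]" -> "pkts:bytes"
            split($1, c, ":")
            print c[2]
            exit
        }'
}

# acct_extract SAVED_TEXT
#   Prints a restore fragment holding only the ACCT chain and its rules,
#   wrapped in *mangle/COMMIT so iptables-restore -c will accept it.
#   The PREROUTING/POSTROUTING jumps are deliberately left out so that
#   restoring with --noflush does not add duplicate jump rules.
acct_extract() {
    printf '%s\n' "$1" | awk '
        /^:ACCT / || / -A ACCT / { body = body $0 "\n" }
        END { printf "*mangle\n%sCOMMIT\n", body }'
}

# Stand-alone demonstration on the constructed sample.
printf 'rx bytes on %s: %s\n' "$IFACE" "$(acct_bytes -i "$SAMPLE")"
printf 'tx bytes on %s: %s\n' "$IFACE" "$(acct_bytes -o "$SAMPLE")"
```

On a live box the same parser reads `iptables-save -c -t mangle` directly, and `iptables -t mangle -L ACCT -nvx` shows the identical counters in human form (`-x` keeps exact byte counts instead of K/M suffixes). Load the fragment from `acct_extract` with `iptables-restore -c -n` so the rest of the mangle table is not flushed; the jump rules must already be in place. Zero with `iptables -t mangle -Z ACCT` after you have recorded the numbers, since the counters are lost on zeroing and on reboot.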