Well, I don't know if you want to log EVERYTHING. Remember ip_conntrack works on streams, so you can log only NEW packets. I have about 90 rules with -m mac like those I said before, plus several port forwardings, on a P2 450MHz with a 100Mbit internet connection, used a lot, almost all the time at 11MB/s upload (exactly where those rules are mostly hit), and top says the sys load is around 40% at most when I have the full bandwidth in use, but I think it is not because of netfilter, but the PCI usage. Traffic at 50% usually needs much less CPU, like 5-10%. I also have many other rules for SYN scan limiting, bandwidth counting, and so on.

On 30 Aug 2004 20:54:36 +0200, Jose Maria Lopez <jkerouac@xxxxxxxxxxx> wrote:
> On Mon, 30 Aug 2004 at 04:42, Henry Baxter wrote:
> >
> > Hello,
> >
> > I have been reading this list for several months, and I've really
> > enjoyed learning all that I have, thank you everybody for the
> > opportunity to listen:)
> >
> > Ultimately I am hoping to track the bandwidth usage of about 50 client
> > computers through my router based on their MAC address. I understand
> > that by simply writing a rule that does nothing to the packet, such as
> > 'iptables -A FORWARD -m <mac address>' I can parse the netfilter log and
> > find out what I need. This seems rather convoluted though - getting
> > netfilter to create a basically human readable log file, and then
> > parsing it.
> >
> > All of the network traffic is passing through unmanaged switches until
> > finally hitting the interface on the router.
> >
> > I'm sure this must have been done by many others before, so could
> > anybody give me some idea of what the most common way to handle this
> > situation would be?
> >
> > I appreciate any input.
> >
> > Henry Baxter
>
> If you don't have a big number of users you can do something like this:
>
> iptables -N MACSTATS
> iptables -A INPUT -j MACSTATS
> iptables -A OUTPUT -j MACSTATS
> iptables -A FORWARD -j MACSTATS
> iptables -A MACSTATS -m mac --mac-source $CLIENT1_MAC_ADDRESS -j RETURN
> iptables -A MACSTATS -m mac --mac-source $CLIENT2_MAC_ADDRESS -j RETURN
> ...
>
> So you can read the data transferred by each client with the command:
> iptables -L MACSTATS -nv
>
> More or less this is what we do in our bastion-firewall-stats module
> from our bastion-firewall GPL firewall, but we extract the counters with
> C code to put it in a rrdtool database and then create graphs with the
> data. If you need code you can look at the source code of this addon from
> our firewall.
>
> --
> Jose Maria Lopez Hernandez
> Technical Director of bgSEC
> jkerouac@xxxxxxxxx
> bgSEC Seguridad y Consultoria de Sistemas Informaticos
> http://www.bgsec.com
> SPAIN
>
> The only people for me are the mad ones -- the ones who are mad to live,
> mad to talk, mad to be saved, desirous of everything at the same time,
> the ones who never yawn or say a commonplace thing, but burn, burn, burn
> like fabulous yellow Roman candles.
> -- Jack Kerouac, "On the Road"
>
> -- Bla bla
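The per-MAC accounting chain that Jose describes, together with a reader for its counters, as an added example that is not part of this thread and not the bastion-firewall code he refers to. It assumes the iptables "mac" match and the column layout of 'iptables -L MACSTATS -n -v -x' (the -x flag prints exact byte counts instead of the K/M abbreviations that -v alone uses); the client MAC addresses and the sample listing are constructed. Two caveats worth knowing before relying on the numbers: the mac match is valid only in PREROUTING, INPUT and FORWARD, so this version enters the chain from INPUT and FORWARD rather than OUTPUT, and --mac-source only sees the Ethernet source address of frames arriving at the router, so the counters cover what each client sends; bytes flowing back to a client arrive with the upstream gateway's source MAC and need a separate rule set (for instance matched on destination IP).

```shell
#!/bin/sh
# Added example (not from the original thread): build a MACSTATS-style
# accounting chain and read its per-client counters.
# Assumes the iptables "mac" match and the "iptables -L -n -v -x" listing
# format. MAC addresses and the sample listing are constructed.

# Client MAC addresses to account for (constructed placeholders).
CLIENT_MACS="00:11:22:33:44:55 00:11:22:33:44:66"

# Print the iptables commands that set up the accounting chain.
# The mac match is valid only in PREROUTING, INPUT and FORWARD, so the
# chain is entered from INPUT and FORWARD. Pipe the output into sh as
# root to apply it; the rules do nothing but count and RETURN.
build_macstats_rules() {
    echo "iptables -N MACSTATS"
    echo "iptables -A INPUT -j MACSTATS"
    echo "iptables -A FORWARD -j MACSTATS"
    for mac in $CLIENT_MACS; do
        echo "iptables -A MACSTATS -m mac --mac-source $mac -j RETURN"
    done
}

# Constructed sample of 'iptables -L MACSTATS -n -v -x' output.
# Columns: pkts bytes target prot opt in out source destination [match info]
SAMPLE_LISTING='Chain MACSTATS (2 references)
    pkts      bytes target     prot opt in     out     source               destination
   12345    9876543 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC 00:11:22:33:44:55
     678      45678 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC 00:11:22:33:44:66'

# Read a listing on stdin and print one "MAC bytes packets" line per
# counting rule. Only RETURN rules carrying a MAC match are reported, so
# the header lines are skipped.
parse_macstats() {
    awk '$3 == "RETURN" {
        for (i = 1; i <= NF; i++)
            if ($i == "MAC") print $(i + 1), $2, $1
    }'
}

# Bytes counted for one MAC (argument 1) from a listing on stdin, or 0 if
# the address has no rule. This is the value a poller would feed into
# rrdtool at each interval.
bytes_for_mac() {
    parse_macstats | awk -v m="$1" '
        $1 == m { print $2; found = 1 }
        END { if (!found) print 0 }'
}

# Stand-alone demonstration on the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | parse_macstats
```

On a live router, replace the constructed listing with the real one, e.g. 'iptables -L MACSTATS -n -v -x | bytes_for_mac 00:11:22:33:44:55'. Because the kernel counters only ever grow, a poller should either store the absolute values as a counter type in rrdtool or zero them after each read with 'iptables -Z MACSTATS' (which can be combined with -L so that the values are listed immediately before they are cleared).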