Such ISPs use a different dscp in tos parameter in IP header. Here some ISPs use tos 0x80 or 0x84 or 0x21. If you see tos 0x80 you can match it with -m dscp --dscp 0x20. For such details, better ask your ISP.

On Tue, 21 Dec 2004 13:33:00 -0500, Alistair Tonner <Alistair@xxxxxxxxxx> wrote:
> On December 21, 2004 03:55 am, Jean Hoderd wrote:
> > Hi,
> >
> > Here's the situation: in many countries it is customary for ISPs to
> > have separate quotas for national/international traffic (in my case the
> > limits are 20GB/2GB per month).
> >
> > Now, given an IP address, knowing whether it is national or
> > international is a solved problem: there are publicly available lists
> > with the ranges of national IP addresses.
> >
> > The problem: how to keep track of the monthly internet usage divided
> > into national/international traffic.
> >
> > Please note that I am not interested in enforcing quotas per se (the
> > "quota" module, I believe). Rather, I would simply like to know what
> > is the total traffic per category since the beginning of the month.
> >
> > I have searched netfilter's repository, and it seems that the
> > ipt_account module might do the trick. However, since I am still a
> > newbie with netfilter, I am having some trouble defining the actual
> > rules to make it work. Let us imagine, for instance, that I have n
> > ranges of national IP addresses. Adding them to a "national" counter
> > seems easy:
> >
> > iptables -A INPUT -m account --addr "range1" --aname national
> > iptables -A INPUT -m account --addr "range2" --aname national
> > ...
> > iptables -A INPUT -m account --addr "rangen" --aname national
> >
> > The question is: how do I implement the logic for all non-matching
> > ranges, which should be added to an "international" counter?
> > Furthermore, I have already plenty of rules in my firewall, and I wish
> > that the traffic accounting would not interfere with them.
>
> You want to have two user chains to do this.
> Create the 'accounting' chain in which you will account the packets with the
> rules you've given, and *AFTER* each accounting rule put a matching rule that
> RETURNS the packets to the calling chain. At the end of the 'accounting'
> chain add one rule to an 'international' chain that accounts for all non
> returned packets. At the end of the 'international' chain the packets will
> return to the 'accounting' chain and since they are already on the end of
> that they will RETURN to the calling chain.
>
> iptables -A accounting -m account --addr 'range1' --aname national
> iptables -A accounting -d range1 -j RETURN
> iptables -A accounting -m account --addr 'range2' --aname national
> iptables -A accounting -d range2 -j RETURN
> iptables -A accounting -j international
> iptables -A international -m account --aname international
>
>
> Alistair Tonner
> >
> >
> > Thanks in advance for any help you can give me!
> > Regards,
> > Jean

-- 
Bla bla
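
The two-chain layout from the quoted reply, as an added example that is not part of the original thread: it uses iptables' built-in per-rule byte counters in place of the ipt_account match, and covers the host's own traffic in both directions. The chain names (acct_in, intl_in, acct_out, intl_out), the sample ranges and the OUTPUT-side accounting are assumptions.

```shell
#!/bin/sh
# Added example. Uses iptables' built-in per-rule counters, not ipt_account.
# Chain names (acct_*, intl_*) and the sample ranges are assumptions.

# gen_rules RANGE...: print the commands; review, then pipe to sh as root.
gen_rules() {
    for hook in INPUT OUTPUT; do
        # The remote peer is the source on INPUT and the destination on OUTPUT.
        case $hook in
            INPUT)  sfx=in;  flag=-s ;;
            OUTPUT) sfx=out; flag=-d ;;
        esac
        echo "iptables -N acct_$sfx"
        echo "iptables -N intl_$sfx"
        for range in "$@"; do
            # The RETURN rule's own counter holds this range's national bytes.
            echo "iptables -A acct_$sfx $flag $range -j RETURN"
        done
        # Whatever was not returned above is international.
        echo "iptables -A acct_$sfx -j intl_$sfx"
        # A rule without a target only increments its counters.
        echo "iptables -A intl_$sfx"
        # Every rule ends in RETURN or falls off the chain, so packets always
        # continue into the existing rules of the built-in chain.
        echo "iptables -I $hook 1 -j acct_$sfx"
    done
}

# sum_counters: read `iptables-save -c` output on stdin, print byte totals.
sum_counters() {
    awk '
        function bytes(c,   p) {          # "[pkts:bytes]" -> bytes
            split(substr(c, 2, length(c) - 2), p, ":")
            return p[2]
        }
        /^\[[0-9]+:[0-9]+\] -A acct_(in|out) .* -j RETURN *$/ { nat  += bytes($1) }
        /^\[[0-9]+:[0-9]+\] -A intl_(in|out) *$/              { intl += bytes($1) }
        END { printf "national=%.0f international=%.0f\n", nat, intl }
    '
}

# Constructed sample ranges (documentation prefixes), printed only:
gen_rules 192.0.2.0/24 198.51.100.0/24
```

Running `iptables-save -c | sum_counters` gives the totals since the counters were last zeroed with `iptables -Z`. The counters live in the kernel and are lost on reboot or when the rule set is reloaded, so record them before either happens.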