
A bit OT: iptables rules for simple network traffic accounting



I'm using a very simple technique for keeping a count of the traffic
volume through my Internet connection, using 2 additional iptables rules
and a script run regularly by cron, but the number of available packages
that deal with this issue, involving daemons and whatnot, makes me wonder
if my approach is not perhaps a bit simplistic and has problems I'm not
aware of. So I'd be grateful for any hints or warnings you may provide.

The 2 iptables rules:

   iptables -t mangle -A PREROUTING -i $IFACE -j MARK --set-mark 1
   iptables -t mangle -A POSTROUTING -o $IFACE -j MARK --set-mark 2

Then, iptables -L on the appropriate table/chain gives the byte counts for
the incoming and outgoing traffic. Successive runs of the command can then
be used for extrapolating hourly, daily, monthly, etc. traffic volume
rates, if the tables aren't flushed or the counts zeroed in the meantime.

As I understand it, packets travel through the system like this
(simplified):

             (network)
                 v
          mangle PREROUTING
                 |
             nat PREROUTING
                 .
                 .
                 .
          mangle POSTROUTING
                 |
             nat POSTROUTING
                 v
             (network)

So mangle/PREROUTING and nat/POSTROUTING should be the appropriate entry
and exit points to establish the byte-counting traps for ALL the packets
that REALLY come in or go out through the interface. But I could only
find a "harmless" target (MARK) for the mangle table, so I'm using it
instead of the nat one for the outgoing packets.

Results till now seem reasonable:

20030826-000002 1061852402 eth0 in:6163358 out:5261251 total:11424609
20030826-120003 1061895603 eth0 in:63503498 out:60344946 total:123848444 -- +107mb, 214mb/day, 6gb/month
20030827-000003 1061938803 eth0 in:191612289 out:124605420 total:316217709 -- +183mb, 367mb/day, 10gb/month
20030827-120002 1061982002 eth0 in:274144578 out:194747557 total:468892135 -- +145mb, 291mb/day, 8gb/month

Is this really trapping all the traffic? Is the iptables MARK target
really innocuous concerning packet routing decisions (it's not used in
any of my other iptables rules)? Any problems I'm unaware of?

I've made this available through
http://vbc.dyndns.org/~carlos/share/index.html

Thanks for any comments.

-- 
Carlos Sousa
http://vbc.dyndns.org/
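An added example, not the poster's own cron script, of the accounting step described above: it reads the byte counter of the MARK rule out of the listing produced by `iptables -t mangle -L <chain> -v -n -x` (the -v and -x flags are needed to get exact byte counts) and turns two successive samples into the "+Xmb, Ymb/day, Zgb/month" figures from the log lines. The iptables listing embedded in it is constructed sample output, and 1 mb is taken as 1048576 bytes with a 30-day month.

```shell
#!/bin/sh
# Added example (not from the original post): parse the MARK rule's byte
# counter from `iptables -t mangle -L <chain> -v -n -x` output and compute
# the interval/rate figures from two successive samples.
# -v shows the counters, -x prints exact bytes instead of "6163K", -n skips DNS.

# Constructed listing of mangle/PREROUTING, as the rule in the post would show it.
SAMPLE_PRE='Chain PREROUTING (policy ACCEPT 9000 packets, 6163358 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    9000    6163358 MARK       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            MARK set 0x1'

# Print the byte counter of the MARK rule bound to interface $2 (as in or out)
# in listing $1; fails when no such rule exists, e.g. after the chain was flushed.
mark_bytes() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $3 == "MARK" && ($6 == ifc || $7 == ifc) { print $2; found = 1; exit }
        END { if (!found) exit 1 }'
}

# Given two (bytes, epoch-seconds) samples, print the summary used in the post,
# with 1 mb = 1048576 bytes, a 30-day month and values truncated to whole units.
# A counter that went backwards means the chain was flushed or zeroed (-Z)
# between runs; that interval is reported as unusable rather than as a negative.
rates() {  # bytes0 secs0 bytes1 secs1
    d=$(( $3 - $1 )); dt=$(( $4 - $2 ))
    [ "$dt" -gt 0 ] || { echo "non-increasing timestamps" >&2; return 1; }
    [ "$d" -ge 0 ] || { echo "counter reset between samples" >&2; return 1; }
    printf '+%dmb, %dmb/day, %dgb/month\n' \
        $(( d / 1048576 )) \
        $(( d * 86400 / dt / 1048576 )) \
        $(( d * 86400 * 30 / dt / 1073741824 ))
}

# Live use (needs root): take both listings per cron run and compare with the
# "in:/out:" values of the previous run kept in the log file.
# in=$(mark_bytes "$(iptables -t mangle -L PREROUTING -v -n -x)" eth0)
# out=$(mark_bytes "$(iptables -t mangle -L POSTROUTING -v -n -x)" eth0)
```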