
[Re: Bytes counter with iptables]



The first thing to note is that ipchains has a very different
structure from iptables. Please refer to the documentation on
netfilter.kernelnotes.org. iptables is more robust and easier to
manage, primarily due to its stateful nature, which until now you
could find only in commercial routers/firewalls.

The second thing to note is that although in the case of 256 hosts
you would have 512 iptables rules, it's not true that every
packet has to fall through every rule. Actually, you would
define a 'RETURN' target so that chain traversal stops as soon as
the rule is matched. You can further optimize the setup by
observing that you can collect statistics about your hosts
and put the hosts with the highest traffic at the beginning of
your chain. You can bind iptables rules to the external interface
only, so that internal traffic is not accounted.

As for the nacctab syntax, it's quite explanatory and there are no
catches. Be careful to collect the data on one interface only.
You will also need the ipacct utility (which is part of the Debian
distribution, afaik). If you have high traffic (with peaks
over 1 MByte/sec) and consider running nacctd, then you should
purchase a reasonably fast processor (Pentiums over 800 MHz should
be fine). Oh, by the way, nacctd works by putting the interface into
promiscuous mode. It doesn't need firewalling (although you
should use a firewall for security reasons in any case!).

Kresimir

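A worked version of the scheme described in the reply above (a per-host accounting chain, RETURN at the first match so no packet falls through the remaining rules, rules bound to the external interface only, busiest hosts placed first), added here as an example; it is not code from the list post. The interface name eth0, the network 192.168.1.0/24 and the chain name ACCT are assumptions, and the counter listing used by the summing step is constructed sample output. By default the script only prints the iptables commands (DRY_RUN=1); set DRY_RUN=0 to apply them as root.

```shell
#!/bin/sh
# Per-host byte accounting chain for iptables. Added example, not code from
# the original post. Assumed (not in the thread): external interface eth0,
# internal network 192.168.1.0/24, accounting chain named ACCT hooked from
# FORWARD. DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 runs them.
EXT_IF="${EXT_IF:-eth0}"
NET_PREFIX="${NET_PREFIX:-192.168.1}"
CHAIN="${CHAIN:-ACCT}"
DRY_RUN="${DRY_RUN:-1}"

# Print or execute one iptables command depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Two rules per host, both bound to the external interface so that purely
# internal traffic is never counted: one matches bytes arriving from outside
# for the host (-d), the other matches bytes the host sends out (-s).
# RETURN ends traversal of ACCT at the first match and hands the packet back
# to FORWARD, so the chain only counts and never filters.
host_rules() {
    ipt -A "$CHAIN" -i "$EXT_IF" -d "$1" -j RETURN
    ipt -A "$CHAIN" -o "$EXT_IF" -s "$1" -j RETURN
}

# Build the chain for hosts NET_PREFIX.$1 .. NET_PREFIX.$2 and hook it into
# FORWARD. Rules are matched top to bottom, so feed the busiest hosts first
# (here simply the low end of the range) to shorten the average traversal.
build_chain() {
    first="$1"; last="$2"
    ipt -N "$CHAIN"
    ipt -F "$CHAIN"
    i="$first"
    while [ "$i" -le "$last" ]; do
        host_rules "$NET_PREFIX.$i"
        i=$((i + 1))
    done
    ipt -I FORWARD -j "$CHAIN"
}

# Reduce the output of "iptables -L $CHAIN -v -x -n" (read from stdin) to one
# line per host: host inbound_bytes outbound_bytes total_bytes. Column 6 is
# the input interface, column 7 the output interface, 8 source, 9 destination.
# Run "iptables -Z $CHAIN" after reading if you want per-interval deltas.
sum_counters() {
    awk -v ext="$EXT_IF" '
        $3 == "RETURN" && $6 == ext { inb[$9] += $2; seen[$9] = 1 }
        $3 == "RETURN" && $7 == ext { outb[$8] += $2; seen[$8] = 1 }
        END {
            for (h in seen)
                printf "%s %d %d %d\n", h, inb[h], outb[h], inb[h] + outb[h]
        }
    ' | sort
}

# Constructed sample of "iptables -L ACCT -v -x -n" output for two hosts.
SAMPLE_COUNTERS='Chain ACCT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     120      98000 RETURN     all  --  eth0   *       0.0.0.0/0            192.168.1.1
      80      12000 RETURN     all  --  *      eth0    192.168.1.1          0.0.0.0/0
      10       1500 RETURN     all  --  eth0   *       0.0.0.0/0            192.168.1.2
       5        400 RETURN     all  --  *      eth0    192.168.1.2          0.0.0.0/0'

# Preview the rules for the first two hosts, then summarise the sample counters.
build_chain 1 2
printf '%s\n' "$SAMPLE_COUNTERS" | sum_counters
```

On a live router the summing step is `iptables -L ACCT -v -x -n | sum_counters`; the `-x` keeps the byte counts exact instead of abbreviated with K/M suffixes.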

----- Forwarded message from Norman Schmidt <Norman.Schmidt@chemie.stud.uni-erlangen.de> -----

I want to do the same with ipchains (2.2.19 kernel).

There is a Debian package (can't remember the name) which inserts more
ipchains rules into the ruleset. The packets go through these rules
unchanged, they're just counted. The problem is that with ipchains, I
would need quite a lot of rules to count for 256 connected hosts
individually, and in addition to that to count the volume that costs us
and the volume that doesn't cost (university-internally) separately.

The problem with using the iptables counters is quite the same.

net-acctd seems to count for each connection separately, not by host, so
you have to build sums yourself out of the logfiles. It doesn't have to
insert lots of additional ipchains rules, but, as you mentioned, might
count wrongly, especially under high load.
Is there better documentation for the naccttab syntax? I'm afraid it
is far too imprecise, and I can't try everything out.

Any other ideas or docs for net-acct?

Thanks, Norman.


kreso@usa.net wrote:
> 
> I suggest to check net-acctd before giving suggestions to use it 

-- 
Norman Schmidt             Universitaet Erlangen-Nuernberg
cand.chem.                 Sysadmin Wohnheimnetzwerk RatNET
mailto:schmidt@naa.net




