Re: Accounting on a firewall
On Wed, 21 Jul 2004 19:37:48 +0200 Raffaele D'Elia wrote:
> I run a debian stable firewall, and I need to account ip data that
> travels through it.
>
> I've looked at ipac-ng, but I think it doesn't work well with the
> FORWARD chain.
>
> How can I do accounting using iptables just like ipac-ng does on the
> FORWARD chain?
Would something like my homegrown solution be of any use as a starting
point?
http://vbc.dyndns.org/~carlos/share/index.html (the netaccount bit)
It uses the PREROUTING and POSTROUTING chains of the iptables mangle
table, thus catching all traffic (I hope :) going through the specified
network interface.
You could adapt the rules to the FORWARD chain (mangle table), for
your purposes.
# IPTABLES - Packet traversal of chains/tables:
#
#                    (network)
#                        v
#                 mangle PREROUTING
#                        |
#                  nat PREROUTING
#                      /   \
#                     /     \
#           mangle INPUT     \
#                |            |
#           filter INPUT      |
#                v            |
#         ,-----------.  mangle FORWARD
#         |   local   |       |
#         | processes |  filter FORWARD
#         `-----------'       |
#                v            |
#          mangle OUTPUT      |
#                |            |
#            nat OUTPUT       |
#                |            |
#          filter OUTPUT     /
#                   \       /
#                    \     /
#                 mangle POSTROUTING
#                        |
#                   nat POSTROUTING
#                        v
#                    (network)
A simple 'iptables -L' executed regularly enables you to keep a record
of the traffic, keeping in mind that a reboot will zero the counts.
HTH
--
Carlos Sousa
http://vbc.dyndns.org/
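The accounting scheme described in the reply above, adapted to the FORWARD chain of the mangle table as the original question asks, written out as an added example (this is not Carlos Sousa's netaccount script nor part of the original thread). Two practical points it covers: a bare 'iptables -L' does not print packet/byte counters (you need '-v -n -x', or better 'iptables-save -c', whose leading "[pkts:bytes]" field is easy to parse), and since counters live in the kernel they vanish on reboot, so they are periodically saved with 'iptables-save -c' and put back with 'iptables-restore -c'. The chain name ACCT, the state file path, the sample dump and the '-C' rule-check flag (absent from iptables of the 2004 era) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not code from the original post). Per-host byte accounting
# via a dedicated chain hooked from the mangle table's FORWARD chain, plus a
# parser for the counter dump produced by 'iptables-save -c'.
# Assumptions: chain name ACCT, LAN hosts passed as arguments, and an
# iptables new enough to support '-C' (rule check). Setup must run as root.
set -eu

ACCT_CHAIN=${ACCT_CHAIN:-ACCT}
IPT=${IPT:-iptables}
SAVE=${SAVE:-iptables-save}
STATE=${STATE:-/var/lib/netacct/mangle.rules}   # assumed path for saved counters

# Install accounting rules. A rule with no -j target never changes the verdict;
# it only bumps its packet/byte counters, so the filter table is unaffected.
acct_setup() {
    $IPT -t mangle -N "$ACCT_CHAIN" 2>/dev/null || $IPT -t mangle -F "$ACCT_CHAIN"
    $IPT -t mangle -C FORWARD -j "$ACCT_CHAIN" 2>/dev/null \
        || $IPT -t mangle -I FORWARD -j "$ACCT_CHAIN"
    for host in "$@"; do
        $IPT -t mangle -A "$ACCT_CHAIN" -s "$host"    # traffic leaving the host
        $IPT -t mangle -A "$ACCT_CHAIN" -d "$host"    # traffic reaching the host
    done
}

# Constructed sample of 'iptables-save -c -t mangle' output, used here so the
# parser can be exercised without root or a live firewall.
acct_sample() {
    cat <<'EOF'
# Generated by iptables-save (constructed sample, not a real dump)
*mangle
:PREROUTING ACCEPT [1000:200000]
:FORWARD ACCEPT [900:180000]
:ACCT - [0:0]
[0:0] -A FORWARD -j ACCT
[123:45678] -A ACCT -s 192.168.1.10/32
[456:789012] -A ACCT -d 192.168.1.10/32
[7:532] -A ACCT -s 192.168.1.11/32
[0:0] -A ACCT -d 192.168.1.11/32
COMMIT
EOF
}

# Read an iptables-save -c dump on stdin and print "host out=B in=B" per host.
# The leading "[pkts:bytes]" field is fixed-format, which makes this far more
# robust than scraping the column layout of 'iptables -L -v -n -x'.
acct_report() {
    awk -v chain="$ACCT_CHAIN" '
        $2 == "-A" && $3 == chain && ($4 == "-s" || $4 == "-d") {
            split(substr($1, 2, length($1) - 2), c, ":")   # c[1]=pkts c[2]=bytes
            host = $5; sub(/\/32$/, "", host)
            if ($4 == "-s") outb[host] += c[2]; else inb[host] += c[2]
            seen[host] = 1
        }
        END { for (h in seen) printf "%s out=%d in=%d\n", h, outb[h], inb[h] }
    ' | sort
}

# Counters live in the kernel and are lost on reboot: save them from cron,
# and restore them (rules and counters together) from a boot script.
acct_save()    { $SAVE -c -t mangle > "$STATE"; }
acct_restore() { iptables-restore -c < "$STATE"; }

case "${1:-}" in
    setup)   shift; acct_setup "$@" ;;
    report)  $SAVE -c -t mangle | acct_report ;;
    save)    acct_save ;;
    restore) acct_restore ;;
    demo)    acct_sample | acct_report ;;
esac
```

Run 'sh netacct.sh setup 192.168.1.10 192.168.1.11' once as root, 'sh netacct.sh report' whenever you want the current totals, and 'sh netacct.sh save' from cron so a reboot followed by 'sh netacct.sh restore' does not lose the history. Because the rules sit in mangle FORWARD rather than PREROUTING/POSTROUTING, they count only traffic routed through the box, not the firewall's own connections.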