
Re: iptables: reading counters



Marcin Owsiany wrote:
Hi!

I have an 'accept' chain, which looks like this:

 pkts bytes target     prot opt in     out     source               destination
  123  3444 ACCEPT     all  --  eth0   *       0.0.0.0/0            1.2.3.4/32
  456 23334 ACCEPT     all  --  eth0   *       0.0.0.0/0            1.2.3.5/32
  789 32345 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
[...]

This lets me collect packet and byte counts for different kinds of traffic. In
order to generate nice graphs, I need to read those counts from
'iptables -L -vn --exact' output.

However the uncomfortable part is finding out which counters are for which
traffic. Currently I use awk and match stuff to a parameter like this:

s == "foo-out"          && $7 == "eth2" && $8 == "eth1" && $9  == "192.168.254.2"  ||
s == "bar-out"          && $7 == "eth2" && $8 == "eth3" && $9  == "192.168.254.2"  ||
[...]
s == "other"                                            && $9  == "192.168.0.0/24" { print $3 " " $2 ; exit }

But this gets very complicated when I want to differentiate between port
numbers etc.

Therefore I would like to somehow attach a "label" (like "server-in" or
"lan-http" or "other") directly to iptables -L output. Then I would just have
to use the label in two places: the chain setup script, and the counter reading
script. Is there some way to do that? I don't want to use line numbers, since
they change too much and way too often (e.g. at the time any rule is removed).

regards,

Marcin


I may not understand what you're trying to do, and I'm no good with awk, but I'm pretty sure that the output of iptables -L -vn will be explicit if your iptables rule is explicit. i.e.

This rule . . .

$IPTABLES -A INPUT -i $EXT_IF -j ACCEPT

just shows up as

0 0 ACCEPT  all -- eth0  *  0.0.0.0/0  0.0.0.0/0


But this rule with a specific protocol and port specified . . .

$IPTABLES -A INPUT -i $EXT_IF -p tcp -s $ADMIN_IP -d $EXT_IP --dport 22:22 -j ACCEPT

Shows up with "tcp dpt:22" at the end, which allows you to identify it as ssh.

0 0 ACCEPT  tcp -- eth0 * 65.100.35.140 66.253.12.168 tcp dpt:22

Could you re-write your rules to be more specific and then use the protocol:port info to glean what type of traffic it is?
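As an added example that is not part of either message above: a small Python reader that takes the `iptables -L -vnx` output the original question parses with awk and returns counters keyed by label. Rules are classified the way the reply suggests, by the explicit interface, address, protocol and `dpt:` text on each line, with the criteria kept in one table rather than spread across positional awk field tests. It also picks up a label from iptables' comment match (`-m comment --comment "..."`), which the `-L -v` listing renders as `/* ... */` at the end of the rule line; that puts the label in exactly the two places the question wants (the chain setup script and the reader). The sample listing, the addresses and the label names are constructed for the example; the `-x` (`--exact`) flag is assumed so that the packet and byte columns are plain integers.

```python
import re

# Constructed sample of `iptables -L accept -vnx` output (not captured from a real host).
# The last rule carries a comment-match label; the third one is identified by its port.
SAMPLE = """\
Chain accept (3 references)
    pkts      bytes target     prot opt in     out     source               destination
     123       3444 ACCEPT     all  --  eth0   *       0.0.0.0/0            192.0.2.4/32
     456      23334 ACCEPT     all  --  eth0   *       0.0.0.0/0            192.0.2.5/32
      17       1292 ACCEPT     tcp  --  eth0   *       198.51.100.7         192.0.2.4            tcp dpt:22
     789      32345 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            /* lan-other */
"""

# Column order of `iptables -L -vn`; everything after the 9th column is match-specific text.
FIELDS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination")

# Hypothetical traffic classes: the single place where "which rule is which" is described.
LABELS = {
    "server-in": {"in": "eth0", "destination": "192.0.2.4/32"},
    "mail-in":   {"in": "eth0", "destination": "192.0.2.5/32"},
    "admin-ssh": {"in": "eth0", "prot": "tcp", "dport": 22},
}


def parse_rules(text):
    """Turn `iptables -L -vnx` output into a list of dicts, one per rule line."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        # The "Chain ..." line and the column header do not start with a counter.
        if len(parts) < 9 or not parts[0].isdigit():
            continue
        rule = dict(zip(FIELDS, parts[:9]))
        rule["pkts"] = int(rule["pkts"])    # exact integers only with -x / --exact
        rule["bytes"] = int(rule["bytes"])
        extra = " ".join(parts[9:])         # e.g. "tcp dpt:22" or "/* lan-other */"
        port = re.search(r"dpt:(\d+)", extra)
        rule["dport"] = int(port.group(1)) if port else None
        comment = re.search(r"/\*\s*(.*?)\s*\*/", extra)
        rule["comment"] = comment.group(1) if comment else None
        rules.append(rule)
    return rules


def label_for(rule):
    """A comment-match label wins; otherwise the first LABELS entry whose criteria all match."""
    if rule["comment"]:
        return rule["comment"]
    for label, spec in LABELS.items():
        if all(rule.get(key) == value for key, value in spec.items()):
            return label
    return None


def counters_by_label(text):
    """Return {label: (pkts, bytes)}, summing rules that map to the same label."""
    totals = {}
    for rule in parse_rules(text):
        label = label_for(rule)
        if label is None:
            continue  # unlabeled rules are simply not graphed
        pkts, nbytes = totals.get(label, (0, 0))
        totals[label] = (pkts + rule["pkts"], nbytes + rule["bytes"])
    return totals


if __name__ == "__main__":
    for label, (pkts, nbytes) in counters_by_label(SAMPLE).items():
        print(f"{label:<12} {pkts:>8} {nbytes:>10}")
```

The `LABELS` table is matched on parsed fields, so adding a port or protocol distinction is one more dictionary key rather than another `$N == ...` chain, and a rule that moves within the chain keeps its label since nothing depends on its position. Label matching is ordered, so put the more specific entries first when two could match the same line.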