
Re: iptables: reading counters



--- Nathan Barham <nathan@sleepygeek.com> wrote:

> Marcin Owsiany wrote:
> > Hi!
> > 
> > I have an 'accept' chain, which looks like this:
> > 
> >  pkts bytes target     prot opt in     out     source               destination
> >   123  3444 ACCEPT     all  --  eth0   *       0.0.0.0/0            1.2.3.4/32
> >   456 23334 ACCEPT     all  --  eth0   *       0.0.0.0/0            1.2.3.5/32
> >   789 32345 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
> > [...]
> > 
> > This lets me collect packet and byte counts for different kinds of traffic. In
> > order to generate nice graphs, I need to read those counts from
> > 'iptables -L -vn --exact' output.
> > 
> > However the uncomfortable part is finding out which counters are for which
> > traffic. Currently I use awk and match stuff to a parameter like this:
> > 
> > s == "foo-out"          && $7 == "eth2" && $8 == "eth1" && $9  == "192.168.254.2"  ||
> > s == "bar-out"          && $7 == "eth2" && $8 == "eth3" && $9  == "192.168.254.2"  ||
> > [...]
> > s == "other"                                            && $9  == "192.168.0.0/24" { print $3 " " $2 ; exit }
> > 
> > But this gets very complicated when I want to differentiate between port
> > numbers etc.
> > 
> > Therefore I would like to somehow attach a "label" (like "server-in" or
> > "lan-http" or "other") directly to iptables -L output. Then I would just have
See '-n' in most any man page (including iptables).  Then use DNS or
hosts/networks/services for your host/net/port name resolving.

> > to use the label in two places: the chain setup script, and the counter reading
> > script. Is there some way to do that? I don't want to use line numbers, since
> > they change too much and way too often (e.g. at the time any rule is removed).
> > 
> > regards,
> > 
> > Marcin
> 
> 
> I may not understand what you're trying to do, and I'm no good with awk,
> but I'm pretty sure that the output of iptables -L -vn will be explicit
> if your iptables rule is explicit.  i.e.
> 
> This rule . . .
> 
> $IPTABLES -A INPUT -i $EXT_IF -j ACCEPT
> 
> just shows up as
> 
> 0 0 ACCEPT  all -- eth0  *  0.0.0.0/0  0.0.0.0/0
> 
> 
> But this rule with a specific protocol and port specified . . .
> 
> $IPTABLES -A INPUT -i $EXT_IF -p tcp -s $ADMIN_IP -d $EXT_IP --dport 22:22 -j ACCEPT
> 
> Shows up with "tcp dpt:22" at the end, which allows you to identify it as
> ssh.
> 
> 0 0 ACCEPT  tcp -- eth0 * 65.100.35.140 66.253.12.168 tcp dpt:22
> 
> Could you re-write your rules to be more specific and then use the 
> protocol:port info to glean what type of traffic it is?
> 

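The approach both posters converge on, a rule identified by what it matches rather than by its line number, can be automated instead of hand-maintained in awk. The following Python is an added example written for this thread, not code posted by either author: it parses `iptables -L -vn --exact` output (the sample chain below is constructed, with a fabricated `tcp dpt:80` rule added to show the trailing match text) and looks counters up through a label table whose keys are the rule's own match fields. Chain name, label names and addresses are illustrative assumptions.

```python
"""Read iptables counters by rule content instead of rule position.

Added example (not from the debian-firewall thread): parses the text that
`iptables -L -vn --exact` prints and maps a human label to a rule by its
in/out interface, protocol, source, destination and trailing match text, so
inserting or deleting rules above it does not shift the label.
"""
import re

# Constructed sample of `iptables -L -vn --exact` output for one chain.
SAMPLE = """\
Chain accept (3 references)
    pkts      bytes target     prot opt in     out     source               destination
     123       3444 ACCEPT     all  --  eth0   *       0.0.0.0/0            1.2.3.4/32
     456      23334 ACCEPT     all  --  eth0   *       0.0.0.0/0            1.2.3.5/32
     789      32345 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
      12        960 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
"""

# Label table (assumed names): each entry restates the rule's match fields.
# The "extra" field is whatever iptables prints after the destination column,
# e.g. "tcp dpt:80"; empty for rules with no further matches.
LABELS = {
    "server-in": dict(in_="eth0", out="*", prot="all", src="0.0.0.0/0", dst="1.2.3.4/32", extra=""),
    "mail-in":   dict(in_="eth0", out="*", prot="all", src="0.0.0.0/0", dst="1.2.3.5/32", extra=""),
    "lan-http":  dict(in_="eth1", out="*", prot="tcp", src="0.0.0.0/0", dst="0.0.0.0/0", extra="tcp dpt:80"),
    "other":     dict(in_="eth1", out="*", prot="all", src="0.0.0.0/0", dst="0.0.0.0/0", extra=""),
}


def parse_chain(text, chain):
    """Return a list of rule dicts for `chain`, with pkts/bytes as integers."""
    rules = []
    current = None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) ", line)
        if m:
            current = m.group(1)  # "Chain NAME (policy ...)" or "(N references)"
            continue
        if current != chain or not line.strip() or line.lstrip().startswith("pkts"):
            continue  # other chain, blank line, or the column header
        # Nine fixed columns; everything after the destination is match text.
        fields = line.split(None, 9)
        if len(fields) < 9:
            continue
        pkts, bytes_, target, prot, opt, in_, out, src, dst = fields[:9]
        extra = fields[9].strip() if len(fields) == 10 else ""
        rules.append(dict(pkts=int(pkts), bytes=int(bytes_), target=target,
                          prot=prot, opt=opt, in_=in_, out=out, src=src,
                          dst=dst, extra=extra))
    return rules


def counters(text, chain, label, labels=LABELS):
    """Return (pkts, bytes) of the first rule in `chain` matching `label`'s spec."""
    spec = labels[label]
    for rule in parse_chain(text, chain):
        if all(rule[key] == value for key, value in spec.items()):
            return rule["pkts"], rule["bytes"]
    raise KeyError(f"no rule in chain {chain!r} matches label {label!r}")


if __name__ == "__main__":
    # In real use: text = subprocess.run(["iptables", "-L", "accept", "-vn", "--exact"],
    #                                    capture_output=True, text=True).stdout
    for name in LABELS:
        pkts, nbytes = counters(SAMPLE, "accept", name)
        print(f"{name:10s} {pkts:>8d} {nbytes:>10d}")
```

Keeping `LABELS` in one file that both the chain setup script and the counter reader import gives the single place to define a label that the original question asks for. If the iptables build in use has the comment match module, `-m comment --comment "lan-http"` makes iptables print `/* lan-http */` in the trailing match text of that rule, so the table can be reduced to matching on `extra` alone.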