Re: iptables: reading counters
--- Nathan Barham <nathan@sleepygeek.com> wrote:
> Marcin Owsiany wrote:
> > Hi!
> >
> > I have an 'accept' chain, which looks like this:
> >
> > pkts bytes target prot opt in out source destination
> > 123 3444 ACCEPT all -- eth0 * 0.0.0.0/0 1.2.3.4/32
> > 456 23334 ACCEPT all -- eth0 * 0.0.0.0/0 1.2.3.5/32
> > 789 32345 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
> > [...]
> >
> > This lets me collect packet and byte counts for different kinds of traffic. In
> > order to generate nice graphs, I need to read those counts from
> > 'iptables -L -vn --exact' output.
> >
> > However the uncomfortable part is finding out which counters are for which
> > traffic. Currently I use awk and match stuff to a parameter like this:
> >
> > s == "foo-out" && $7 == "eth2" && $8 == "eth1" && $9 == "192.168.254.2" ||
> > s == "bar-out" && $7 == "eth2" && $8 == "eth3" && $9 == "192.168.254.2" ||
> > [...]
> > s == "other" && $9 == "192.168.0.0/24" { print $3 " " $2 ; exit }
> >
> > But this gets very complicated when I want to differentiate between port
> > numbers etc.
> >
> > Therefore I would like to somehow attach a "label" (like "server-in" or
> > "lan-http" or "other") directly to iptables -L output. Then I would just have
> > to use the label in two places: the chain setup script, and the counter reading
> > script. Is there some way to do that? I don't want to use line numbers, since
> > they change too much and way too often (e.g. at the time any rule is removed).
>
See '-n' in most any man page (including iptables). Then use DNS or
hosts/networks/services for your host/net/port name resolving.
> >
> > regards,
> >
> > Marcin
>
>
> I may not understand what you're trying to do, and I'm no good with awk,
> but I'm pretty sure that the output of iptables -L -vn will be explicit
> if your iptables rule is explicit. i.e.
>
> This rule . . .
>
> $IPTABLES -A INPUT -i $EXT_IF -j ACCEPT
>
> just shows up as
>
> 0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
>
>
> But this rule with a specific protocol and port specified . . .
>
> $IPTABLES -A INPUT -i $EXT_IF -p tcp -s $ADMIN_IP -d $EXT_IP --dport 22:22 -j ACCEPT
>
> shows up with "tcp dpt:22" at the end, which allows you to identify it as
> ssh.
>
> 0 0 ACCEPT tcp -- eth0 * 65.100.35.140 66.253.12.168 tcp dpt:22
>
> Could you re-write your rules to be more specific and then use the
> protocol:port info to glean what type of traffic it is?
>
> --
> To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
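As an added example (not code from anyone in the thread), here is a small parser for `iptables -L -vnx` output that attaches labels to counter rows by matching rule attributes (interface, address, protocol, port), the approach Nathan suggests, rather than by line number. The sample output, the counter values and the label table are constructed for illustration; the `/* bar-out */` text on one row assumes that rule was built with iptables' comment match (`-m comment --comment "bar-out"`), which `iptables -L` prints in that form and which the thread does not discuss. The parser expects numeric output (`-n`) and exact counters (`-x`), so its keys do not depend on resolver state and the counts are not rounded to K/M.

```python
import re

# Constructed sample of `iptables -L accept -vnx` output, modelled on the
# chain in the thread; the numbers and the /* bar-out */ comment are made up.
SAMPLE_OUTPUT = """\
Chain accept (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     123       3444 ACCEPT     all  --  eth0   *       0.0.0.0/0            1.2.3.4/32
     456      23334 ACCEPT     all  --  eth0   *       0.0.0.0/0            1.2.3.5/32
     789      32345 ACCEPT     tcp  --  eth2   eth1    0.0.0.0/0            192.168.254.2        tcp dpt:80
      12        960 ACCEPT     tcp  --  eth2   eth3    0.0.0.0/0            192.168.254.2        tcp dpt:80 /* bar-out */
       7        420 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
"""

# Hypothetical label table: each label lists the rule attributes that must
# all match. Keys are the parsed field names below; "dpt" is the destination port.
LABELS = {
    "server-in": {"in": "eth0", "dst": "1.2.3.4"},
    "foo-out": {"in": "eth2", "out": "eth1", "dst": "192.168.254.2", "dpt": "80"},
    "other": {"in": "eth1", "dst": "0.0.0.0/0"},
}

_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}


def parse_count(token):
    """Counters are plain integers with --exact/-x; without it iptables
    prints rounded values such as 23K, so scale the suffix and treat the
    result as approximate."""
    if token[-1] in _SUFFIX:
        return int(token[:-1]) * _SUFFIX[token[-1]]
    return int(token)


def parse_rules(output):
    """Turn `iptables -L -vnx` text into one dict per rule row."""
    rules = []
    for line in output.splitlines():
        fields = line.split()
        # Skip the chain header, the column header and blank lines.
        if len(fields) < 9 or not fields[0][0].isdigit():
            continue
        extra = " ".join(fields[9:])  # e.g. "tcp dpt:80 /* bar-out */"
        port = re.search(r"dpts?:(\S+)", extra)
        comment = re.search(r"/\* (.*?) \*/", extra)
        rules.append({
            "pkts": parse_count(fields[0]),
            "bytes": parse_count(fields[1]),
            "target": fields[2],
            "proto": fields[3],
            "in": fields[5],
            "out": fields[6],
            # Older versions print a single host as 1.2.3.4/32; normalise it.
            "src": fields[7].removesuffix("/32"),
            "dst": fields[8].removesuffix("/32"),
            "dpt": port.group(1) if port else None,
            "comment": comment.group(1) if comment else None,
        })
    return rules


def label_for(rule, labels):
    """A comment carried by the rule wins; otherwise the first label whose
    attributes all match. Returns None for an unlabelled row."""
    if rule["comment"]:
        return rule["comment"]
    for name, wanted in labels.items():
        if all(rule.get(key) == value for key, value in wanted.items()):
            return name
    return None


def read_counters(output, labels=LABELS):
    """Map each label to (packets, bytes), summing rows that share a label."""
    totals = {}
    for rule in parse_rules(output):
        name = label_for(rule, labels)
        if name is None:
            continue
        pkts, byts = totals.get(name, (0, 0))
        totals[name] = (pkts + rule["pkts"], byts + rule["bytes"])
    return totals


if __name__ == "__main__":
    for name, (pkts, byts) in read_counters(SAMPLE_OUTPUT).items():
        print(f"{name:10} {pkts:>8} {byts:>10}")
```

Unlike the awk fragment, which stops at the first matching row, this sums every row that maps to the same label, so splitting one kind of traffic across several rules (for example one per port) does not change the graph; a row that matches no label is dropped rather than silently counted under the wrong name.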