Re: strange upd traffic (ipchains newbie)
Thomas,
Create a rule for each possible source address, i.e.:
    for i in 127.0.0.1 192.168.1.1 192.168.1.2 192.168.1.3; do
        ipchains -A input -s $i
    done
That will set up counters for traffic coming from 127.0.0.1, 192.168.1.1,
192.168.1.2, and 192.168.1.3, all with their own counters. Alternatively,
you could do this:
    ipchains -N incoming
    ipchains -A incoming
    for i in 127.0.0.1 192.168.1.1 192.168.1.2 192.168.1.3; do
        ipchains -A input -s $i -j incoming
    done
Notice the ipchains -A incoming line; that creates a no-op rule whose sole
purpose is for the counters attached to each rule. It would match _all_
packets, but not alter them in any way -- just count them. In addition,
the rules for each host (with `-j incoming' on the end) would also have
their own, separate counters. This entire rule set does nothing to
incoming packets other than to count them.
Regards,
Alex.
---
PGP/GPG Fingerprint:
EFD1 AC6C 7ED5 E453 C367 AC7A B474 16E0 758D 7ED9
On Fri, 14 Jul 2000, Thomas Guettler wrote:
>
> Thanks, Leen, Alexander and Tim for your answers.
>
> I found the solution. I produced the traffic myself.
> I did "ipchains -v -L" every second in a script to see what happens
> on my network. I am interested in the amount of traffic at the moment.
> But ipchains itself displays IP addresses with names, not numbers,
> so I had several DNS queries every second!
> Now I do "watch -n 1 -d 'echo started at: $DATE_START; ipchains -vn -L'"
> (-n!) and it works fine.
>
> Alexander, you said I shouldn't use "-j ACCEPT", but I want
> to split the traffic in three categories:
> from 127.*, from company addresses, and from the rest.
> Unfortunately you can't use boolean operators in "-s / -d".
> "-s (127.0.0.0/8 | 192.168.0.0/16)" would be cool.
> Is there a way of doing this?
>
> That's why I use "-j rule" at the moment. I want to change
> ACCEPT to my_rule someday if I have time to.
>
> # count access from localhost
> ipchains -A input -s 127.0.0.0/8 -i lo -j ACCEPT
> # count access from gurkensalat (localhost)
> ipchains -A input -s gurkensalat -j ACCEPT
> # count access from internal network
> ipchains -A input -s 193.101.57.0/24 -j ACCEPT
> # count access from rest (internet)
> ipchains -A input -j ACCEPT
>
>
>
> --
> Thomas Guettler
> Office:
> <guettli@interface-business.de> http://www.interface-business.de
> Private:
> <guettli@gmx.de> http://yj.org/guettli
>
>
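The counting-chain approach from the reply, applied to the three categories asked about in the quoted message, as an added example that is not part of the original thread. The chain names (classify, c_local, c_corp, c_rest) are made up for illustration; the addresses are the ones mentioned in the thread. By default the script only prints the ipchains commands.

```shell
#!/bin/sh
# Added example: print the ipchains commands for per-category counters.
# Chain names are made up for this example; addresses come from the thread.
# Default is a dry run; set IPCHAINS=ipchains in the environment to apply.
IPCHAINS="${IPCHAINS:-echo ipchains}"

# emit_category CHAIN SRC...
# CHAIN holds one target-less rule whose counter is the category total.
# Each SRC jumps to CHAIN (several SRCs act as a logical OR), then
# RETURNs from "classify" so the packet is not counted as "rest" too.
emit_category() {
    chain=$1; shift
    # ipchains limits chain labels to 8 characters
    [ "${#chain}" -le 8 ] || { echo "chain name too long: $chain" >&2; return 1; }
    $IPCHAINS -N "$chain"
    $IPCHAINS -A "$chain"
    for src in "$@"; do
        $IPCHAINS -A classify -s "$src" -j "$chain"
        $IPCHAINS -A classify -s "$src" -j RETURN
    done
}

emit_ruleset() {
    $IPCHAINS -N classify
    emit_category c_local 127.0.0.0/8
    emit_category c_corp  193.101.57.0/24 192.168.0.0/16
    # Whatever was not returned above is "rest"
    $IPCHAINS -N c_rest
    $IPCHAINS -A c_rest
    $IPCHAINS -A classify -j c_rest
    # Hook the classifier in ahead of any rule that ends traversal
    $IPCHAINS -I input 1 -j classify
}

emit_ruleset
```

Each category total can then be read with "ipchains -vn -L" on its chain; no rule here sets a verdict, so packets continue through the rest of the input chain unchanged.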