
Re: IP accounting per user

also sprach Matthias Juchem <matthias@euklid.math.uni-mannheim.de> [2002.01.06.1914 +0100]:
> Does Debian (potato or woody) have tools to account IP traffic per user?

iptables, as others have suggested.

AFAIK, the recommended method of doing this is to create a chain for
every user or group of users that you intend to account for separately,
then simply pass the packets through this chain with the appropriate
filter on the UID, and then use iptables' counting method to obtain
usable values.

i totally *need* to implement this sometime very soon. in fact, given
a server that hosts web, mail, and ssh shell accounts for users, i need
to keep track of traffic on a user level...

postfix does a moderately good job on keeping size data for received and
sent emails, but with aliases, it's almost impossible to associate every
email with a user. but this has to be done globally, or else users could

apache is not a problem as long as the logfiles cannot be tampered with.
webalizer, for instance, can give total traffic per configured domain.

POP3/IMAP as well as shell stuff will be logged by iptables, that's the
cleanest approach.

heck, how can all this be automated and logged on something like a four
times a day basis???

and you should also consider the overhead. if you are really billed for
traffic, then consider that a TCP packet has at least 44 bytes in
addition to the gross data, while each UDP packet adds at least 28 bytes
to the payload. moreover, postfix doesn't include the SMTP dialog and
apache's logs don't include the HTTP Request

since you can only really account for this at the
router, and i, for one, can't do that, my strategy will most likely be
to multiply the final total traffic by a factor.

you can stuff 1500 bytes into one packet on ethernet. over the past 20
days, the average of my users has been about 700 bytes/packet, so the
overhead is around 6%, which i'll just add to the top. it's not exact,
but it'll do.

are there better suggestions that work without separate IP addresses?

martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
it has been said that there are only two businesses
that refer to customers as users:
illegal drug trade and the computer industry.
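
The per-user chain approach described in the message above, as an added example that is not part of the original post: it prints the iptables commands for one accounting chain per account and parses the resulting counter listing. The account names (alice, bob), the `acct_` chain prefix and the sample listing are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Account names (alice, bob) and
# the acct_ chain prefix are hypothetical.

# Print the iptables commands for one accounting chain per account.
# Nothing is executed, so the output can be reviewed and then run as root.
# The owner match only sees locally generated packets, hence OUTPUT.
acct_rules() {
    for u in "$@"; do
        # Refuse names that could alter the generated command line.
        case $u in
            ''|*[!a-z0-9_]*)
                echo "skipping invalid account name: $u" >&2
                continue ;;
        esac
        echo "iptables -N acct_$u"
        echo "iptables -A OUTPUT -m owner --uid-owner $u -j acct_$u"
    done
}

# Read `iptables -L OUTPUT -v -x -n` output on stdin and print, per account:
# name, packets, bytes, average bytes per packet.
acct_report() {
    awk '$3 ~ /^acct_/ {
        sub(/^acct_/, "", $3)
        avg = ($1 > 0) ? int($2 / $1) : 0
        print $3, $1, $2, avg
    }'
}

# Constructed sample of the listing, so the parser runs without root.
sample_counters() {
    cat <<'EOF'
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target      prot opt in     out     source       destination
     120      84000 acct_alice  all  --  *      *       0.0.0.0/0    0.0.0.0/0    owner UID match 1000
      30       4500 acct_bob    all  --  *      *       0.0.0.0/0    0.0.0.0/0    owner UID match 1001
EOF
}

# For collection four times a day, a cron job every six hours can run
#   iptables -L OUTPUT -v -x -n -Z | acct_report >> <logfile>
# where -Z resets the counters right after they are listed.
acct_rules alice bob
sample_counters | acct_report
```

Because the owner match applies only to packets generated on the host, these counters cover outbound traffic of local processes; inbound bytes are not attributed to a UID this way.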
