Re: IP accounting per user

(I have started a thread on this on debian-isp, btw.)

Thus spoke Matthias Juchem <lists@konfido.de> [2002.01.07.0244 +0100]:
> There is one problem with this: the module that matches user IDs
> can only be used in the OUTPUT chain (as stated in the netfilter how-to).

Oh man, this sucks!

> The big problem is the ssh shell accounts. The user can start almost any
> program that listens on a socket. You wouldn't have log files from this
> program, and you can only account the outgoing traffic with iptables.

But the process runs as the user. There have got to be kernel patches...

> > Since you can only really account for this at the router, and I, for
> > one, can't do that, my strategy will most likely be to multiply the
> > final total traffic by a factor.
> There is a tool set, including a Linux kernel patch: UserIPacct
> (http://ramses.smeyers.be/homepage/useripacct/). But I do not know how
> stable it is. Besides, the last patch is for 2.4.6 and I need a more
> up-to-date 2.4 kernel.

Yeah, that looks nice, but who'd run 2.4.6 these days???
Dammit, I don't really want to patch 2.2.20 or 2.4.17 myself.

> > You can stuff 1500 bytes into one packet on Ethernet. Over the past 20
> > days, the average of my users has been about 700 bytes/packet, so the
> > overhead is around 6%, which I'll just add to the top. It's not exact,
> > but it'll do.
> Is there a way to count incoming and outgoing packets per user?

Not that I know of. That would be easy ;)

I think there may be no way around subscribing to more IPs and then
setting each user up in a chroot jail with their own little network
interface (alias).

martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
never underestimate the power of human stupidity.
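The owner-match accounting the thread discusses, as an added example that is not part of the original mail or the tools it mentions: one counting rule per UID in a chain hung off OUTPUT (the only chain where `-m owner` works, so this sees outbound, locally generated traffic only), a reader that turns `iptables -vnx -L` counters into per-user byte totals, and the "pad it by a factor" estimate for what the match cannot see. The chain name `useracct`, the UIDs 1001-1003, the 6% figure in the demo and the counter dump in `SAMPLE_DUMP` are constructed for illustration; the `iptables -C` rule check needs iptables 1.4.11 or later.

```shell
#!/bin/sh
# Added example, not code from the original thread. Per-user outbound byte
# accounting with the iptables owner match (OUTPUT chain only) plus a
# percentage padding for the traffic that match cannot count. The chain
# name "useracct", the UIDs and SAMPLE_DUMP below are constructed.

# Print (do not run) the commands that hang a counting chain off OUTPUT with
# one rule per UID. The rules have no -j target, so they only count; packets
# return to OUTPUT and hit whatever policy follows. Needs root to apply.
acct_rules() {
    echo "iptables -N useracct 2>/dev/null"
    echo "iptables -C OUTPUT -j useracct 2>/dev/null || iptables -I OUTPUT -j useracct"
    for uid in "$@"; do
        echo "iptables -A useracct -m owner --uid-owner $uid"
    done
}

# Read the output of `iptables -vnx -L useracct` on stdin (-x prints exact
# byte counts instead of "84K") and print one line per UID:
#   uid packets bytes avg_bytes_per_packet charged_bytes
# charged_bytes is bytes padded by PCT percent, the thread's stand-in for
# the traffic an OUTPUT-only match never sees. Rules that matched nothing
# still appear with 0/0 counters, so every configured user is listed.
account_users() {
    pct="${1:-0}"
    awk -v pct="$pct" '
        tolower($0) ~ /owner uid match/ {
            uid = $NF                      # last field is the UID
            pkts[uid]  += $1               # column 1: packets
            bytes[uid] += $2               # column 2: bytes
        }
        END {
            for (uid in pkts) {
                avg = pkts[uid] ? int(bytes[uid] / pkts[uid] + 0.5) : 0
                charged = int(bytes[uid] * (100 + pct) / 100 + 0.5)
                printf "%s %d %d %d %d\n", uid, pkts[uid], bytes[uid], avg, charged
            }
        }' | sort -n
}

# Constructed sample of `iptables -vnx -L useracct` output (not captured
# from a real host). UID 1001 averages 700 bytes/packet, the figure quoted
# in the thread; UID 1003 has sent nothing yet.
SAMPLE_DUMP='Chain useracct (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     120      84000            all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1001
      40      10000            all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1002
       0          0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1003'

# Demo: show the rules for three users, then account the sample with the
# 6% padding mentioned in the thread.
acct_rules 1001 1002 1003
printf '%s\n' "$SAMPLE_DUMP" | account_users 6
```

Two operational notes: the counters live only in the kernel, so read them on a cron schedule and zero them with `iptables -Z useracct` once they have been recorded, or they vanish at the next reboot or `iptables -F`; and because `-m owner` attributes packets by the socket's owning UID, a daemon a shell user starts is charged for what it sends, but replies it receives still arrive via INPUT and remain invisible, which is exactly the gap the padding factor papers over.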
