(i have started a thread on this on debian-isp btw.)

thus spoke Matthias Juchem <lists@konfido.de> [2002.01.07.0244 +0100]:
> There is one problem with this: the module that matches user IDs
> can only be used in the OUTPUT chain (as said in the netfilter how-to).

oh man, this sucks!

> The big problem is the ssh shell accounts. The user can start almost any
> program that listens on a socket. You wouldn't have log files from this
> program and you can only account the outgoing traffic with iptables.

but the process runs as the user. there's got to be kernel patches...

> > since you can only really account for this at the router, and i, for
> > one, can't do that, my strategy will most likely be to multiply the
> > final total traffic by a factor.
>
> There is a tool set, including a Linux kernel patch: UserIPacct
> (http://ramses.smeyers.be/homepage/useripacct/). But I do not know how
> stable it is. Besides, the last patch is for 2.4.6 and I need a more
> up-to-date 2.4 kernel.

yeah, that looks nice, but who'd run a 2.4.6 these days??? dammit, i
don't really want to patch 2.2.20 or 2.4.17 myself

> > you can stuff 1500 bytes into one packet on ethernet. over the past 20
> > days, the average of my users has been about 700 bytes/packet, so the
> > overhead is around 6%, which i'll just add to the top. it's not exact,
> > but it'll do.
>
> Is there a way to count incoming and outgoing packets per user?

not that i know of. that would be easy ;)

i think there may not be a way around subscribing to more IPs and then
setting each user up in a chroot jail with their own little network
interface (alias).

--
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

never underestimate the power of human stupidity.
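The OUTPUT-chain-only per-user accounting and the "scale the total for framing overhead" workaround discussed in this thread, as an added shell example that is not code from the thread or its participants. It assumes an iptables with the `owner` match (legacy `-L -v -n -x` output format), a per-packet link-layer overhead of 38 bytes (an assumed value, the thread used a flat 6%), and the counter listing it parses is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Per-user *outbound* accounting with the
# iptables owner match, which (as noted above) only works in the OUTPUT chain,
# plus the thread's workaround of scaling the byte count for framing overhead.

# Assumed per-packet link-layer overhead in bytes (ethernet header + FCS +
# preamble + inter-frame gap); adjust to taste, the thread used a flat 6%.
FRAME_OVERHEAD=38

# Create one counting rule per UID in a dedicated chain. Needs root; it is
# not called here. RETURN only counts the packet and lets it continue.
setup_rules() {
    iptables -N ACCT_USERS 2>/dev/null
    iptables -C OUTPUT -j ACCT_USERS 2>/dev/null || iptables -I OUTPUT -j ACCT_USERS
    for uid in "$@"; do
        iptables -A ACCT_USERS -m owner --uid-owner "$uid" -j RETURN
    done
}

# Read "iptables -L ACCT_USERS -v -n -x" from stdin and print "uid pkts bytes"
# per rule. -x keeps counters exact instead of rounded to K/M.
parse_counters() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i == "UID" && $(i + 1) == "match") print $(i + 2), $1, $2 }'
}

# Outbound bytes plus an estimate of the framing the counters never see.
with_overhead() {   # usage: with_overhead PKTS BYTES
    echo $(( $2 + $1 * FRAME_OVERHEAD ))
}

# Constructed sample listing in the legacy iptables output format (assumed).
SAMPLE='Chain ACCT_USERS (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     123      86100 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1001
      40       6000 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1002'

# Report one line per user: uid, raw bytes, bytes with framing estimate.
report() {  # usage: report < listing
    parse_counters | while read -r uid pkts bytes; do
        echo "$uid $bytes $(with_overhead "$pkts" "$bytes")"
    done
}

# Live use (as root): setup_rules 1001 1002; iptables -L ACCT_USERS -v -n -x | report
# Offline demo on the constructed sample:
printf '%s\n' "$SAMPLE" | report
```

Incoming traffic still cannot be attributed this way; the counters only see what the user's own processes send.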