* thanks Antony ... and one more thing ...
From: Danila Octavian @ 2004-04-09  7:34 UTC (permalink / raw)
  To: netfilter


Hi,

Thank you very much for your help (I bet you are already bored :-) )...

 ... and the other thing ... in fact I want to log together every destination my computer 192.168.13.222 goes to (except intip, extip, localnet) AND the byte count...

ex.: I want to be able to get a report like: 192.168.13.222 transferred xxxxxxxxxx bytes in 24h time and separately something like a list of destinations with how much is transferred to or from that particular destination.
 I know that will generate a lot of logs ... but I have a huge hard disk :-)

also I know that request of mine seems exaggerated ... but I wonder if it is possible using only IPTABLES ...

Thanks again and sorry for bothering you ...

Regards,
Octavian DANILA



* Re: thanks Antony ... and one more thing ...
From: Antony Stone @ 2004-04-09  8:28 UTC (permalink / raw)
  To: netfilter

On Friday 09 April 2004 8:34 am, Danila Octavian wrote:

> Hi,

Good morning.

> Thank you very much for your help (I bet you are already bored :-) )...

Bored?   No, I subscribed to the netfilter mailing list to stop me getting 
bored :)

>  ... and the other thing ... in fact I want to log together every
> destination my computer 192.168.13.222 goes to (except intip, extip, localnet)
> AND the byte count...
>
> ex.: I want to be able to get a report like: 192.168.13.222 transferred
> xxxxxxxxxx bytes in 24h time and separately something like a list of
> destinations with how much is transferred to or from that particular
> destination. I know that will generate a lot of logs ... but I have a huge
> hard disk :-)
>
> also I know that request of mine seems exaggerated ... but I wonder if it is
> possible using only IPTABLES ...

No, not using netfilter (unless you wanted to create a rule for each possible 
destination, just in case some packets got sent there (but then you'd want to 
know what protocol was used, too, so you'd need even more rules....)).

I suggest you investigate something like iptraf, netwatch or snort.

Regards,

Antony.

-- 
One good tern deserves another.

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: thanks Antony ... and one more thing ...
From: Danila Octavian @ 2004-04-09  8:52 UTC (permalink / raw)
  To: netfilter


> No, not using netfilter (unless you wanted to create a rule for each
> possible destination, just in case some packets got sent there (but then
> you'd want to know what protocol was used, too, so you'd need even more
> rules....)).
>
> I suggest you investigate something like iptraf, netwatch or snort.
>
> Regards,
>
> Antony.
>

 I have something like 30 clients ... in my LAN.
 My boss is somehow paranoid and needs "total control" of every bit.
 I was thinking of something like  -A OUTPUT -d !extip !intip !localnet -j
LOG and then parse logs and generate reports with some script.
but the problem: I am not sure if adding three lines of -j LOG for every
destination that I ignore (extip, intip and localnet) is a good thing.
what will happen with the packet after the first line?

thanks in advance,
Octavian DANILA





* Re: thanks Antony ... and one more thing ...
From: Antony Stone @ 2004-04-09  9:13 UTC (permalink / raw)
  To: netfilter

On Friday 09 April 2004 9:52 am, Danila Octavian wrote:

> > I suggest you investigate something like iptraf, netwatch or snort.
>
>  I have something like 30 clients ... in my LAN.
>  My boss is somehow paranoid and needs "total control" of every bit.

I hope you are in a jurisdiction where this kind of traffic monitoring is 
legal :)

> I was thinking of something like  -A OUTPUT -d !extip !intip !localnet -j
> LOG

OUTPUT???   No - that's only for packets leaving the machine itself (unless 
you're talking about putting this rule onto each client machine?   But I 
don't think so...)   POSTROUTING mangle is the best place, as I said before, 
because the only other choices I can think of are:

1. PREROUTING mangle - catches (all) the packets on the way in, but will count 
those which get blocked by rules in your FORWARD chain as well

2. PRE or POSTROUTING nat - will not see much of the traffic because of the 
automatic connection-tracking based stuff which goes on in the background

3. FORWARD - assuming you use ESTABLISHED,RELATED (and I recommend that you 
do), again you will not see much of the traffic in any LOGging rules you put 
after this

Previously I suggested a rule with no target, just to count the bytes.

If you add a LOG target, you will LOG every packet (and you can calculate the 
number of bytes in it from the LENgth field of the log entry - just subtract 
the size of the headers).

> and then parse logs and generate reports with some script.

Sure - that would work.

> but the problem: I am not sure if adding three lines of -j LOG for every
> destination that I ignore (extip, intip and localnet) is a good thing.

Three lines?   Why three?   I think just one will do the job.   It's your 
script which analyses the logs afterwards which has to pick out source, 
destination, port, length, and turn it all into something your boss can fall 
asleep to (but then that's what Perl was invented for...)

> what will happen with the packet after the first line?

I don't understand this bit of your question.

I'm suggesting you simply change the rule I posted previously, and add a LOG 
target to it:

iptables -A POSTROUTING -t mangle -s 192.168.13.222 -j LOG

If you want to log more than one machine as the source address, just make the 
source match a little wider:

iptables -A POSTROUTING -t mangle -s 192.168.13.0/24 -j LOG

(Okay, so this will catch packets from your firewall itself as well, but those 
can get parsed out by your script afterwards).

I still think snort would tell you a whole lot more interesting information, 
though :)

Regards,

Antony.

-- 
The truth is rarely pure, and never simple.

 - Oscar Wilde

                                                     Please reply to the list;
                                                           please don't CC me.
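The report script Antony describes (pick source, destination, protocol and LEN out of the LOG entries, drop the ignored destinations, and total the bytes), written here in Python rather than Perl as an added example that is not from the thread. The sample log lines are constructed in the format the LOG target writes, and the "intip"/"extip" addresses in IGNORE_NETS are assumed placeholders.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in the format the iptables LOG target writes to the
# kernel log (no --log-prefix, as in the rule from the thread). Not real data.
SAMPLE_LOG = """\
Apr  9 09:13:01 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.13.222 DST=198.51.100.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF PROTO=TCP SPT=33412 DPT=80 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Apr  9 09:13:01 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.13.222 DST=198.51.100.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=12346 DF PROTO=TCP SPT=33412 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
Apr  9 09:13:02 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.13.222 DST=203.0.113.5 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=12347 PROTO=ICMP TYPE=8 CODE=0 ID=4711 SEQ=1
Apr  9 09:13:02 fw kernel: IN=eth1 OUT=eth1 SRC=192.168.13.222 DST=192.168.13.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12348 PROTO=UDP SPT=5353 DPT=53 LEN=40
Apr  9 09:13:03 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.13.7 DST=198.51.100.10 LEN=500 TOS=0x00 PREC=0x00 TTL=63 ID=12349 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=5840 RES=0x00 ACK URGP=0
"""

# Destinations left out of the report: localnet plus the firewall's own
# addresses (assumed placeholder values standing in for "intip" and "extip").
IGNORE_NETS = [ip_network(n) for n in ("192.168.13.0/24", "10.0.0.1/32", "192.0.2.1/32")]
FIELD = re.compile(r"\b(SRC|DST|LEN|PROTO)=(\S+)")

def parse_log_line(line):
    """Return SRC/DST/LEN/PROTO from one LOG line, or None if it is not one.
    LEN= is the IP total length (headers included). For UDP the LOG target
    prints a second LEN= (UDP length) after DPT=, so only the first is kept."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)
    if not all(k in fields for k in ("SRC", "DST", "LEN")):
        return None
    fields["LEN"] = int(fields["LEN"])
    return fields

def summarize(log_text, ignore_nets):
    """Bytes per source host, and per (source, destination, protocol)."""
    per_host, per_flow = defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        dst = ip_address(rec["DST"])
        if any(dst in net for net in ignore_nets):
            continue  # excluded destination: neither counted nor listed
        per_host[rec["SRC"]] += rec["LEN"]
        per_flow[(rec["SRC"], rec["DST"], rec.get("PROTO", "?"))] += rec["LEN"]
    return dict(per_host), dict(per_flow)

if __name__ == "__main__":
    hosts, flows = summarize(SAMPLE_LOG, IGNORE_NETS)
    for host, total in sorted(hosts.items()):
        print(f"{host} transferred {total} bytes")
    for (src, dst, proto), total in sorted(flows.items()):
        print(f"  {src} -> {dst} ({proto}): {total} bytes")
```

Giving the LOG rule a --log-prefix lets the script select its own lines out of a busy kernel log; the totals here are IP-layer bytes, so subtract per-protocol header sizes if payload bytes are wanted.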




* Re: thanks Antony ... and one more thing ...
From: Danila Octavian @ 2004-04-09  9:44 UTC (permalink / raw)
  To: netfilter

okay ... I decided to try them both (the rule you posted and snort) to see
... (one at a time :-) )
I just installed snort but I am stuck in the manual right now ... if you
happen to have a snort conf file for me ... I will be more than
delighted...

I hope I'm not becoming annoying ... please tell me if that's the case.

thanks again,
Octavian DANILA




