* thanks Antony ... and one more thing ...
From: Danila Octavian @ 2004-04-09 7:34 UTC
To: netfilter

Hi,

Thank You very much for your help ( i bet you are already bored :-) )...

... and the other thing ... in fact I want to log together every destination my computer 192.168.13.222 goes ( except intip,extip,localnet) AND bytecount...

ex.: i want to be able to get a report like : 192.168.13.222 transferred xxxxxxxxxx bytes in 24h time and separately something like a list of destinations with how much is transferred to or from that particular destination. I know that will generate a lot of logs ... but i have a huge harddisk :-)

also i know that request of mine seems exaggerated ... but i wonder if is possible using only IPTABLES ...

Thanks again and sorry for bothering you ...

Regards,
Octavian DANILA
* Re: thanks Antony ... and one more thing ...
From: Antony Stone @ 2004-04-09 8:28 UTC
To: netfilter

On Friday 09 April 2004 8:34 am, Danila Octavian wrote:

> Hi,

Good morning.

> Thank You very much for your help ( i bet you are already bored :-) )...

Bored? No, I subscribed to the netfilter mailing list to stop me getting bored :)

> ... and the other thing ... in fact I want to log together every
> destination my computer 192.168.13.222 goes ( except intip,extip,localnet)
> AND bytecount...
>
> ex.: i want to be able to get a report like : 192.168.13.222 transferred
> xxxxxxxxxx bytes in 24h time and separately something like a list of
> destinations with how much is transferred to or from that particular
> destination. I know that will generate a lot of logs ... but i have a huge
> harddisk :-)
>
> also i know that request of mine seems exaggerated ... but i wonder if is
> possible using only IPTABLES ...

No, not using netfilter (unless you wanted to create a rule for each possible destination, just in case some packets got sent there (but then you'd want to know what protocol was used, too, so you'd need even more rules....)).

I suggest you investigate something like iptraf, netwatch or snort.

Regards,

Antony.

--
One good tern deserves another.

Please reply to the list; please don't CC me.
* Re: thanks Antony ... and one more thing ...
From: Danila Octavian @ 2004-04-09 8:52 UTC
To: netfilter

> No, not using netfilter (unless you wanted to create a rule for each possible
> destination, just in case some packets got sent there (but then you'd want to
> know what protocol was used, too, so you'd need even more rules....)).
>
> I suggest you investigate something like iptraf, netwatch or snort.
>
> Regards,
>
> Antony.

I have something like 30 clients ... in my LAN .
My boss is somehow paranoid and needs "total control" of every bit.

I was thinking of something like

  -A OUTPUT -d !extip !intip !localnet -j LOG

and then parse logs and generate reports with some script.

but the problem : i am not sure if adding three lines of -j LOG for every destination that i ignore (extip intip and localnet) is a good thing. what will happen with the packet after first line ?

thanks in advance,
Octavian DANILA
* Re: thanks Antony ... and one more thing ...
From: Antony Stone @ 2004-04-09 9:13 UTC
To: netfilter

On Friday 09 April 2004 9:52 am, Danila Octavian wrote:

> > I suggest you investigate something like iptraf, netwatch or snort.
>
> I have something like 30 clients ... in my LAN .
> My boss is somehow paranoid and needs "total control" of every bit.

I hope you are in a jurisdiction where this kind of traffic monitoring is legal :)

> I was thinking of something like -A OUTPUT -d !extip !intip !localnet -j
> LOG

OUTPUT??? No - that's only for packets leaving the machine itself (unless you're talking about putting this rule onto each client machine? But I don't think so...)

POSTROUTING mangle is the best place, as I said before, because the only other choices I can think of are:

1. PREROUTING mangle - catches (all) the packets on the way in, but will count those which get blocked by rules in your FORWARD chain as well

2. PRE or POSTROUTING nat - will not see much of the traffic because of the automatic connection-tracking based stuff which goes on in the background

3. FORWARD - assuming you use ESTABLISHED,RELATED (and I recommend that you do), again you will not see much of the traffic in any LOGging rules you put after this

Previously I suggested a rule with no target, just to count the bytes. If you add a LOG target, you will LOG every packet (and you can calculate the number of bytes in it from the LENgth field of the log entry - just subtract the size of the headers).

> and then parse logs and generate reports with some script.

Sure - that would work.

> but the problem : i am not sure if adding three lines of -j LOG for every
> destination that i ignore (extip intip and localnet) is a good thing.

Three lines? Why three? I think just one will do the job.
It's your script which analyses the logs afterwards which has to pick out source, destination, port, length, and turn it all into something your boss can fall asleep to (but then that's what Perl was invented for...)

> what will happen with the packet after first line ?

I don't understand this bit of your question. I'm suggesting you simply change the rule I posted previously, and add a LOG target to it:

  iptables -A POSTROUTING -t mangle -s 192.168.13.222 -j LOG

If you want to log more than one machine as the source address, just make the source match a little wider:

  iptables -A POSTROUTING -t mangle -s 192.168.13.0/24 -j LOG

(Okay, so this will catch packets from your firewall itself as well, but those can get parsed out by your script afterwards).

I still think snort would tell you a whole lot more interesting information, though :)

Regards,

Antony.

--
The truth is rarely pure, and never simple. - Oscar Wilde

Please reply to the list; please don't CC me.
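The "script which analyses the logs afterwards" that Antony leaves to the reader, written out as an added example (it is not part of the thread, and it is Python rather than the Perl he mentions). It assumes the standard syslog format of the iptables LOG target as produced by the POSTROUTING mangle rule above, uses constructed sample log lines rather than real traffic, and stands in for the thread's "localnet" and "extip" with placeholder networks. It produces the two reports the original poster asked for: total bytes for 192.168.13.222, and bytes per destination, with the excluded destinations filtered out in the script rather than with extra iptables rules. The one subtlety worth seeing is that UDP and ICMP log lines repeat a key (a second LEN= for the UDP length, a second ID= for the ICMP identifier), so the parser must keep the first occurrence, which is the IP header's.

```python
"""Summarise netfilter LOG lines for one source host (added example)."""
import re
import ipaddress
from collections import defaultdict

# KEY=VALUE pairs as the kernel's LOG target writes them to syslog; bare
# flags such as DF, SYN or ACK carry no '=' and are simply not captured.
_FIELD_RE = re.compile(r"(\w+)=(\S*)")
_IP_HDR_LEN = 20                                   # IPv4 header without options
_L4_HDR_LEN = {"TCP": 20, "UDP": 8, "ICMP": 8}     # minimum transport header sizes

# Constructed sample log lines in the LOG target's syslog format (not real traffic).
SAMPLE_LOG = """\
Apr  9 09:15:01 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.13.222 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=33021 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 09:15:01 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.13.222 DST=203.0.113.10 LEN=552 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=TCP SPT=33021 DPT=80 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Apr  9 09:15:02 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.13.222 DST=198.51.100.53 LEN=71 TOS=0x00 PREC=0x00 TTL=63 ID=4713 PROTO=UDP SPT=40001 DPT=53 LEN=51
Apr  9 09:15:02 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.13.222 DST=192.168.13.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4714 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Apr  9 09:15:03 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.13.15 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4715 DF PROTO=TCP SPT=50000 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 09:15:03 fw cron[123]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Placeholder stand-ins for the thread's "localnet" and "extip" (assumed values).
EXCLUDE = ("192.168.13.0/24", "192.0.2.1/32")


def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG entry as a dict, or None when
    the line is not a netfilter LOG line (it must carry SRC, DST, LEN, PROTO)."""
    fields = {}
    for key, value in _FIELD_RE.findall(line):
        # UDP lines carry a second LEN= (UDP length) and ICMP lines a second
        # ID=; the first occurrence is the IP header's, so keep that one.
        fields.setdefault(key, value)
    if not all(k in fields for k in ("SRC", "DST", "LEN", "PROTO")):
        return None
    fields["LEN"] = int(fields["LEN"])
    return fields


def approx_payload(fields):
    """Bytes above the headers, as Antony describes: LEN covers the whole IP
    datagram, so subtract the IP header and the minimum transport header.
    Options are not visible in a LOG line, so this is an estimate."""
    return max(0, fields["LEN"] - _IP_HDR_LEN - _L4_HDR_LEN.get(fields["PROTO"], 0))


def summarize(lines, source, exclude):
    """Aggregate LOG entries whose SRC is `source`, skipping destinations inside
    any network listed in `exclude`. Returns (total_bytes, per_destination),
    where per_destination maps (DST, PROTO, DPT) -> bytes on the wire (LEN)."""
    excluded = [ipaddress.ip_network(net) for net in exclude]
    per_dest = defaultdict(int)
    total = 0
    for line in lines:
        fields = parse_log_line(line)
        if fields is None or fields["SRC"] != source:
            continue                       # not a LOG line, or another host
        dst = ipaddress.ip_address(fields["DST"])
        if any(dst in net for net in excluded):
            continue                       # intip / extip / localnet traffic
        key = (fields["DST"], fields["PROTO"], fields.get("DPT", "-"))
        per_dest[key] += fields["LEN"]
        total += fields["LEN"]
    return total, dict(per_dest)


def format_report(source, total, per_dest):
    """Render the two reports asked for in the thread as plain text."""
    out = [f"{source} transferred {total} bytes"]
    for (dst, proto, dport), nbytes in sorted(per_dest.items(), key=lambda kv: -kv[1]):
        out.append(f"  {dst:<16} {proto:<5} dpt={dport:<6} {nbytes} bytes")
    return "\n".join(out)


if __name__ == "__main__":
    total, per_dest = summarize(SAMPLE_LOG.splitlines(), "192.168.13.222", EXCLUDE)
    print(format_report("192.168.13.222", total, per_dest))
```

On a real firewall the lines would be read from wherever syslog files kernel messages (commonly /var/log/kern.log or /var/log/messages), and a daily report is just the same call over one day's lines. Counting LEN gives bytes on the wire; approx_payload() is there for the "subtract the size of the headers" figure, with the caveat that TCP options are invisible in a LOG line, so it is only an estimate.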
* Re: thanks Antony ... and one more thing ...
From: Danila Octavian @ 2004-04-09 9:44 UTC
To: netfilter

okay ... i decided to try them both ( the rule you posted and snort) to see ... ( one at a time :-) )

i just installed snort but i am stuck in the manual right now ... if you happen to have a snort conf file for me ... i will be more than delighted...

i hope i'm not becoming annoying ... please tell me if that's the case.

thanks again,
Octavian DANILA