nat & ip accounting

nat & ip accounting

[Alexandru Coseru]

[-- Attachment #1: Type: text/plain, Size: 379 bytes --]



Hello..

I want to see using iptables -L -v  the ammount of traffic generated by each of my LAN's IP..

i have masq 192.168.0.2  to 192.168.0.50...

and now i want to see the traffic generated by 192.168.0.4 since the last reset of counters..

How can I do that ?  I want to be able to see the download and the upload ...


Thanks..
                        Alex

[-- Attachment #2: Type: text/html, Size: 1357 bytes --]

Re: nat & ip accounting

[Kim Jensen]

On Wednesday 26 March 2003 20:32, Alexandru Coseru wrote:
> Hello..
>
> I want to see using iptables -L -v  the ammount of traffic generated by
> each of my LAN's IP..
>
> i have masq 192.168.0.2  to 192.168.0.50...
>
> and now i want to see the traffic generated by 192.168.0.4 since the last
> reset of counters..
>
> How can I do that ?  I want to be able to see the download and the upload
> ...
>
ifconfig

/Kim

RE: nat & ip accounting

[Rowan Reid]

> > and now i want to see the traffic generated by 192.168.0.4 
> since the 
> > last reset of counters..
> >
> > How can I do that ?  I want to be able to see the download and the 
> > upload ...


I have an answer but you also got me thinking.  A good tool to keep
track of traffic via ip addresses would be mrtg. However is there an
mrtg type tool that uses the counters in iptables rules to keep track of
traffic and output it in a user friendly form.

Re: nat & ip accounting

[Bjorn Ruberg]

On Wed, 2003-03-26 at 22:01, Kim Jensen wrote:
> On Wednesday 26 March 2003 20:32, Alexandru Coseru wrote:
> > Hello..
> >
> > I want to see using iptables -L -v  the ammount of traffic generated by
> > each of my LAN's IP..
> >
> > i have masq 192.168.0.2  to 192.168.0.50...
> >
> > and now i want to see the traffic generated by 192.168.0.4 since the last
> > reset of counters..
> >
> > How can I do that ?  I want to be able to see the download and the upload
> > ...
> >
> ifconfig

ifconfig is the worst alternative, because it regularly resets its
counters.

As Rowan suggested, use MRTG [1] or some other tool (RRDtool [2],
perhaps? :) to read the statistics.

You may use MRTG with an SNMP daemon on your system or with an iptables
extract script [3].

Hope this helps;

Bjørn

[1] http://www.mrtg.org/
[2] http://www.rrdtool.org/
[3] http://www.norris160.org/cisco/MRTG_Monitor_Software.htm

Re: nat & ip accounting

[Kim Jensen]

On Wednesday 26 March 2003 22:11, Rowan Reid wrote:
> I have an answer but you also got me thinking.  A good tool to keep
> track of traffic via ip addresses would be mrtg. However is there an
> mrtg type tool that uses the counters in iptables rules to keep track of
> traffic and output it in a user friendly form.

If you wish to see things in a more user friendly way (or usable way, as no 
system is friendly :-) can be hard as you have to define what in what you 
wish to see things!

mrtg is quite good, since you get the results on a webpage, but for tracking 
ip specific things - I don't know, as I don't think the kernel remembers this 
statistic. You can read per interface but not from each ip connecting to an 
interface.

/Kim

Re: nat & ip accounting

[Kim Jensen]

On Wednesday 26 March 2003 22:38, Bjorn Ruberg wrote:
> On Wed, 2003-03-26 at 22:01, Kim Jensen wrote:
> > On Wednesday 26 March 2003 20:32, Alexandru Coseru wrote:
> > > Hello..
> > >
> > > I want to see using iptables -L -v  the ammount of traffic generated by
> > > each of my LAN's IP..
> > >
> > > i have masq 192.168.0.2  to 192.168.0.50...
> > >
> > > and now i want to see the traffic generated by 192.168.0.4 since the
> > > last reset of counters..
> > >
> > > How can I do that ?  I want to be able to see the download and the
> > > upload ...
> >
> > ifconfig
>
> ifconfig is the worst alternative, because it regularly resets its
> counters.
>
> As Rowan suggested, use MRTG [1] or some other tool (RRDtool [2],
> perhaps? :) to read the statistics.
>
> You may use MRTG with an SNMP daemon on your system or with an iptables
> extract script [3].
>
Well, I tried to be a little provocative with my remark on ifconfig - seems 
like it worked. MRTH is a much preferred tool. If the problem is that certain 
persons are having a very high load, then use host based limiting rules.

/Kim

Re: nat & ip accounting

[alexb]

If you havn't to many diferent ip/ip-ranges to monitor you can enter iptables
filter rules for that ips with no action, just to count the trafic, than use a
script and mrtg to show them. something like:

iptables -A FORWARD -s [MonitoredIP] -i [NIC_conecting_to_IP]
iptables -A FORWARD -d {MonitoredIP] -o [NIC_conecting_to_IP]

make a script to grab the bytecount and output them as mrtg expect
(IN,OUT,UPTIME,HOSTNAME). Change ^[1,2] to select your rules
in the chain where you grab the trafic.

iptables -nvxL FORWARD --line-numbers|egrep ^[1,2]|awk '{print $3}'


Cópia Kim Jensen <kimj@dawn.dk>:

> On Wednesday 26 March 2003 22:11, Rowan Reid wrote:
> > I have an answer but you also got me thinking.  A good tool to keep
> > track of traffic via ip addresses would be mrtg. However is there an
> > mrtg type tool that uses the counters in iptables rules to keep track
> of
> > traffic and output it in a user friendly form.
> 
> If you wish to see things in a more user friendly way (or usable way, as
> no 
> system is friendly :-) can be hard as you have to define what in what
> you 
> wish to see things!
> 
> mrtg is quite good, since you get the results on a webpage, but for
> tracking 
> ip specific things - I don't know, as I don't think the kernel remembers
> this 
> statistic. You can read per interface but not from each ip connecting to
> an 
> interface.
> 
> /Kim
> 
> 

RE: nat & ip accounting

[Rowan Reid]

> 
> I've tried an mtrg , but no luck..  it's telling me only 
> about the whole eth0 ...  no traffic per ip basis..

Mrtg configures via snmp when I set it up I have a page for each
ineterface Ip.
So I can see my external address and internal address traffic.

Re: nat & ip accounting

[Bjorn Ruberg]

On Wed, 2003-03-26 at 22:51, Kim Jensen wrote:
> On Wednesday 26 March 2003 22:11, Rowan Reid wrote:
> > I have an answer but you also got me thinking.  A good tool to keep
> > track of traffic via ip addresses would be mrtg. However is there an
> > mrtg type tool that uses the counters in iptables rules to keep track of
> > traffic and output it in a user friendly form.
> 
> If you wish to see things in a more user friendly way (or usable way, as no 
> system is friendly :-) can be hard as you have to define what in what you 
> wish to see things!
> 
> mrtg is quite good, since you get the results on a webpage, but for tracking 
> ip specific things - I don't know, as I don't think the kernel remembers this 
> statistic. You can read per interface but not from each ip connecting to an 
> interface.

You can indeed log from each IP connecting. In fact you may read
whatever you configure iptables to log. You may end up with one heck of
a ruleset, as you need one iptables rule for every different parameter
you want to log.


Bjørn

Re: nat & ip accounting

[Bjorn Ruberg]

On Wed, 2003-03-26 at 20:32, Alexandru Coseru wrote:
> 
> 
> Hello..
> 
> I want to see using iptables -L -v  the ammount of traffic generated by each of my LAN's IP..
> 
> i have masq 192.168.0.2  to 192.168.0.50...
> 
> and now i want to see the traffic generated by 192.168.0.4 since the last reset of counters..
> 
> How can I do that ?  I want to be able to see the download and the upload ...

You will need to create an iptables rule for the specific IP, one for
outgoing and one for incoming traffic. Iptables is not able to give you
this information if you have not instructed it to store the specific
IP's connection. First the rules, then the statistics.

For your future logging requirements:

  iptables -A FORWARD -d 192.168.0.4 -j RETURN
  iptables -A FORWARD -s 192.168.0.4 -j RETURN

will create two new lines of traffic statistics to read from when
running "iptables -L -v", giving you information to and from the given
host, respectively. Be sure to put them somewhere early in your rule
set.

The RETURN target passes the packets back to the rest of the iptables
rule set after having counted them. Thus, these lines do not affect the
functionality of your iptables rules.

Bjørn

Re: nat & ip accounting

[Bjorn Ruberg]

Oops, a little error in my last posting. Do NOT use the RETURN target on
the default chain.

The RETURN target (obviously) returns the packets to the chain that sent
it there. If used in the main chain, it is the same as falling back to
the default behaviour of the chain and will hopefully be denied.
Therefore, a direction to a chain must be done.

        iptables -N count_in
        iptables -A count_in -j RETURN

        iptables -N count_out
        iptables -A count_out -j RETURN

        iptables -A FORWARD -s 192.168.0.4 -j count_in
        iptables -A FORWARD -d 192.168.0.4 -j count_out

will do the trick.

Bjørn

Re: nat & ip accounting

[Kelly Setzer]

On Wed, Mar 26, 2003 at 03:04:34PM -0800, Rowan Reid wrote:
> 
> > 
> > I've tried an mtrg , but no luck..  it's telling me only 
> > about the whole eth0 ...  no traffic per ip basis..

IP Audit might have what you need.

http://sp.uconn.edu/~jrifkin/ipaudit/

Kelly

--
Kelly Setzer, System Administrator/Architect - Placemark Investments
14180 Dallas Pkwy, Suite 200, Dallas, TX 75240
kelly.setzer@placemark.com  http://www.placemark.com
(972)404-8100x41 (work)       (214) 287-3464 (cell)