From: Joel Solanki <zealous@bonbon.net>
To: netfilter <netfilter@lists.netfilter.org>
Subject: Re: Ip accounting Help--> Urgent
Date: Sat, 26 Jun 2004 10:00:26 +0530
Message-ID: <1088224225.3133.20.camel@joel.d2visp.com>
In-Reply-To: <200406231241.29378.Antony@Soft-Solutions.co.uk>
Hello all, ANTONY ... hoping for something from you :)

I am testing IP accounting on my production server for the last 2 days but I
can sort the things. Anybody, if you could throw a little light, that would
be really helpful to me.

These are my testing results.

# $IPT -t mangle -i eth1 -A FORWARD -s 192.168.0.2
# $IPT -t mangle -o eth0 -A FORWARD -d 192.168.0.2

Results:

Chain FORWARD (policy ACCEPT 6853 packets, 2981K bytes)
 pkts bytes target prot opt in   out  source       destination
 3267 1483K        all  --  eth1 *    192.168.0.2  0.0.0.0/0
    0     0        all  --  *    eth0 0.0.0.0/0    192.168.0.2

I downloaded squid-2.5.STABLE5.tar.gz from my FTP server.
The size of squid is 1.3M.

When I downloaded, the byte counter went to the first command: you
can see that above.

Now when I uploaded the same squid package from the local machine to the remote
FTP server, it doesn't show any byte counter in the second command: you can
see that above ... the byte counters are 0.

So how can I count the upload bytes?
Where have I gone wrong?
Any ideas?

Regards,
--
Joel n.solanki
Systems Administrator
(M) 91-9825500258
D2V ISP PVT LTD
http://www.d2visp.com
On Wed, 2004-06-23 at 17:11, Antony Stone wrote:
> On Wednesday 23 June 2004 11:57 am, Joel wrote:
>
> > On Wed, 2004-06-23 at 14:31, Antony Stone wrote:
> > >
> > > Beware of trying to do this if you are using the stateful connection
> > > tracking of netfilter (iptables -I FORWARD -m state --state
> > > ESTABLISHED,RELATED), because if you are, then almost all of the packets
> > > going through the machine (specifically, all except the first one of each
> > > connection) will be processed by this one rule, and all the other rules
> > > in the FORWARD chain will only see one packet per connection (the first
> > > one).
> > >
> > > You may be able to do what you want using the mangle table of the FORWARD
> > > chain, but not with the default filter table.
> >
> > Yes, I am using stateful connection tracking of netfilter (iptables -I
> > FORWARD -m state --state ESTABLISHED,RELATED).
> > So as per you I have used the FORWARD chain in the MANGLE table like this.
> >
> > # iptables -t mangle -i eth1 -A FORWARD -s 10.1.1.24/29 -j ACCEPT ---> I
> > think for Download traffic ---> Am I right?
> > # iptables -t mangle -i eth0 -A FORWARD -d 10.1.1.24/29 -j ACCEPT ---> I
> > think for Upload traffic ----> Am I right?
> >
> > This is the output of
> > # iptables -t mangle -nvL FORWARD
> >
> > Chain FORWARD (policy ACCEPT 1747K packets, 318M bytes)
> >  pkts bytes target prot opt in   out source        destination
> >  1068 91499 ACCEPT all  --  eth1 *   10.1.1.24/29  0.0.0.0/0
> >   148 26923 ACCEPT all  --  eth0 *   0.0.0.0/0     10.1.1.24/29
> >
> > Antony, I have a lot of other IP addresses but I have created only this subnet
> > in the mangle table for testing.
> > Traffic bytes are passing through this.
> > So is this the correct method?
> > Will the bytes over here be accurate?
>
> The byte counts will be accurate, yes, and you have the correct idea about
> using -s a.b.c.d and -d w.x.y.z to capture traffic to and from particular IP
> addresses.
>
> The thing I suggest you change, though, is not to have a -j ACCEPT at the end
> of your rules - just let all the packets flow right through the mangle table,
> with the rules simply counting them as they go past.
>
> In other words, don't do:
>
> iptables -t mangle -i eth1 -A FORWARD -s 10.1.1.24/29 -j ACCEPT
>
> Just do:
>
> iptables -t mangle -i eth1 -A FORWARD -s 10.1.1.24/29
>
> The packets will still get counted just the same.
>
> The reason for this advice is that the filter table is for filtering; the nat
> and mangle tables are not. Therefore you shouldn't use targets like ACCEPT,
> DROP, etc (which are filtering operations) anywhere except the filter tables.
>
> Regards,
>
> Antony.
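
Added example, not part of the thread and not written by either poster: a small shell/awk reader for the text that `iptables -t mangle -nvL FORWARD` prints, which totals bytes per address and lists counting rules that have matched nothing, such as the second rule in the listing above. The function names and the embedded sample (copied from the message) are assumptions of this example; it handles the target-less rules recommended in the quoted reply, whose empty target column shifts the fields.

```shell
#!/bin/sh
# Added example (not from the thread): read the text printed by
# `iptables -t mangle -nvL FORWARD` on stdin and account bytes per address.

# Constructed sample: the listing quoted in the message above.
sample_listing() {
cat <<'EOF'
Chain FORWARD (policy ACCEPT 6853 packets, 2981K bytes)
 pkts bytes target     prot opt in     out     source               destination
 3267 1483K            all  --  eth1   *       192.168.0.2          0.0.0.0/0
    0     0            all  --  *      eth0    0.0.0.0/0            192.168.0.2
EOF
}

# Shared awk prelude. Counting rules without -j have an empty target column,
# so the "opt" column is field 4 instead of 5; locate it before reading on.
# K/M/G are the rounded multiples of 1000 shown without -x (-x prints exact).
AWK_LIB='
function expand(v,  u) {
  u = substr(v, length(v))
  return (v + 0) * (u == "K" ? 1e3 : u == "M" ? 1e6 : u == "G" ? 1e9 : 1)
}
function optcol() {
  if ($4 ~ /^(--|-f|!f)$/) return 4
  if ($5 ~ /^(--|-f|!f)$/) return 5
  return 0
}
$1 == "Chain" || $1 == "pkts" || NF == 0 { next }
{ o = optcol(); if (!o) next
  in_if = $(o+1); out_if = $(o+2); src = $(o+3); dst = $(o+4) }
'

# acct_bytes src|dst ADDR: total bytes of rules whose source/destination is ADDR.
acct_bytes() {
  awk -v want="$1" -v addr="$2" "$AWK_LIB"'
    (want == "src" ? src : dst) == addr { total += expand($2) }
    END { printf "%.0f\n", total }'
}

# zero_rules: print rules that have matched no packets at all.
zero_rules() {
  awk "$AWK_LIB"'
    $1 == 0 { printf "in=%s out=%s src=%s dst=%s\n", in_if, out_if, src, dst }'
}

sample_listing | acct_bytes src 192.168.0.2
sample_listing | zero_rules
```

On a live system the same functions can be fed from `iptables -t mangle -nvxL FORWARD`, where `-x` makes the counters exact instead of rounded.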