Accounting for national/international traffic

Accounting for national/international traffic

[Jean Hoderd]

Hi,

Here's the situation: in many countries it is customary for IPS's to
have separate quotas for national/international traffic (in my case the
limits are 20GB/2GB per month).

Now, given an IP address, knowing whether it is national or
international is a solved problem: there are publicly available lists
with the ranges of national IP addresses.

The problem: how to keep track of the monthly internet usage divided
into national/international traffic.

Please note that I am not interested in enforcing quotas per se (the
"quota" module, I believe).  Rather, I would simply like to know what
is the total traffic per category since the beginning of the month.

I have searched netfilter's repository, and it seems that the
ipt_account module might do the trick.  However, since I am still a
newbie with netfilter, I am having some trouble defining the actual
rules to make it work.  Let us imagine, for instance, that I have n
ranges of national IP addresses.  Adding them to a "national" counter
seems easy:

iptables -A INPUT -m account --addr "range1" --aname national
iptables -A INPUT -m account --addr "range2" --aname national
...
iptables -A INPUT -m account --addr "rangen" --aname national

The question is: how do I implement the logic for all non-matching
ranges, which should be added to an "international" counter?
Furthermore, I have already plenty of rules in my firewall, and I wish
that the traffic accounting would not interfere with them.

Thanks in advance for any help you can give me!
Regards,
Jean




		
__________________________________ 
Do you Yahoo!? 
Send a seasonal email greeting and help others. Do good. 
http://celebrity.mail.yahoo.com

Re: Accounting for national/international traffic

[Alistair Tonner]

On December 21, 2004 03:55 am, Jean Hoderd wrote:
> Hi,
>
> Here's the situation: in many countries it is customary for IPS's to
> have separate quotas for national/international traffic (in my case the
> limits are 20GB/2GB per month).
>
> Now, given an IP address, knowing whether it is national or
> international is a solved problem: there are publicly available lists
> with the ranges of national IP addresses.
>
> The problem: how to keep track of the monthly internet usage divided
> into national/international traffic.
>
> Please note that I am not interested in enforcing quotas per se (the
> "quota" module, I believe).  Rather, I would simply like to know what
> is the total traffic per category since the beginning of the month.
>
> I have searched netfilter's repository, and it seems that the
> ipt_account module might do the trick.  However, since I am still a
> newbie with netfilter, I am having some trouble defining the actual
> rules to make it work.  Let us imagine, for instance, that I have n
> ranges of national IP addresses.  Adding them to a "national" counter
> seems easy:
>
> iptables -A INPUT -m account --addr "range1" --aname national
> iptables -A INPUT -m account --addr "range2" --aname national
> ...
> iptables -A INPUT -m account --addr "rangen" --aname national
>
> The question is: how do I implement the logic for all non-matching
> ranges, which should be added to an "international" counter?
> Furthermore, I have already plenty of rules in my firewall, and I wish
> that the traffic accounting would not interfere with them.

 You want to have two user chains to do this.
 create the 'accounting' chain in which you will account the packets with the 
rules you've given, and *AFTER* each accounting rule put a matching rule that 
RETURNS the packets to the calling chain.  At the end of the 'accounting' 
chain add one rule to an 'international' chain that accounts for all non 
returned packets.  At the end of the 'international chain the packets will 
return to the 'accounting'  chain and since they are already on the end of 
that they will RETURN to the calling chain.

iptables -A accounting -m account --addr 'range1' --aname national
iptables -A accounting -d range1 -j RETURN
iptables -A accounting -m account --addr 'range2' --aname national
iptables -A accounting -d range2 -j RETURN
iptables-A accounting -j international
iptables -A international -m account --aname international


 Alistair Tonner


>
> Thanks in advance for any help you can give me!
> Regards,
> Jean
>
>
>
>
>
> __________________________________
> Do you Yahoo!?
> Send a seasonal email greeting and help others. Do good.
> http://celebrity.mail.yahoo.com

Re: Accounting for national/international traffic

[George Alexandru Dragoi]

Such ISPs use a different dscp in tos parameter in IP header. Here
some ISPs uses tos 0x80 or 0x84 or 0x21 . If you see tos 0x80 you can
match it with -m dscp --dscp 0x20 . For such details, better ask your
ISP.


On Tue, 21 Dec 2004 13:33:00 -0500, Alistair Tonner <Alistair@nerdnet.ca> wrote:
> On December 21, 2004 03:55 am, Jean Hoderd wrote:
> > Hi,
> >
> > Here's the situation: in many countries it is customary for IPS's to
> > have separate quotas for national/international traffic (in my case the
> > limits are 20GB/2GB per month).
> >
> > Now, given an IP address, knowing whether it is national or
> > international is a solved problem: there are publicly available lists
> > with the ranges of national IP addresses.
> >
> > The problem: how to keep track of the monthly internet usage divided
> > into national/international traffic.
> >
> > Please note that I am not interested in enforcing quotas per se (the
> > "quota" module, I believe).  Rather, I would simply like to know what
> > is the total traffic per category since the beginning of the month.
> >
> > I have searched netfilter's repository, and it seems that the
> > ipt_account module might do the trick.  However, since I am still a
> > newbie with netfilter, I am having some trouble defining the actual
> > rules to make it work.  Let us imagine, for instance, that I have n
> > ranges of national IP addresses.  Adding them to a "national" counter
> > seems easy:
> >
> > iptables -A INPUT -m account --addr "range1" --aname national
> > iptables -A INPUT -m account --addr "range2" --aname national
> > ...
> > iptables -A INPUT -m account --addr "rangen" --aname national
> >
> > The question is: how do I implement the logic for all non-matching
> > ranges, which should be added to an "international" counter?
> > Furthermore, I have already plenty of rules in my firewall, and I wish
> > that the traffic accounting would not interfere with them.
> 
>  You want to have two user chains to do this.
>  create the 'accounting' chain in which you will account the packets with the
> rules you've given, and *AFTER* each accounting rule put a matching rule that
> RETURNS the packets to the calling chain.  At the end of the 'accounting'
> chain add one rule to an 'international' chain that accounts for all non
> returned packets.  At the end of the 'international chain the packets will
> return to the 'accounting'  chain and since they are already on the end of
> that they will RETURN to the calling chain.
> 
> iptables -A accounting -m account --addr 'range1' --aname national
> iptables -A accounting -d range1 -j RETURN
> iptables -A accounting -m account --addr 'range2' --aname national
> iptables -A accounting -d range2 -j RETURN
> iptables-A accounting -j international
> iptables -A international -m account --aname international
> 
> 
>  Alistair Tonner
> 
> 
> >
> > Thanks in advance for any help you can give me!
> > Regards,
> > Jean
> >
> >
> >
> >
> >
> > __________________________________
> > Do you Yahoo!?
> > Send a seasonal email greeting and help others. Do good.
> > http://celebrity.mail.yahoo.com
> 
> 


-- 
Bla bla

Re: Accounting for national/international traffic

[Jean Hoderd]

Hi,

And thanks to both people who have answered my question! Accounting for
national/international traffic using the "ipt_account" module seems
quite straightforward now. However, since the list of national IP
ranges is quite long, it might introduce a serious performance penalty.
In that respect, the "dscp" module seems to be a better option -- if
supported by my ISP. (It also has the advantage that the classification
is always up-to-date with the list of national IP ranges).

Anyway, looking at the long list of IP ranges, it occurred to me that
this is essentially a decision tree problem, which could be optimised
using known algorithms.  My googling has returned empty-handed, so my
question is: does someone know of any project which aims at optimising
iptables rules based on decision trees?  If not, I would gladly take a
look at the problem when I find some time.

Cheers,
Jean



		
__________________________________ 
Do you Yahoo!? 
Yahoo! Mail - now with 250MB free storage. Learn more.
http://info.mail.yahoo.com/mail_250