From: Oskar Berggren <beo@sgs.o.se>
To: Toth Szabolcs <totya@mail.ajkanet.hu>
Cc: netfilter@lists.netfilter.org, netfilter-devel@lists.netfilter.org
Subject: Re: Help! ip traffic accounting and bidirection with iptables ??
Date: Mon, 16 Dec 2002 12:12:27 +0100
Message-ID: <3DFDB51B.3010802@sgs.o.se>
In-Reply-To: Pine.LNX.4.21.0212131702290.24104-100000@eagle.ajkanet.hu

[-- Attachment #1: Type: text/plain, Size: 1955 bytes --]

Toth Szabolcs wrote:

> 
> ipchains -N acct
> ipchains -A input -j acct -s 192.168.0.0/16 -b
> ipchains -A output -j acct -s 192.168.0.0/16 -b
> 
> ipchains -A acct -p all -s 192.168.0.19  -i eth1 -b
> ipchains -A acct -p all -s 192.168.2.10  -i eth1 -b
> ipchains -A acct -p all -s 192.168.2.26  -i eth1 -b
> ipchains -A acct -p all -s 192.168.2.42  -i eth1 -b
> ipchains -A acct -p all -s 192.168.2.58  -i eth1 -b
> ......
> .....
> .....
> (n+1)
> 


Hmm, I haven't worked extensively with ipchains, but isn't -b
just a shorthand for inserting two rules? Isn't it actually
2n rules in the kernel?

Anyway, a different means of doing this is using an iptables
extension which I've written, called IPSTATS. It works
as a target.

To use, compile and insmod the module. Insert one rule
that selects the traffic you want to account for, regardless
of internal IP. Target this traffic to the IPSTATS module, which
will separate the traffic based on ip-address. Then use a
separate utility 'ipstats' to list the counters.

If your ip-addresses are distributed sparsely in the B-net you
are using, this will use a lot of memory, but it will take
constant time.

iptables -A FORWARD -s 192.168.0.0/16 -j IPSTATS --is-id 1 \
                  --is-start-ip 192.168.0.0 --is-size 65536 \
                  --is-source
iptables -A FORWARD -d 192.168.0.0/16 -j IPSTATS --is-id 2 \
                  --is-start-ip 192.168.0.0 --is-size 65536 \
                  --is-source

# ./ipstats --list 1 |head -4
ac_idx: 1   elements: 65536
192.168.0.0    0    0
192.168.0.1    0    0
192.168.0.2    0    0
[...]

If your ip-addresses are distributed in only the lower part
of the subnet, it is perfectly valid to specify a smaller
size to the IPSTATS module.

Included is the source of the latest version. No guarantees of
any kind. We have recently started using it in a production
environment, and I know of at least one other person/organization
using it.

regards
Oskar



[-- Attachment #2: ipstats-0.8.5.tar.gz --]
[-- Type: application/gzip, Size: 13164 bytes --]
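
A userspace sketch of the kind of direct-indexed counter table that the start-ip/size options and the constant-time, memory-hungry behaviour described above suggest. It is an added illustration, not code from the attached ipstats source; the layout and every name in it (ip_table, ip_table_init, ip_table_account, ip4) are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical names throughout; none come from the ipstats source. */
struct ip_counter { uint64_t packets, bytes; };
struct ip_table {
    uint32_t start_ip;          /* first address covered, host byte order */
    uint32_t size;              /* number of consecutive addresses covered */
    struct ip_counter *slots;   /* one slot per address, used or not */
};

/* Build a host-byte-order address from dotted-quad octets. */
uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Memory cost is size * sizeof(struct ip_counter), however sparse the hosts. */
int ip_table_init(struct ip_table *t, uint32_t start_ip, uint32_t size)
{
    if (size == 0 || size - 1 > UINT32_MAX - start_ip)
        return -1;              /* empty range, or range past 255.255.255.255 */
    t->slots = calloc(size, sizeof(*t->slots));
    if (!t->slots)
        return -1;
    t->start_ip = start_ip;
    t->size = size;
    return 0;
}

/* Constant time per packet: one subtraction, one bounds check, one access.
 * Returns 0 if counted, -1 if the address lies outside the table. */
int ip_table_account(struct ip_table *t, uint32_t ip, uint32_t len)
{
    uint32_t idx = ip - t->start_ip;  /* wraps to a huge value if ip < start_ip */
    if (idx >= t->size)
        return -1;                    /* never index outside the array */
    t->slots[idx].packets++;
    t->slots[idx].bytes += len;
    return 0;
}

int main(void)
{
    struct ip_table t;
    if (ip_table_init(&t, ip4(192, 168, 0, 0), 65536) != 0)
        return 1;
    ip_table_account(&t, ip4(192, 168, 2, 10), 1500);      /* constructed packet */
    int miss = ip_table_account(&t, ip4(10, 0, 0, 1), 60); /* outside the range */
    printf("192.168.2.10: %llu packets, out-of-range result: %d\n",
           (unsigned long long)t.slots[ip4(0, 0, 2, 10)].packets, miss);
    free(t.slots);
    return 0;
}
```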
