Help! ip traffic accounting and bidirection with iptables ??

Help! ip traffic accounting and bidirection with iptables ??

[Toth Szabolcs]

Hi All !

I have the following network schema :

         firewall
         _________
 INET    |   |	 |     LAN 
<------>ETH0 |   ETH1<----->
1.2.3.5  |   |   |    192.168.0.0/16
         ---------
	  server

I measure the ip traffic for each user who are in the LAN segment.
I measure all traffic that goes to , come from the server and INET.

I used unil now ipchains. The following rules make it possible for me to
see seperated the incoming and outgoing traffic on each user ip:

pkts	bytes
1125     208155 -          all  ------ 0xFF 0x00  eth1 				192.168.2.10         0.0.0.0/0             n/a
1542    1153702 -          all  ------ 0xFF 0x00  eth1 				0.0.0.0/0            192.168.2.10          n/a
---------------

ipchains -N acct
ipchains -A input -j acct -s 192.168.0.0/16 -b
ipchains -A output -j acct -s 192.168.0.0/16 -b

ipchains -A acct -p all -s 192.168.0.19  -i eth1 -b
ipchains -A acct -p all -s 192.168.2.10  -i eth1 -b
ipchains -A acct -p all -s 192.168.2.26  -i eth1 -b
ipchains -A acct -p all -s 192.168.2.42  -i eth1 -b
ipchains -A acct -p all -s 192.168.2.58  -i eth1 -b
......
.....
.....
(n+1)

Now I would change to iptables but I have a problem that I can not solve.
I can not measure the ip traffic / seperated for incoming and outgoing !!/ 
in ONE rule beacuse there is now "-b" /bidirection/ option in the 
iptables.

Now I use the following rules in iptables:

iptables -N acct
iptables -A acct -d 192.168.2.10
iptables -A acct -s 192.168.2.10
........
.......
(2n+1)

iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j acct
iptables -A FORWARD -j acct
iptables -A OUTPUT -o eth1 -d 192.168.0.0/16 -j acct

If anybody know a better solution please write me: totya@ajkanet.hu

Re: Help! ip traffic accounting and bidirection with iptables ??

[Oskar Berggren]

[-- Attachment #1: Type: text/plain, Size: 1955 bytes --]

Toth Szabolcs wrote:

> 
> ipchains -N acct
> ipchains -A input -j acct -s 192.168.0.0/16 -b
> ipchains -A output -j acct -s 192.168.0.0/16 -b
> 
> ipchains -A acct -p all -s 192.168.0.19  -i eth1 -b
> ipchains -A acct -p all -s 192.168.2.10  -i eth1 -b
> ipchains -A acct -p all -s 192.168.2.26  -i eth1 -b
> ipchains -A acct -p all -s 192.168.2.42  -i eth1 -b
> ipchains -A acct -p all -s 192.168.2.58  -i eth1 -b
> ......
> .....
> .....
> (n+1)
> 


Hmm, i haven't worked extensively with ipchains, but isn't -b
just a shorthand for inserting two rules? Isn't it actually
2n rules in the kernel?

Anyway, a different means of doing this is using an iptables
extension wich I've written, called IPSTATS. It works
as a target.

To use, compile and insmod the module. Insert one rule
that selects the traffic you want to account for, irregardless
of interal ip. Target this traffic to the IPSTATS module, which
will separate the traffic based on ip-address. Then use a
separate utility 'ipstats' to list the counters.

If your ip-addresses are distributed sparsely in the B-net you
are using, this will use a lot of memory, but it will take
constant time.

iptables -A FORWARD -s 192.168.0.0/16 -j IPSTATS --is-id 1 \
                  --is-start-ip 192.168.0.0 --is-size 65536
                  --is-source
iptables -A FORWARD -d 192.168.0.0/16 -j IPSTATS --is-id 2 \
                  --is-start-ip 192.168.0.0 --is-size 65536
                  --is-source

# ./ipstats --list 1 |head -4
ac_idx: 1   elements: 65536
192.168.0.0    0    0
192.168.0.1    0    0
192.168.0.2    0    0
[...]

If your ip-addresses are distributed in only the lower part
of the subnet, it is perfectly valid to specify a smaller
size to the IPSTATS module.

Included is the source of the latest version. No guarantees of
any kind. We have recently started using it in a production
environment, and I know of at least one other person/organization
using it.

regards
Oskar



[-- Attachment #2: ipstats-0.8.5.tar.gz --]
[-- Type: application/gzip, Size: 13164 bytes --]