* NAT POSTROUTING accounting
@ 2006-10-15 14:43 Kamal
  2006-10-15 18:09 ` Martijn Lievaart
  0 siblings, 1 reply; 7+ messages in thread
From: Kamal @ 2006-10-15 14:43 UTC (permalink / raw)
  To: netfilter

I have the following 2 rules:
 iptables -t nat -I POSTROUTING -o eth0 -p tcp --dport 80 -j SNAT --to 192.168.0.1
 iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to 192.168.0.2

 How can I do accounting on TOTAL number of packets & bytes that pass
through both rules since the packets & bytes that appear when listing
the chain reflect the number of packets creating new connections & not
all the packets that are NAT'ed. Also you can't add a chain in front
of this chain since NAT POSTROUTING is the last chain in a packet
traversal:

 Chain POSTROUTING (policy ACCEPT 2593 packets, 1181K bytes)
  pkts bytes target     prot opt in     out     source               destination
  2259  114K SNAT       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:192.168.0.1
  223K   15M SNAT       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           to:192.168.0.2



* Re: NAT POSTROUTING accounting
  2006-10-15 14:43 NAT POSTROUTING accounting Kamal
@ 2006-10-15 18:09 ` Martijn Lievaart
  2006-10-16 12:00   ` Kamal
  0 siblings, 1 reply; 7+ messages in thread
From: Martijn Lievaart @ 2006-10-15 18:09 UTC (permalink / raw)
  To: Kamal; +Cc: netfilter

Kamal wrote:

> I have the following 2 rules:
> iptables -t nat -I POSTROUTING -o eth0 -p tcp --dport 80 -j SNAT --to 192.168.0.1
> iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to 192.168.0.2
>
> How can I do accounting on TOTAL number of packets & bytes that pass
> through both rules since the packets & bytes that appear when listing
> the chain reflect the number of packets creating new connections & not
> all the packets that are NAT'ed. Also you can't add a chain in front
> of this chain since NAT POSTROUTING is the last chain in a packet
> traversal:
>
> Chain POSTROUTING (policy ACCEPT 2593 packets, 1181K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  2259  114K SNAT       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:192.168.0.1
>  223K   15M SNAT       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           to:192.168.0.2
>

Create a separate rule in FORWARD that jumps to an empty chain. Put this 
rule before the -m state rule(s).

HTH,
M4




* Re: NAT POSTROUTING accounting
  2006-10-15 18:09 ` Martijn Lievaart
@ 2006-10-16 12:00   ` Kamal
  2006-10-16 12:28     ` Gáspár Lajos
  0 siblings, 1 reply; 7+ messages in thread
From: Kamal @ 2006-10-16 12:00 UTC (permalink / raw)
  To: netfilter

On 10/15/06, Martijn Lievaart <m@rtij.nl> wrote:

> Create a separate rule in FORWARD that jumps to an empty chain. Put this
> rule before the -m state rule(s).

I will try to guess that by FORWARD you mean the filter FORWARD chain
(as opposed to mangle FORWARD), & the empty chain that you're
referring to is a user-defined chain,
but I didn't get what you mean by "the -m state rule" since in my
example I didn't use the state module.

But in any case, doesn't the FORWARD chain only account for forwarded
packets through the machine? What about locally generated packets?

Thanks



* Re: NAT POSTROUTING accounting
  2006-10-16 12:00   ` Kamal
@ 2006-10-16 12:28     ` Gáspár Lajos
  2006-10-16 13:22       ` Kamal
  0 siblings, 1 reply; 7+ messages in thread
From: Gáspár Lajos @ 2006-10-16 12:28 UTC (permalink / raw)
  To: Kamal; +Cc: netfilter

Kamal wrote:
> On 10/15/06, Martijn Lievaart <m@rtij.nl> wrote:
>
>> Create a separate rule in FORWARD that jumps to an empty chain. Put this
>> rule before the -m state rule(s).
>
> I will try to guess that by FORWARD you mean the filter FORWARD chain
> (as opposed to mangle FORWARD), & the empty chain that you're
> referring to is a user-defined chain,
> but I didn't get what you mean by "the -m state rule" since in my
> example I didn't use the state module.
>
> But in any case, doesn't the FORWARD chain only account for forwarded
> packets through the machine? What about locally generated packets?
>
> Thanks
>

Maybe you can use the mangle POSTROUTING chain...

Swifty



* Re: NAT POSTROUTING accounting
  2006-10-16 12:28     ` Gáspár Lajos
@ 2006-10-16 13:22       ` Kamal
  2006-10-16 14:03         ` Gáspár Lajos
  0 siblings, 1 reply; 7+ messages in thread
From: Kamal @ 2006-10-16 13:22 UTC (permalink / raw)
  To: netfilter

This is one way, but isn't there a more graceful way other than
putting duplicate entries in NAT POSTROUTING & mangle POSTROUTING.

Thanks

On 10/16/06, Gáspár Lajos <swifty@freemail.hu> wrote:
> Kamal wrote:
> > On 10/15/06, Martijn Lievaart <m@rtij.nl> wrote:
> >
> >> Create a separate rule in FORWARD that jumps to an empty chain. Put this
> >> rule before the -m state rule(s).
> >
> > I will try to guess that by FORWARD you mean the filter FORWARD chain
> > (as opposed to mangle FORWARD), & the empty chain that you're
> > referring to is a user-defined chain,
> > but I didn't get what you mean by "the -m state rule" since in my
> > example I didn't use the state module.
> >
> > But in any case, doesn't the FORWARD chain only account for forwarded
> > packets through the machine? What about locally generated packets?
> >
> > Thanks
> >
>
> Maybe you can use the mangle POSTROUTING chain...
>
> Swifty
>



* Re: NAT POSTROUTING accounting
  2006-10-16 13:22       ` Kamal
@ 2006-10-16 14:03         ` Gáspár Lajos
  2006-10-16 17:40           ` Kamal
  0 siblings, 1 reply; 7+ messages in thread
From: Gáspár Lajos @ 2006-10-16 14:03 UTC (permalink / raw)
  To: Kamal; +Cc: netfilter

Kamal wrote:
> This is one way, but isn't there a more graceful way other than
> putting duplicate entries in NAT POSTROUTING & mangle POSTROUTING.
>
> Thanks
>
Hmm... I do not understand you clearly... What do you mean "more 
graceful"... ? :)

1. You may do some changes on the packets... (SNAT/DNAT, etc...)

2.a. You have to mark or identify the packets you want to count in other 
chains ... (MARK target or direct rules)

2.b. You can use the mangle POSTROUTING chain for counting specified 
packets because this is the "last" chain BEFORE every packet leaves the 
system.
(I know that there is a "raw" table...)

So... How do you want to do it "more graceful" ?

Swifty



* Re: NAT POSTROUTING accounting
  2006-10-16 14:03         ` Gáspár Lajos
@ 2006-10-16 17:40           ` Kamal
  0 siblings, 0 replies; 7+ messages in thread
From: Kamal @ 2006-10-16 17:40 UTC (permalink / raw)
  To: netfilter

On 10/16/06, Gáspár Lajos <swifty@freemail.hu> wrote:


mangle POSTROUTING comes before nat POSTROUTING so nat POSTROUTING is
the last chain in a packet traversal as per:
http://iptables-tutorial.frozentux.net/images/tables_traverse.jpg

So replying to your email:
> 1. You may do some changes on the packets... (SNAT/DNAT, etc...)
How  would SNAT or DNAT help in accounting?

> 2.a. You have to mark or identify the packets you want to count in other
> chains ... (MARK target or direct rules)
Since nat POSTROUTING is the last chain I wouldn't be able to mark it
after the packet is SNATted.

> 2.b. You can use the mangle POSTROUTING chain for counting specified
> packets because this is the "last" chain BEFORE every packet leaves the
> system.
> (I know that there is a "raw" table...)
As I said POSTROUTING mangle comes before POSTROUTING nat.

If it were after it then I would have the following:

 iptables -t nat -I POSTROUTING -o eth0 -p tcp --dport 80 -j SNAT --to 192.168.0.1
 iptables -t nat -I POSTROUTING -o eth0 -p tcp --dport 25 -j SNAT --to 192.168.0.1
 iptables -t nat -I POSTROUTING -o eth0 -p tcp --dport 443 -j SNAT --to 192.168.0.1
 iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to 192.168.0.2

then I would have added
iptables -t mangle -I POSTROUTING -o eth0 -s 192.168.0.1 -j ACCEPT
iptables -t mangle -I POSTROUTING -o eth0 -s 192.168.0.2 -j ACCEPT

which would have been a nice solution

But since mangle POSTROUTING is before nat POSTROUTING, then the above
wouldn't work & I would have to add a statement in mangle POSTROUTING
for every nat rule:
iptables -t mangle -I POSTROUTING -o eth0 -p tcp --dport 80 -j ACCEPT
iptables -t mangle -I POSTROUTING -o eth0 -p tcp --dport 25 -j ACCEPT
iptables -t mangle -I POSTROUTING -o eth0 -p tcp --dport 443 -j ACCEPT
iptables -t mangle -I POSTROUTING -o eth0 -j ACCEPT

And that's what I meant by "not very graceful".

Thanks


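Added example, not from the thread or from any of its participants: a POSIX shell script that derives the one-mangle-rule-per-nat-rule accounting set Kamal describes above from `iptables-save -t nat` output, placing the counters in a user-defined chain (as Martijn suggested) so they need not be maintained by hand. The chain name `acct_snat`, the function names and the sample nat ruleset are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): generate mangle-table accounting
# rules that mirror the nat POSTROUTING SNAT rules one for one.
#
# Why mangle: nat POSTROUTING counters only see the first packet of each
# connection; mangle POSTROUTING sees every packet. It runs BEFORE SNAT,
# so the copied matches must be on pre-NAT fields (-o, -p, --dport), which
# is exactly what the nat rules match on anyway.

# Constructed sample of `iptables-save -t nat` output (not a real capture).
SAMPLE_NAT_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.0.1
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 25 -j SNAT --to-source 192.168.0.1
-A POSTROUTING -o eth0 -j SNAT --to-source 192.168.0.2
COMMIT'

# gen_acct_rules CHAIN: read iptables-save nat output on stdin and print the
# iptables commands that build user chain CHAIN in the mangle table with one
# counting rule per SNAT rule, in the same order as the nat rules (so the
# first-match semantics of the two chains line up).
# RETURN rather than ACCEPT is used so any later mangle POSTROUTING rules
# still run after the jump; the counters are kept per rule either way.
gen_acct_rules() {
    chain="$1"
    printf 'iptables -t mangle -N %s\n' "$chain"
    printf 'iptables -t mangle -A POSTROUTING -j %s\n' "$chain"
    # keep only the match part of each POSTROUTING SNAT rule, drop the target
    sed -n "s/^-A POSTROUTING \(.*\) -j SNAT .*/iptables -t mangle -A $chain \1 -j RETURN/p"
}

# count_acct_rules: how many counting rules the sample ruleset produces
count_acct_rules() {
    printf '%s\n' "$SAMPLE_NAT_RULES" | gen_acct_rules acct_snat | grep -c -- '-j RETURN'
}

# Running the script only prints the generated commands; nothing is applied.
printf '%s\n' "$SAMPLE_NAT_RULES" | gen_acct_rules acct_snat
```

Read the counters afterwards with `iptables -t mangle -L acct_snat -v -n -x`; unlike the nat listing, they grow for every packet rather than only for the packet that created each connection.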
