NAT POSTROUTING accounting

All of lore.kernel.org
 help / color / mirror / Atom feed

* NAT POSTROUTING accounting
@ 2006-10-15 14:43 Kamal
  2006-10-15 18:09 ` Martijn Lievaart
  0 siblings, 1 reply; 7+ messages in thread
From: Kamal @ 2006-10-15 14:43 UTC (permalink / raw)
  To: netfilter

I have the following 2 rules:
 iptables -t nat -I POSTROUTING -o eth0 -p tcp --dport 80 -j SNAT --to
192.168.0.1
 iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to  192.168.0.2

 How can I do accounting on TOTAL number of packets & bytes that pass
through both rules since the packets & bytes that appear when listing
the chain reflect the number of packets creating new connections & not
all the packets that are NAT'ed. Also you can't add a chain in front
of this chain since NAT POSTROUTING is the last chain in a packet
traversal:

 Chain POSTROUTING (policy ACCEPT 2593 packets, 1181K bytes)
  pkts bytes target     prot opt in     out     source               destination
  2259  114K SNAT       tcp  --  *      eth0     0.0.0.0/0
0.0.0.0/0           tcp dpt:80 to:192.168.0.1
  223K   15M SNAT       all  --  *      eth0    0.0.0.0/0
0.0.0.0/0           to:192.168.0.2

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: NAT POSTROUTING accounting
  2006-10-15 14:43 NAT POSTROUTING accounting Kamal
@ 2006-10-15 18:09 ` Martijn Lievaart
  2006-10-16 12:00   ` Kamal
  0 siblings, 1 reply; 7+ messages in thread
From: Martijn Lievaart @ 2006-10-15 18:09 UTC (permalink / raw)
  To: Kamal; +Cc: netfilter

Kamal wrote:

> I have the following 2 rules:
> iptables -t nat -I POSTROUTING -o eth0 -p tcp --dport 80 -j SNAT --to
> 192.168.0.1
> iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to  192.168.0.2
>
> How can I do accounting on TOTAL number of packets & bytes that pass
> through both rules since the packets & bytes that appear when listing
> the chain reflect the number of packets creating new connections & not
> all the packets that are NAT'ed. Also you can't add a chain in front
> of this chain since NAT POSTROUTING is the last chain in a packet
> traversal:
>
> Chain POSTROUTING (policy ACCEPT 2593 packets, 1181K bytes)
>  pkts bytes target     prot opt in     out     source               
> destination
>  2259  114K SNAT       tcp  --  *      eth0     0.0.0.0/0
> 0.0.0.0/0           tcp dpt:80 to:192.168.0.1
>  223K   15M SNAT       all  --  *      eth0    0.0.0.0/0
> 0.0.0.0/0           to:192.168.0.2
>

Create a seperate rule in FORWARD that jumps to an empty chain. Put this 
rule before the -m state rule(s).

HTH,
M4



^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: NAT POSTROUTING accounting
  2006-10-15 18:09 ` Martijn Lievaart
@ 2006-10-16 12:00   ` Kamal
  2006-10-16 12:28     ` Gáspár Lajos
  0 siblings, 1 reply; 7+ messages in thread
From: Kamal @ 2006-10-16 12:00 UTC (permalink / raw)
  To: netfilter

On 10/15/06, Martijn Lievaart <m@rtij.nl> wrote:

> Create a seperate rule in FORWARD that jumps to an empty chain. Put this
> rule before the -m state rule(s).

I will try to guess that by FORWARD you mean the filter FORWARD chain
(as opposed to mangle FORWARD), & the empty chain that you're
referring to is a user-defined chain,
but I didn't get what you eman by "the -m state rule" since in my
example I didn't use the state module.

But in any case, doesn't the FORWARD chain only accounts for forwarded
packets through the machine. What about locally generated packets?

Thanks

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: NAT POSTROUTING accounting
  2006-10-16 12:00   ` Kamal
@ 2006-10-16 12:28     ` Gáspár Lajos
  2006-10-16 13:22       ` Kamal
  0 siblings, 1 reply; 7+ messages in thread
From: Gáspár Lajos @ 2006-10-16 12:28 UTC (permalink / raw)
  To: Kamal; +Cc: netfilter

Kamal írta:
> On 10/15/06, Martijn Lievaart <m@rtij.nl> wrote:
>
>> Create a seperate rule in FORWARD that jumps to an empty chain. Put this
>> rule before the -m state rule(s).
>
> I will try to guess that by FORWARD you mean the filter FORWARD chain
> (as opposed to mangle FORWARD), & the empty chain that you're
> referring to is a user-defined chain,
> but I didn't get what you eman by "the -m state rule" since in my
> example I didn't use the state module.
>
> But in any case, doesn't the FORWARD chain only accounts for forwarded
> packets through the machine. What about locally generated packets?
>
> Thanks
>

Maybe you can use the mangle POSTROUTING chain...

Swifty


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: NAT POSTROUTING accounting
  2006-10-16 12:28     ` Gáspár Lajos
@ 2006-10-16 13:22       ` Kamal
  2006-10-16 14:03         ` Gáspár Lajos
  0 siblings, 1 reply; 7+ messages in thread
From: Kamal @ 2006-10-16 13:22 UTC (permalink / raw)
  To: netfilter

This is one way, but isn't there a more graceful way other than
putting duplicate entries in NAT POSTROUTING & mangle POSTROUTING.

Thanks

On 10/16/06, Gáspár Lajos <swifty@freemail.hu> wrote:
> Kamal írta:
> > On 10/15/06, Martijn Lievaart <m@rtij.nl> wrote:
> >
> >> Create a seperate rule in FORWARD that jumps to an empty chain. Put this
> >> rule before the -m state rule(s).
> >
> > I will try to guess that by FORWARD you mean the filter FORWARD chain
> > (as opposed to mangle FORWARD), & the empty chain that you're
> > referring to is a user-defined chain,
> > but I didn't get what you eman by "the -m state rule" since in my
> > example I didn't use the state module.
> >
> > But in any case, doesn't the FORWARD chain only accounts for forwarded
> > packets through the machine. What about locally generated packets?
> >
> > Thanks
> >
>
> Maybe you can use the mangle POSTROUTING chain...
>
> Swifty
>


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: NAT POSTROUTING accounting
  2006-10-16 13:22       ` Kamal
@ 2006-10-16 14:03         ` Gáspár Lajos
  2006-10-16 17:40           ` Kamal
  0 siblings, 1 reply; 7+ messages in thread
From: Gáspár Lajos @ 2006-10-16 14:03 UTC (permalink / raw)
  To: Kamal; +Cc: netfilter

Kamal írta:
> This is one way, but isn't there a more graceful way other than
> putting duplicate entries in NAT POSTROUTING & mangle POSTROUTING.
>
> Thanks
>
Hmm... I do not understand you clearly... What do you mean "more 
graceful"... ? :)

1. You may do some changes on the packets... (SNAT/DNAT, etc...)

2.a. You have to mark or identify the packets you want to count in other 
chains ... (MARK target or direct rules)

2.b. You can use the mangle POSTROUTING chain for counting specified 
packets because this is the "last" chain BEFORE every packet leaves the 
system.
(I know that there is a "raw" table...)

So... How do you want to do it "more graceful" ?

Swifty

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: NAT POSTROUTING accounting
  2006-10-16 14:03         ` Gáspár Lajos
@ 2006-10-16 17:40           ` Kamal
  0 siblings, 0 replies; 7+ messages in thread
From: Kamal @ 2006-10-16 17:40 UTC (permalink / raw)
  To: netfilter

On 10/16/06, Gáspár Lajos <swifty@freemail.hu> wrote:


mangle POSTROUTING comes before nat POSTROUTING so nat POSTROUTING is
the last chain in a packet traversal as per:
http://iptables-tutorial.frozentux.net/images/tables_traverse.jpg

So replying to your email:
> 1. You may do some changes on the packets... (SNAT/DNAT, etc...)
How  would SNAT or DNAT help in accounting?

> 2.a. You have to mark or identify the packets you want to count in other
> chains ... (MARK target or direct rules)
Since nat POSTROUTING is the last chain I wouldn't be able to mark it
after the packet is SNATte'd.

> 2.b. You can use the mangle POSTROUTING chain for counting specified
> packets because this is the "last" chain BEFORE every packet leaves the
> system.
> (I know that there is a "raw" table...)
As I said POSTROUTING mangle comes before POSTROUTING nat.

If it were after it then I would have the following:

 iptables -t nat -I POSTROUTING -o eth0 -p tcp --dport 80 -j SNAT --to
192.168.0.1
 iptables -t nat -I POSTROUTING -o eth0 -p tcp --dport 25 -j SNAT --to
192.168.0.1
 iptables -t nat -I POSTROUTING -o eth0 -p tcp --dport 443 -j SNAT --to
192.168.0.1
 iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to  192.168.0.2

then I would have added
iptables -t mangle -I POSTROUTING -o eth0 -s 192.168.0.1 -j ACCEPT
iptables -t mangle -I POSTROUTING -o eth0 -s 192.168.0.2 -j ACCEPT

which would have been a nice solution

But since mangle POSTROUTING is before nat POSTROUTING, then the above
wouldn't work & I would have to add a statement in mangle POSTROUTING
for every nat rule:
iptables -t mangle -I POSTROUTING -o eth0 -p tcp --dport 80 -j ACCEPT
iptables -t mangle-I POSTROUTING -o eth0 -p tcp --dport 25 -j ACCEPT
iptables -t mangle -I POSTROUTING -o eth0 -p tcp --dport 443 -j ACCEPT
iptables -t mangle -I POSTROUTING -o eth0 -j ACCEPT

And that's what I meant by "not very graceful".

Thanks


^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2006-10-16 17:40 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-10-15 14:43 NAT POSTROUTING accounting Kamal
2006-10-15 18:09 ` Martijn Lievaart
2006-10-16 12:00   ` Kamal
2006-10-16 12:28     ` Gáspár Lajos
2006-10-16 13:22       ` Kamal
2006-10-16 14:03         ` Gáspár Lajos
2006-10-16 17:40           ` Kamal

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.