* [LARTC] NAT statistics
From: Sebastian Taralunga @ 2002-03-14  9:30 UTC
  To: lartc


Hi,

I want to be able to get statistics per IP address for both incoming and
outgoing traffic on a NAT server using iptables and kernel v2.4.18. I actually
have the same problem for a server running kernel v2.2.20, using ipchains. Can
anyone help me?

Regards,

Sebastian

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] NAT statistics
From: VaibhaV Sharma @ 2002-03-14  9:44 UTC
  To: lartc

Hello,
See the -v option in man iptables


       -v, --verbose
              Verbose output.  This option makes the list command
              show the interface address, the rule options (if
              any), and the TOS masks.  The packet and byte
              counters are also listed, with the suffix 'K', 'M' or
              'G' for 1000, 1,000,000 and 1,000,000,000 multipliers
              respectively (but see the -x flag to change
              this).  For appending, insertion, deletion and
              replacement, this causes detailed information on
              the rule or rules to be printed.


This would give you the amount of data transferred for each rule that you
have in your firewall as one of the columns.

I wrote a small script to extract amount of data for each client I am
allowing FORWARD. The script takes the IP address of the machine you wanna
find info about as the command line parameter.

------------------------------------------------
#!/bin/sh
# Print the byte counter of the ACCEPT rule (outside INPUT/OUTPUT) whose
# line contains the IP address given as $1.  The cut field numbers are
# tuned to the column layout of my own rule set.
# grep -F -w matches the address literally and as a whole word, so
# 192.168.130.2 does not also match 192.168.130.20.

details=$(/sbin/iptables -L -v -n | grep ACCEPT | grep -v INPUT | grep -v OUTPUT \
          | tr -s " " | grep -Fw "$1" | cut -d" " -f 3,9,12)

bytes=$(echo "$details" | cut -d" " -f1)
ip=$(echo "$details" | cut -d" " -f2)

echo "IP address $ip transferred $bytes bytes."

------------------------------------------------

The cut thingies are customised to the output I get for my rules. Check
yours and modify.

VaibhaV




 \                                                                  \
  \------------------------------------------------------------------\
\  |VaibhaV Sharma     |     vaibhav@exocore.com  |   L I N U X   \  |
 \ |Exocore Consulting |  http://www.exocore.com  |                \ |
  \|Bangalore, India   |  +91(80)3440397,3341137  |   R O C K S     \|
   \-----------------------------------------------------------------/

* Re: [LARTC] NAT statistics
From: Sebastian Taralunga @ 2002-03-14 13:43 UTC
  To: lartc


Thank you VaibhaV,

Your script works just fine; however, my problem is to get traffic information
about both downlink and uplink on a NAT server. Do you know which iptables rules
I should use to be able to see such information? Right now my rules look like
this (generated by iptables-save):

*nat
:PREROUTING ACCEPT [1372:944647]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.130.2 -j MASQUERADE
-A POSTROUTING -s 192.168.130.3 -j MASQUERADE

-----

Regards,

Sebastian



* Re: [LARTC] NAT statistics
From: Tobias Geiger @ 2002-03-14 13:56 UTC
  To: lartc

Hello,

you can use the ipac-ng (http://sourceforge.net/projects/ipac-ng/) toolset to implement counters with iptables.
ipac-ng generates iptables rules just for accounting; this data can be
summarized and even graphed. (I use mrtg for graphing the data, but
ipac-ng includes a graph generator itself.)

I hope that's what you were looking for.

Tobias


* RE: [LARTC] NAT statistics
From: Steele, Tom @ 2002-03-14 20:24 UTC
  To: lartc

I don't know if this is the "proper" way to go about doing this, but here is
one way you could get it done with ip rule and realms.  This requires the
iproute2 package to be installed, and all of the pretty policy routing
options enabled in the kernel.  This would only be practical for a small
number of addresses, but it looks like you only have 2 so I don't think it
will be a big deal.

1) Edit /etc/iproute2/rt_realms and add an entry for each IP address you
want to monitor.  The format is:
<number>     <realmname>
so:
1            host1
2            host2

2) Then add rules to match the packets to realms (host1 and host2 are the
realm names):

/sbin/ip rule add from 192.168.130.2/32 lookup table main realms host1
/sbin/ip rule add from 192.168.130.3/32 lookup table main realms host2

This will assign the traffic from specific hosts to your realms for
accounting, while still looking up the main routing table.  After this is
done, just type rtacct to see the breakdown of packets on each
realm (hence address) by to/from in bytes and number of packets.  This may not
be the way you were looking for, but hey...it works and it's fun.  Hope this
helps.

******************
Tom Steele
Comm/Systems Engineer
Children's Hospital
Omaha, NE
tsteele@chsomaha.org 





* RE: [LARTC] NAT statistics
From: Steele, Tom @ 2002-03-14 20:50 UTC
  To: lartc

> 2) Then add rules to match the packets to realms.
> /sbin/ip rule add from 192.168.130.2/32 lookup table main realms host1 (the
> realm name)
> /sbin/ip rule add from 192.168.130.3/32 lookup table main realms host2

Oops...sorry, little bit of wrong syntax on ip rule.  It should be either
"table main" or "lookup main"; both are valid.  So it should be:

ip rule add from 192.168.130.2/32 lookup main realms host1

******************
Tom Steele
Comm/Systems Engineer
Children's Hospital
Omaha, NE
tsteele@chsomaha.org 

* Re: [LARTC] NAT statistics
From: VaibhaV Sharma @ 2002-03-15  4:59 UTC
  To: lartc

Well,
the iptables accounting thingy would give you bytes transferred only for
the rules that you have in your firewall. It's a cruddy way of doing
things, but if you want both incoming and outgoing traffic logging, put in
dummy rules for incoming and outgoing traffic on a per-IP basis.

e.g. just giving you an example: by default, all incoming packets are set
to ACCEPT in the INPUT chain. If you wanna know how much traffic is coming
from your clients to your machine, put in INPUT ACCEPT rules for each
machine. You'll now get bytes transferred for these rules. Extract the
info and use it.

This would get cruddy if you have tons of machines sitting behind your
firewall. A better way to do it is to use some network sniffing tool which can
generate stats, which of course is not in the scope of discussions on this
list.

I dunno if there is a better way of doing this using iptables. Maybe
someone else can shed some light on this.

VaibhaV



 \                                                                  \
  \------------------------------------------------------------------\
\  |VaibhaV Sharma     |     vaibhav@exocore.com  |   L I N U X   \  |
 \ |Exocore Consulting |  http://www.exocore.com  |                \ |
  \|Bangalore, India   |  +91(80)3440397,3341137  |   R O C K S     \|
   \-----------------------------------------------------------------/
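Added example, not code from the thread, from ipac-ng or from any poster: it writes the counting-only per-host rules VaibhaV describes (one -s and one -d rule each, no -j target, so they count without changing what the firewall accepts) into the filter FORWARD chain, where both directions of a MASQUERADE box still carry the LAN host's private address, and parses 'iptables -L FORWARD -v -n -x' output into per-host uplink/downlink byte totals for any number of hosts, which is what Sebastian's first script stopped short of. It assumes the iptables 1.2-era listing layout; the listing it parses is a constructed sample that reuses the 192.168.130.x addresses from Sebastian's rule set.

```shell
#!/bin/sh
# Added example: per-host uplink/downlink byte accounting for a MASQUERADE box.
# Not code from the thread; iptables -L column layout assumed as in 1.2.x.

# Emit (do not run) one pair of counting-only rules per LAN host.  A rule
# with no -j target never accepts or drops anything, it only bumps its
# pkts/bytes counters, so adding it cannot loosen the firewall's policy.
# Counting happens in filter/FORWARD, where both directions still carry the
# private address: nat/POSTROUTING (MASQUERADE) runs after FORWARD on the
# way out, and nat/PREROUTING un-NATs the replies before FORWARD on the way in.
#   -s <ip>  counts bytes the host sends    (uplink)
#   -d <ip>  counts bytes the host receives (downlink)
acct_rules() {
    for ip in "$@"; do
        echo "iptables -A FORWARD -s $ip"
        echo "iptables -A FORWARD -d $ip"
    done
}

# Read 'iptables -L FORWARD -v -n -x' on stdin and print
# "<ip> <uplink_bytes> <downlink_bytes>" per host, sorted by address.
# -x gives exact counters (no K/M/G suffix, see the man page excerpt above),
# -n keeps addresses numeric.  Rule lines start with the numeric pkts field;
# the header and "Chain ..." lines do not and are skipped.  The target column
# is blank for counting-only rules, so awk's whitespace splitting would shift
# field numbers; keying on the last two fields (source, destination) avoids
# that.  0.0.0.0/0 is the "any" wildcard and never names a host.
sum_bytes() {
    awk '
        $1 ~ /^[0-9]+$/ {
            bytes = $2; src = $(NF - 1); dst = $NF
            if (src != "0.0.0.0/0") { up[src] += bytes; seen[src] = 1 }
            if (dst != "0.0.0.0/0") { down[dst] += bytes; seen[dst] = 1 }
        }
        END {
            for (h in seen) printf "%s %d %d\n", h, up[h] + 0, down[h] + 0
        }
    ' | sort
}

# Constructed sample standing in for real 'iptables -L FORWARD -v -n -x'
# output on Sebastian's box (two hosts, rules as produced by acct_rules).
sample_listing() {
    cat <<'EOF'
Chain FORWARD (policy ACCEPT 4210 packets, 3871254 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120      98765            all  --  *      *       192.168.130.2        0.0.0.0/0
     340    1254321            all  --  *      *       0.0.0.0/0            192.168.130.2
      15       1200            all  --  *      *       192.168.130.3        0.0.0.0/0
       0          0            all  --  *      *       0.0.0.0/0            192.168.130.3
EOF
}

# On a live box (as root):   iptables -L FORWARD -v -n -x | sum_bytes
# Offline demo with the constructed listing:   sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    acct_rules 192.168.130.2 192.168.130.3
    sample_listing | sum_bytes
fi
```

Counters survive only until the rule is flushed or zeroed (iptables -Z), so a periodic reader that stores the totals elsewhere is needed for anything longer than the firewall's uptime.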
