netfilter.vger.kernel.org archive mirror
* ACCOUNT target
@ 2010-04-29 22:22 Bob Miller
  2010-05-04  9:34 ` Thomas Jacob
  0 siblings, 1 reply; 3+ messages in thread
From: Bob Miller @ 2010-04-29 22:22 UTC (permalink / raw)
  To: netfilter

Hello,
I am of the understanding that the ACCOUNT target does not count ARP,
ICMP, etc, and that it does count TCP.  I am wondering if it counts UDP.
I find no mention on google one way or the other...

Bob Miller
334-7117/633-3760
http://computerisms.ca
bob@computerisms.ca
Network, Internet, Server,
and Open Source Solutions



* Re: ACCOUNT target
  2010-04-29 22:22 ACCOUNT target Bob Miller
@ 2010-05-04  9:34 ` Thomas Jacob
       [not found]   ` <1272990910.2143.303.camel@laplaplian>
  0 siblings, 1 reply; 3+ messages in thread
From: Thomas Jacob @ 2010-05-04  9:34 UTC (permalink / raw)
  To: Bob Miller; +Cc: netfilter

On Thu, 2010-04-29 at 15:22 -0700, Bob Miller wrote:
> Hello,
> I am of the understanding that the ACCOUNT target does not count ARP,
> ICMP, etc, and that it does count TCP.  I am wondering if it counts UDP.
> I find no mention on google one way or the other...

AFAIK, the ACCOUNT target (the one developed by Intra2Net, there
are/were others) counts all IPv4 packets matched by the rule
you use this target in. 

So your ruleset determines what is counted and what isn't.

Now, ARP (which technically isn't an IPv4 layer 4 protocol but a
supporting layer 2/3 protocol for IPv4) isn't normally matched by
iptables, unless you run a transparent (layer 2) firewall, and even then
you'll probably need to use ebtables or arptables to match ARP
packets.

http://ebtables.sourceforge.net/
http://linux.die.net/man/8/arptables



* Re: ACCOUNT target
       [not found]   ` <1272990910.2143.303.camel@laplaplian>
@ 2010-05-04 16:56     ` Thomas Jacob
  0 siblings, 0 replies; 3+ messages in thread
From: Thomas Jacob @ 2010-05-04 16:56 UTC (permalink / raw)
  To: Bob Miller; +Cc: netfilter

On Tue, 2010-05-04 at 09:35 -0700, Bob Miller wrote:
> Interesting, I was not aware there were others.  I am using the
> xtables-addons package, and the documentation on the intra2net site
> seems to work as it says it should, so I am operating under the
> assumption it is that one...

Well, I don't know whether these are still being maintained but there
is for instance this one
http://code.google.com/p/ipt-account/wiki/Software

Anyway, yes, the xtables-addons package is the one by intra2net.

> >  counts all IPv4 packets matched by the rule
> > you use this target in. 
> > 
> > So your ruleset determines what is counted and what isn't.
> 
> If I may say this back to you differently to ensure I understand, the
> '-j ACCOUNT' target takes a subnet parameter (--addr 192.168.10.0/24),
> so any packet passing iptables with headers containing an IP address
> within that subnet will be counted regardless of protocol?  If I wanted
> to count only tcp or udp packets, I would then add a '-p tcp' or some
> such to the rule?  If this is true, then ICMP packets also have IP
> addresses, so the subnet parameter would match ICMP as well?

The actual packet matching is done by iptables proper, and -j ACCOUNT
then reduces the matched packets further with the --addr parameter,
which is primarily needed to calculate the size of the internal data
structures.

So a forwarded packet IP:1.1.1.1->2.2.2.2 would be matched by this rule
"-A FORWARD -j ACCOUNT --addr 192.168.10.0/24" but then not be
accounted, whereas IP:1.1.1.1->192.168.10.2 would be matched and then
also be accounted.

I guess the idea is to be able to match only some part of a datastream
and ignore the rest, without having to specify iptables matchers for
that part as well, even though this probably would be more efficient.

i.e. 
-A FORWARD -j ACCOUNT --addr 192.168.10.128/25
does the same as 

-A FORWARD -s 192.168.10.128/25  -j ACCOUNT --addr 192.168.10.128/25
-A FORWARD -d 192.168.10.128/25  -j ACCOUNT --addr 192.168.10.128/25


And yes, if you do not specify -p, all IPv4 layer 4 protocols are
matched, even ICMP.

Cf. http://www.networksorcery.com/enp/protocol/ip.htm#Protocol


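The two-stage behaviour Thomas describes (iptables matchers decide what the rule sees, then ACCOUNT's --addr decides what is actually counted) is easy to get wrong when auditing an accounting ruleset. The following is an added model written for this archive page; it is not code from the thread, from xtables-addons or from Intra2Net. It assumes, following the -s/-d equivalence given above, that --addr selects a packet when either its source or its destination lies in the subnet, and it models ACCOUNT as a non-terminating target so that every rule in the chain is consulted. The sample packets are constructed; only the two addresses quoted in the reply come from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str    # IPv4 source address
    dst: str    # IPv4 destination address
    proto: str  # layer-4 protocol name, e.g. "tcp", "udp", "icmp"


@dataclass(frozen=True)
class AccountRule:
    """Model of one '-A FORWARD [-s X] [-d Y] [-p P] -j ACCOUNT --addr NET' rule."""
    addr: str                    # the --addr subnet handed to ACCOUNT
    src: Optional[str] = None    # -s matcher, None if absent
    dst: Optional[str] = None    # -d matcher, None if absent
    proto: Optional[str] = None  # -p matcher, None means every IPv4 protocol


def _in_net(ip: str, net: Optional[str]) -> bool:
    """True when ip lies in net; an absent matcher (None) matches everything."""
    if net is None:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def iptables_matches(rule: AccountRule, pkt: Packet) -> bool:
    """Matching done by iptables proper: every matcher given must hold.
    Without -p, every IPv4 layer-4 protocol matches, ICMP included."""
    return (_in_net(pkt.src, rule.src)
            and _in_net(pkt.dst, rule.dst)
            and (rule.proto is None or rule.proto == pkt.proto))


def account_selects(rule: AccountRule, pkt: Packet) -> bool:
    """ACCOUNT's own --addr filter (assumption: source OR destination
    inside the --addr subnet), applied only to packets the rule matched."""
    return _in_net(pkt.src, rule.addr) or _in_net(pkt.dst, rule.addr)


def evaluate(rule: AccountRule, pkt: Packet) -> Tuple[bool, bool]:
    """Return (matched_by_iptables, accounted_by_ACCOUNT) for one rule."""
    matched = iptables_matches(rule, pkt)
    return matched, matched and account_selects(rule, pkt)


def ruleset_accounts(rules: List[AccountRule], pkt: Packet) -> bool:
    """True if at least one rule in the chain matches and accounts pkt.
    ACCOUNT is modelled as non-terminating, so all rules are consulted."""
    return any(evaluate(r, pkt)[1] for r in rules)


# Constructed sample traffic for the demonstration.
SAMPLE = [
    Packet("1.1.1.1", "2.2.2.2", "tcp"),
    Packet("1.1.1.1", "192.168.10.2", "udp"),
    Packet("192.168.10.200", "8.8.8.8", "icmp"),
    Packet("192.168.10.130", "192.168.10.140", "udp"),
]


def equivalence_check() -> bool:
    """Check the claim that a bare '-j ACCOUNT --addr NET' rule accounts the
    same packets as the pair of '-s NET' and '-d NET' rules."""
    net = "192.168.10.128/25"
    single = [AccountRule(addr=net)]
    pair = [AccountRule(addr=net, src=net), AccountRule(addr=net, dst=net)]
    return all(ruleset_accounts(single, p) == ruleset_accounts(pair, p)
               for p in SAMPLE)


if __name__ == "__main__":
    rule = AccountRule(addr="192.168.10.0/24")
    for p in SAMPLE:
        print(p, "matched/accounted:", evaluate(rule, p))
    print("single rule == -s/-d pair:", equivalence_check())
```

The boolean view in `ruleset_accounts` hides one difference worth knowing when comparing counters: with the two-rule form, a packet whose source and destination both sit in the subnet fires both rules and is counted twice, whereas the single --addr rule counts it once.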
