* Re: bandwidth again maybe O T
From: PayalR @ 2002-09-05 7:12 UTC
To: netfilter
Hi,
Thanks a lot for mails. Well, I think I get the general idea.
> However, to measure the amount of http traffic going to/from a specific IP
> address, put a couple of rules such as this in your FORWARD chain:
> iptables -I FORWARD -d a.b.c.d -p tcp --dport 80
> iptables -I FORWARD -s a.b.c.d -p tcp --sport 80
I wanted it for all protocols and not just http, so I modified your rule a bit
like:
iptables -I FORWARD -d 192.168.0.1 -p tcp
iptables -I FORWARD -s 192.168.0.1 -p tcp
These are the only two rules I have.
I tried to test it using
# iptables -L FORWARD -x -v
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source                destination
       0          0            tcp  --  any    any     localhost.localdomain anywhere
       0          0            tcp  --  any    any     anywhere              localhost.localdomain
I tried pinging it a few times, connecting to port 25, telnet, 80 etc. from the
local machine. But the number of bytes above does not change.
What must be wrong?
Thanks a lot in advance and bye.
-Payal
>
> You might want to run this command in a cron job every day (or perhaps more
> frequently) and then you can calculate daily traffic patterns throughout a
> month etc.
>
> You can reset the counters with
>
> iptables -Z FORWARD
>
> If you combine the -Z option with the earlier command, you will find out
> the values of the counters and then they will be (atomically) reset to zero
> so you can start counting a new day from zero.
>
> Antony.
* RE: bandwidth again maybe O T
From: Stewart Thompson @ 2002-09-05 7:54 UTC
To: PayalR, netfilter
Hi:
If the connections were to the local machine, they
wouldn't show up in the FORWARD chain, but in the INPUT chain.
Did you check all the counters? iptables -v -L.
Stu.........
* Re: bandwidth again maybe O T
From: Michael @ 2002-09-05 8:44 UTC
To: IPtables Users
Since you are pinging from localhost, I don't think the FORWARD chain is
traversed. The packets go straight to the OUTPUT chain. If the packets came
from somewhere else, and are to be forwarded by the host on which
iptables is running, then the packets will be seen and counted by FORWARD.
Place the rules in the OUTPUT chain, and you should see things from
localhost being counted.
Cheers,
Michael
* Re: bandwidth again maybe O T
From: Antony Stone @ 2002-09-05 10:00 UTC
To: netfilter
On Thursday 05 September 2002 11:33 am, Michael wrote:
> Ohh toss....
>
> My apologies, I shall clarify:
>
> If a packet originates from local processes, and is destined for a local
> process, the INPUT chain is traversed only.
That's not *quite* right - a packet from a local process to a local process
traverses both the OUTPUT and INPUT chains (in that order).
Antony
--
Documentation is like sex:
when it's good, it's very very good;
when it's bad, it's still better than nothing.
* Re: bandwidth again maybe O T
From: Michael @ 2002-09-05 10:33 UTC
To: IPtables Users
Ohh toss....
My apologies, I shall clarify:
If a packet originates from local processes, and is destined for a local
process, the INPUT chain is traversed only.
If a packet originates from local process and is destined for non local
process, the OUTPUT chain is traversed only.
If the packet originates from non local process, and is destined for
local process, the INPUT chain is traversed.
If a packet originates non-locally and is destined non-locally, it traverses
FORWARD.
All of the above without considering any NAT or MASQ...
Sorry for any confusion I might have caused.
Michael wrote:
> PayalR wrote:
> <snip>
>
> Since you are pinging from localhost, I don't think the FORWARD chain
> is traversed. The packets go straight to the OUTPUT chain. If the packets
> came from somewhere else, and are to be forwarded by the host on which
> iptables is running, then the packets will be seen and counted by FORWARD.
>
> Place the rules in the OUTPUT chain, and you should see things from
> localhost being counted.
Err, so long as the destination is non-local... Otherwise it will be seen
in the INPUT chain...
Cheers,
Michael
* Re: bandwidth again maybe O T
From: PayalR @ 2002-09-09 6:31 UTC
To: netfilter
Hi,
Thanks a lot for the mails. I am late to reply 'cos my connection was down
for 4 days.
Well, I put the rules like
iptables -I FORWARD -d 192.168.0.1 -p tcp
iptables -I FORWARD -s 192.168.0.1 -p tcp
Yes, I can see the logs by,
iptables -v -L
But there is nothing in FORWARD chain. The input and output chains are filled
up.
What is the problem?
Thanks a lot and bye.
-Payal
On Thursday 05 September 2002 01:24 pm, Stewart Thompson wrote:
> Hi:
>
> If the connections were to the local machine, they
> wouldn't show up in the FORWARD chain, but in the INPUT chain.
> Did you check all the counters? iptables -v -L.
>
> Stu.........
* Re: bandwidth again maybe O T
From: Antony Stone @ 2002-09-09 8:59 UTC
To: netfilter
On Monday 09 September 2002 7:31 am, PayalR wrote:
> Hi,
> Thanks a lot for the mails. I am late to reply 'cos my connection was down
> for 4 days.
> Well, I put the rules like
> iptables -I FORWARD -d 192.168.0.1 -p tcp
> iptables -I FORWARD -s 192.168.0.1 -p tcp
>
> Yes, I can see the logs by,
> iptables -v -L
> But there is nothing in FORWARD chain. The input and output chains are
> filled up.
> What is the problem?
Are you trying to count packets going in and out of the firewall machine, or
are you trying to count packets going through the firewall between two other
machines?
E.g. if you ping the firewall itself from some client, you will see packets
coming in on the INPUT chain, and replies go out the OUTPUT chain. This will not
generate any FORWARD packets at all.
If you ping machine A on one side of your firewall from machine B on the
other side of your firewall (neither A nor B actually is your firewall), then
you will see packets in the FORWARD chain but nothing in the INPUT or OUTPUT
chains.
Does this clarify things?
Antony.
--
There are two possible outcomes.
If the result confirms the hypothesis, then you've made a measurement.
If the result is contrary to the hypothesis, then you've made a discovery.
- Enrico Fermi
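The two points made across this thread, which chain actually sees a host's packets (Michael's and Antony's messages above) and how to read and reset the per-rule byte counters from cron (Antony's advice quoted in Payal's first message), as one added example. This is not code from the thread; the listing, host addresses and counter values are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): pick the chains that actually see a
# host's traffic, then parse `iptables -L <chain> -x -v -n` output to sum bytes.

# chains_for HOST_IS_FIREWALL: packets to/from a host behind the firewall
# traverse FORWARD only; packets to/from the firewall itself traverse
# INPUT (incoming) and OUTPUT (outgoing) instead, never FORWARD.
chains_for() {
  if [ "$1" = yes ]; then echo "INPUT OUTPUT"; else echo "FORWARD FORWARD"; fi
}

# emit_rules HOST HOST_IS_FIREWALL: print (do not run) the two counting rules.
# No -p, so all protocols are counted, as asked for in the thread.
emit_rules() {
  set -- "$1" $(chains_for "$2")
  echo "iptables -I $2 -d $1"
  echo "iptables -I $3 -s $1"
}

# count_bytes DIR HOST: sum the byte counter of rules whose destination (DIR=in)
# or source (DIR=out) is HOST, reading an `iptables -L CHAIN -x -v -n` listing
# from stdin. Works with or without a target column, since source and
# destination are always the last two fields and bytes is always the second.
count_bytes() {
  awk -v dir="$1" -v host="$2" '
    /^Chain / || $1 == "pkts" { next }   # skip chain and column headers
    NF >= 8 {
      src = $(NF-1); dst = $NF
      if (dir == "in"  && dst == host) sum += $2
      if (dir == "out" && src == host) sum += $2
    }
    END { printf "%d\n", sum + 0 }'
}

# daily_report HOST: one log line from one listing on stdin. A cron job would
# feed it `iptables -L FORWARD -x -v -n -Z` so counters are read and zeroed in one call.
daily_report() {
  listing=$(cat)
  in_b=$(printf '%s\n' "$listing" | count_bytes in "$1")
  out_b=$(printf '%s\n' "$listing" | count_bytes out "$1")
  echo "in=$in_b out=$out_b"
}

# Constructed listing, as `iptables -L FORWARD -x -v -n` would print it once
# traffic really is forwarded (values made up for the example).
SAMPLE='Chain FORWARD (policy ACCEPT 12 packets, 960 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     143     184320            all  --  *      *       0.0.0.0/0            192.168.0.1
      97      12880            all  --  *      *       192.168.0.1          0.0.0.0/0'
```

Run `printf '%s\n' "$SAMPLE" | daily_report 192.168.0.1` to see the in/out totals for the constructed listing; with the rules in a chain the traffic never traverses, both stay at 0, which is exactly what Payal saw.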