bandwidth counting

bandwidth counting

[Bob Miller]

Greetings,
I am not sure what it is about iptables, to me it's like a level 7 spell
and I am only a level 6 mage.  I (think I) understand the concepts when
I read them, but whenever I try to implement them, they seldom come out
as I expect them too.
I have a debian box I use as a firewall, I use the ipmasq package to
manage my iptables setup.
I saw an article some time ago on how to set up bandwidth monitoring
using iptables.  I wanted to use this idea to track how much data is
being passed across my external interface to see if it matches what my
ISP says, as well as to find out which computers on my lan were using
the data.  I also wanted to measure only the internet traffic from the
lan, and avoid counting the data destined for other lan targets - I am
not concerned with the intranet bandwidth.
I think the forward chain of the filter table should pass all packets I
want to keep track of, so I sent all packets on the forward chain to a
custom chain to count bandwidth, and I sent all the packets with a
source/dest ip from the lan passing through the forward chain to another
custom chain for counting.  
But the numbers dont' add up, I get a total of just over 2 GB for the
lan ips in both directions, but the total count on the forward chain is
11 GB.  I expected them to be very close to the same. 
So, obviously I don't have the understanding of the level 7 spell that I
thought I did.
I also think (thought) that the input and output chains of the filter
table should give me a total count of bandwidth on my external
interface, but some documentation I have been reading has me rethinking
that perhaps the prerouting chain on the raw table for incoming and
postrouting on the nat table for outgoing would give me a more accurate
count of what my ISP will count.
I am sure there are more ways to approach this than I wish to count, but
I would very much welcome some suggestions and comments on which
tables/chains would be best for my purposes...
Thank you :)

Bob Miller
334-7117/633-3760
http://computerisms.ca
bob@computerisms.ca
Network, Internet, Server,
and Open Source Solutions

Re: bandwidth counting

[Amos Jeffries]

Bob Miller wrote:
> Greetings,
> I am not sure what it is about iptables, to me it's like a level 7 spell
> and I am only a level 6 mage.  I (think I) understand the concepts when
> I read them, but whenever I try to implement them, they seldom come out
> as I expect them too.
> I have a debian box I use as a firewall, I use the ipmasq package to
> manage my iptables setup.
> I saw an article some time ago on how to set up bandwidth monitoring
> using iptables.  I wanted to use this idea to track how much data is
> being passed across my external interface to see if it matches what my
> ISP says, as well as to find out which computers on my lan were using
> the data.  I also wanted to measure only the internet traffic from the
> lan, and avoid counting the data destined for other lan targets - I am
> not concerned with the intranet bandwidth.
> I think the forward chain of the filter table should pass all packets I
> want to keep track of, so I sent all packets on the forward chain to a
> custom chain to count bandwidth, and I sent all the packets with a
> source/dest ip from the lan passing through the forward chain to another
> custom chain for counting.  
> But the numbers dont' add up, I get a total of just over 2 GB for the
> lan ips in both directions, but the total count on the forward chain is
> 11 GB.  I expected them to be very close to the same. 
> So, obviously I don't have the understanding of the level 7 spell that I
> thought I did.
> I also think (thought) that the input and output chains of the filter
> table should give me a total count of bandwidth on my external
> interface, but some documentation I have been reading has me rethinking
> that perhaps the prerouting chain on the raw table for incoming and
> postrouting on the nat table for outgoing would give me a more accurate
> count of what my ISP will count.
> I am sure there are more ways to approach this than I wish to count, but
> I would very much welcome some suggestions and comments on which
> tables/chains would be best for my purposes...

I hit this same problem myself.
It turns out that FORWARD in filter only sees packets destined to other 
boxes on the network.

What you need to monitor is the mangle table. That table sees everything 
going in/out of the box.

AYJ

Re: bandwidth counting

[Thomas Jacob]

[-- Attachment #1: Type: text/plain, Size: 755 bytes --]

On Fri, 2009-09-25 at 20:29 -0700, Bob Miller wrote:
> But the numbers dont' add up, I get a total of just over 2 GB for the
> lan ips in both directions, but the total count on the forward chain is
> 11 GB.  I expected them to be very close to the same. 
> So, obviously I don't have the understanding of the level 7 spell that I
> thought I did.

If you'd post some details on how your FORWARD chain is setup, people
on the list might be able to say more.

In general though, all forwarded packets pass through the FORWARD chain,
so your approach should work in the end. You might also want to look
into ipt_ACCOUNT to give you an easy way to collect details on your
LAN-IPs.

http://www.intra2net.com/en/developer/ipt_ACCOUNT/index.php

[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 5414 bytes --]