Linux Netfilter discussions
From: Yan Seiner <yan@seiner.com>
To: netfilter@vger.kernel.org
Subject: proxy and quotas
Date: Sun, 24 May 2015 12:11:03 -0700
Message-ID: <55622247.90308@seiner.com>

I'm trying to get quotas working.  Earlier I posted a query about the 
proxy module not working correctly.  In my attempts to diagnose the 
problem I came up with another issue.

Right now, the 'guests' - those users who do not have credentials - use 
an unsecured network.  I am trying to figure out how to limit them to a 
quota.

However, I also have a proxy which gives my guests the ability to get to 
the internet either directly through the FORWARD chain or via the proxy 
through the INPUT chain.

So....  If I want to limit a user to a hard quota, how should I 
structure my iptables rules?

Not all packets go through the PREROUTING chain, and once the routing 
decision is done, they go either through the INPUT chain to the proxy or 
through the FORWARD chain to the outside via POSTROUTING.

On the return leg they repeat the process; come in on PREROUTING, get 
de-MASQ'd, and either go through FORWARD or INPUT and then out to the 
guest user via POSTROUTING.

I could put my accounting rules in POSTROUTING but then I lose the 
source or destination information.

Is there a place in PRE- or POSTROUTING that is guaranteed to see every 
packet?

Thanks.
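One rule structure that answers the question above, as an added example and not part of the original post: a per-guest accounting chain in the mangle table that is jumped to from PREROUTING (before the INPUT/FORWARD split, so it sees both the proxied and the directly forwarded path) and from POSTROUTING (which sees replies leaving toward the guest whether they came via FORWARD or from the proxy via OUTPUT, after de-MASQ, so the guest address is still the destination). The chain name GUEST_<ip>, the interface and the byte counts are constructed assumptions; by default the script only prints the iptables commands.

```shell
#!/bin/sh
# Added example, not code from the original post. IPT defaults to a dry run
# that prints the commands; run with IPT=iptables to apply them for real.
IPT=${IPT:-"echo iptables"}

# guest_quota_rules IFACE GUEST_IP BYTES
# Emits the rules for one guest. The chain name GUEST_<ip> is an assumption.
guest_quota_rules() {
    iface=$1; guest=$2; bytes=$3
    chain="GUEST_$(printf '%s' "$guest" | tr . _)"

    # Per-guest chain: a single quota counter, so both directions and both
    # the direct (FORWARD) and proxied (INPUT/OUTPUT) paths draw on it.
    # While quota remains the match succeeds and the packet RETURNs; once it
    # is exhausted the match fails and the packet is dropped.
    $IPT -t mangle -N "$chain"
    $IPT -t mangle -A "$chain" -m quota --quota "$bytes" -j RETURN
    $IPT -t mangle -A "$chain" -j DROP

    # Guest -> anywhere: every packet arriving on the guest interface passes
    # mangle PREROUTING before the routing decision splits INPUT and FORWARD.
    $IPT -t mangle -A PREROUTING -i "$iface" -s "$guest" -j "$chain"

    # Anywhere -> guest: every packet leaving on the guest interface passes
    # mangle POSTROUTING; nat PREROUTING has already undone MASQUERADE, so the
    # guest's own address is the destination here for forwarded and proxy
    # replies alike.
    $IPT -t mangle -A POSTROUTING -o "$iface" -d "$guest" -j "$chain"
}

# guest_quota_show GUEST_IP
# Lists the chain with byte counters. Note that a rules reload (for example
# iptables-restore) recreates the chain and resets the quota counter.
guest_quota_show() {
    $IPT -t mangle -L "GUEST_$(printf '%s' "$1" | tr . _)" -v -n -x
}
```

The quota match counts every byte that reaches the chain, so the same guest_quota_rules call gives one hard cap covering upload and download on both the proxied and the forwarded path.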
