LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 09-09-2004, 10:25 AM   #1
mdkelly069
Member
 
Registered: Oct 2003
Posts: 43

Rep: Reputation: 15
Tracking internet usage with iptables


Hello,

Let me first say that I am still very new to iptables, but am slowly getting a handle on things.

I work in an office of about 12 employees and we are consistently running over our monthly traffic quota. What I want to do is set up some iptables rules that will log the internet usage, both input and output, of each individual computer on the LAN. We work more on an honour system so I really don't care what they are looking at, just how much they are looking.

I have read through many posts and googled for the subject, but most of it is a bit over my head still. One thing I did find was this:

Quote:
iptables -A INPUT -s 192.168.0.15 #tracks inbound data from machine .15
iptables -A OUTPUT -d 192.168.0.9 #tracks outbound to machine .9
and then

Quote:
iptables -L -v
to view the logged information.

I would be very appreciative if someone could explain this to me in a bit greater detail and also put forward any suggestions to achieve what I am trying to.

thanks
mdkelly
 
Old 09-09-2004, 12:00 PM   #2
Joubert79
Member
 
Registered: Jul 2004
Location: Manchester, UK
Distribution: Gentoo
Posts: 46

Rep: Reputation: 15
OK, so the -A option appends the rule to a chain. Three chains in your filter table are INPUT, OUTPUT and FORWARD, through which all incoming, outgoing and forwarded traffic passes, respectively. I guess really you want "-I INPUT 1" instead of "-A INPUT", and similarly for OUTPUT, since you want the rules at the beginning of the chain before the packets match any other rule.

For example packets destined for 192.168.0.9 from the local machine will match the rule added with
iptables -I OUTPUT 1 -d 192.168.0.9
The -d bit is the destination of the outbound packet. However, this rule has no action, and so the rule counters will increment (since the packet matched) and the packet will continue down the chain.

Similarly, incoming packets to the local machine from 192.168.0.15 will match the rule added with
iptables -I INPUT 1 -s 192.168.0.15
and rule counters will increment and the packet will continue on its way.

To keep a record on each machine you could add two actionless rules to each machine's iptables filter with something like
iptables -I INPUT 1
iptables -I OUTPUT 1

Or on your router, just as in the examples above, you could add the appropriate destination and source ips (ie with -d and -s). 'course the INPUT and OUTPUT bits might be the other way around at the router, since the router is doing the outputting to the lan machines input. Dunno though, I've never done this.

Indeed, "iptables -L -v" will give you the counters. I tend to use "iptables-save -c" to output the current state, so you might play with something like "iptables-save -c | grep '-A OUTPUT -d 192.168.0.15' | sed 's/\[[0-9]*://; s/\].*//'" to get the number of bytes outgoing to 192.168.0.15

Maybe you could write a script to check the number of bytes and email the appropriate person using mailx (or other) if they go over a threshold. Then run this script as an hourly cronjob.
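The grep/sed pipeline and the hourly threshold check from this reply, worked into a small script. This is an added example of mine, not Joubert79's code: SAMPLE_SAVE is a constructed stand-in for what "iptables-save -c" prints for two actionless counting rules (with -c, every rule is prefixed with "[packets:bytes]"), and the mail command in the cron sketch is assumed to be a local mailx-compatible mailer.

```shell
#!/bin/sh
# Added example (not from the thread): read per-host byte counters out of
# "iptables-save -c" output and compare them with a quota.
# SAMPLE_SAVE is constructed to look like that output for two counting rules;
# in the real cron job you would use "$(iptables-save -c)" in its place.
SAMPLE_SAVE='# Generated by iptables-save
*filter
:INPUT ACCEPT [10234:8123456]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9876:7654321]
[4200:5370112] -A INPUT -s 192.168.0.15/32
[1500:218112] -A OUTPUT -d 192.168.0.15/32
COMMIT'

# bytes_for_rule CHAIN MATCH IP
# Reads iptables-save -c output on stdin and prints the byte counter of the
# rule "-A CHAIN MATCH IP/32", e.g. "bytes_for_rule OUTPUT -d 192.168.0.15".
# Prints 0 when the rule is absent so callers always get a number.
bytes_for_rule() {
    chain=$1; match=$2; ip=$3
    # -F: fixed-string match, so the dots in the IP are not wildcards.
    # The trailing "/" stops 192.168.0.1 from also matching 192.168.0.15.
    # The two sed expressions strip "[packets:" and "] -A ..." around the bytes.
    count=$(grep -F -- "-A $chain $match $ip/" | sed 's/^\[[0-9]*://; s/\].*//')
    echo "${count:-0}"
}

# host_total_bytes SAVEDATA IP -- inbound plus outbound bytes for one host.
host_total_bytes() {
    savedata=$1; ip=$2
    in_bytes=$(printf '%s\n' "$savedata" | bytes_for_rule INPUT -s "$ip")
    out_bytes=$(printf '%s\n' "$savedata" | bytes_for_rule OUTPUT -d "$ip")
    echo $((in_bytes + out_bytes))
}

# over_threshold SAVEDATA IP LIMIT_BYTES -- true when the host is over LIMIT.
over_threshold() {
    [ "$(host_total_bytes "$1" "$2")" -gt "$3" ]
}

# Hourly cron job body, as sketched in the reply above ("mail" is assumed to
# be a local mailx-compatible command):
#   save=$(iptables-save -c)
#   for ip in 192.168.0.9 192.168.0.15; do
#       if over_threshold "$save" "$ip" 500000000; then
#           echo "$ip has used $(host_total_bytes "$save" "$ip") bytes" |
#               mail -s "Traffic quota warning for $ip" admin
#       fi
#   done
```

Two things to keep in mind when running this from cron: the counters only cover packets that walked past the counting rule, so on a gateway the rules have to sit in the chain the LAN traffic actually traverses, and they go back to zero whenever the rules are reloaded, the box reboots, or someone runs "iptables -Z". If you want monthly totals, have the hourly job add the current reading to a file rather than trusting the live counter.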
 
Old 09-09-2004, 12:38 PM   #3
smokybobo
LQ Newbie
 
Registered: Feb 2003
Posts: 29

Rep: Reputation: 15
As an alternative to what Joubert79 wrote, you can try the ULOG target to write to a log file when packets are matched. Of course, you will need the ulog daemon installed to use the ULOG target properly.

It's documented in the iptables manpage, but below is a simple example of how I use ulog to log any packets that get dropped:

Code:
IPTABLES=/sbin/iptables
# ============Create target for logging and dropping=================
$IPTABLES --new LDROP
$IPTABLES -A LDROP --proto tcp -j ULOG --ulog-prefix "TCP Drop "
$IPTABLES -A LDROP --proto udp -j ULOG --ulog-prefix "UDP Drop "
$IPTABLES -A LDROP --proto icmp -j ULOG --ulog-prefix "ICMP Drop "
$IPTABLES -A LDROP -p all -j DROP

$IPTABLES -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p all -m state --state NEW,INVALID -j LDROP
The above matches packets that should be dropped, but it should be easy enough to match whatever packets you need to determine usage. You can then write up a script that can parse the log for whatever information you need and output the results to wherever, and then set that script up in cron to run at whatever times you want/need.

Note: You can also use just the plain jane LOG target, which causes the kernel to log messages, but I like using ULOG to separate firewall stuff into its own logs; I've got enough kernel message stuff to deal with sometimes, I don't want to sift through countless packet drop messages in the kernel log when trying to find important stuff.

Last edited by smokybobo; 09-09-2004 at 12:42 PM.
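A parser of the kind this reply leaves to the reader, as an added example of mine rather than smokybobo's code. It assumes the log lines are in the "key=value" layout the kernel LOG target writes (IN=, OUT=, SRC=, DST=, LEN=, ...), which to my understanding ulogd's LOGEMU output plugin reproduces; the log lines in SAMPLE_LOG are constructed, and their prefixes reuse the --ulog-prefix strings from the rules above.

```shell
#!/bin/sh
# Added example (not from the thread): sum logged bytes per host from
# firewall log lines in the kernel LOG target's key=value layout.
# SAMPLE_LOG is constructed; a line with no SRC=/LEN= fields is included
# to show that unrelated syslog lines are skipped.
SAMPLE_LOG='Sep  9 12:40:01 gw TCP Drop IN=eth1 OUT= SRC=192.168.0.15 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=33001 DPT=80
Sep  9 12:40:02 gw TCP Drop IN=eth1 OUT= SRC=192.168.0.9 DST=203.0.113.7 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=33002 DPT=80
Sep  9 12:40:03 gw UDP Drop IN=eth1 OUT= SRC=192.168.0.15 DST=203.0.113.53 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=UDP SPT=5353 DPT=53
Sep  9 12:40:04 gw kernel: unrelated message without firewall fields'

# bytes_per_host KEY -- read log lines on stdin and print "<ip> <bytes>" for
# every distinct value of KEY (SRC or DST), one host per line, sorted.
# LEN= is the IP total length, so the sum is bytes on the wire at IP level.
bytes_per_host() {
    key=$1
    awk -v key="$key" '
        {
            ip = ""; len = ""
            for (i = 1; i <= NF; i++) {
                # Fields are whitespace separated "NAME=value" tokens; pick
                # the one for KEY and the LEN field, ignore everything else.
                if (index($i, key "=") == 1) ip = substr($i, length(key) + 2)
                else if (index($i, "LEN=") == 1) len = substr($i, 5)
            }
            if (ip != "" && len != "") total[ip] += len
        }
        END { for (ip in total) print ip, total[ip] }
    ' | sort
}

# host_bytes KEY IP -- bytes for a single host (0 when it never appears).
host_bytes() {
    n=$(bytes_per_host "$1" | awk -v ip="$2" '$1 == ip { print $2 }')
    echo "${n:-0}"
}

# Typical use from cron, feeding the ulogd/syslog file of your choice:
#   bytes_per_host SRC < /var/log/ulogd.syslogemu   # outbound, per LAN host
#   bytes_per_host DST < /var/log/ulogd.syslogemu   # inbound, per LAN host
```

Note that the rules above only log packets that are being dropped; to account for usage you would hook a logging rule (without the following DROP) onto the traffic you accept. Logging every packet costs far more than a counting rule does, so for a quota report the rule counters are the cheaper tool and the log is better reserved for the cases where you want to know what was sent, not just how much.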
 
Old 09-09-2004, 01:39 PM   #4
mdkelly069
Member
 
Registered: Oct 2003
Posts: 43

Original Poster
Rep: Reputation: 15
Thank you for your responses.

Joubert79:

I implemented your suggestions on the firewall/gateway as a test for my own machine. It does log the packets, sort of. After ensuring my ip address was being tracked in both the INPUT and OUTPUT chains I started browsing the Internet and downloading files. I downloaded well over 5MB of files, but the chain only shows 218KB of traffic on the OUTPUT chain. Is it possible that it is only picking up the initial connection packets and ignoring the RELATED and ESTABLISHED ones? If I can get that addressed this does look like a good solution and once I get the iptables entries correct I will just write a script to collect the information for all machines.

smokybobo:

Thank you for your suggestions as well. I will look into the use of ULOG and do some testing.


Thank you both for your time
mdkelly

Last edited by mdkelly069; 09-09-2004 at 01:42 PM.
 
Old 09-09-2004, 06:33 PM   #5
Joubert79
Member
 
Registered: Jul 2004
Location: Manchester, UK
Distribution: Gentoo
Posts: 46

Rep: Reputation: 15
Mmmm.... well I've never done what you are trying so I'm winging it here. But here goes:

I doubt it's to do with the RELATED and ESTABLISHED packets not being matched because I reckon all packets should be matched. If all else fails, you might check by adding an additional rule, identical to the questionable one, but with "-m state --state NEW,RELATED,ESTABLISHED" as an option, or play with a subset of those states, and compare counters to see what is being picked up.

My money is on the FORWARD chain of your gateway, check it for packets destined for your lan ip.
 
Old 09-09-2004, 06:36 PM   #6
mdkelly069
Member
 
Registered: Oct 2003
Posts: 43

Original Poster
Rep: Reputation: 15
Joubert79, thank you for your reply.

I am still working on it, but your suggestion about the FORWARD policy was the answer. I am now, I think, getting a complete byte count of the traffic from my machine to the net, and vice versa.

I will post later with more results

cheers
mdkelly
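What the FORWARD-chain fix looks like when written down, as an added example of mine (not mdkelly069's or Joubert79's rules). Packets routed between the LAN and the Internet traverse the gateway's FORWARD chain; INPUT and OUTPUT only see traffic to and from the gateway itself, which is why the OUTPUT counter above stopped at 218KB. The chain name LAN_ACCT and the interface name eth1 are my choices; the script emits the iptables commands so they can be inspected (or piped to sh as root) rather than applied blindly.

```shell
#!/bin/sh
# Added example (not from the thread): per-host accounting rules for a
# gateway, kept in a dedicated chain that FORWARD jumps to. Keeping the
# counting rules in their own chain means "iptables -L LAN_ACCT -vnx" lists
# just the accounting counters and "iptables -Z LAN_ACCT" resets only them.
IPTABLES=${IPTABLES:-iptables}
ACCT_CHAIN=LAN_ACCT
# Optional: name of the LAN-facing interface (e.g. eth1). When set, outbound
# rules only count packets that arrived on it and inbound rules only packets
# leaving through it, so a LAN address seen on another interface (a VPN, say)
# is not credited to that host. Empty means "any interface".
LAN_IF=${LAN_IF:-}

# lan_accounting_rules IP... -- print the iptables commands that build the
# accounting chain for the given LAN hosts and hook it into FORWARD.
lan_accounting_rules() {
    in_if=""; out_if=""
    if [ -n "$LAN_IF" ]; then
        in_if=" -i $LAN_IF"    # packet came in from the LAN side: outbound traffic
        out_if=" -o $LAN_IF"   # packet goes out to the LAN side: inbound traffic
    fi
    # Create the chain (harmless error if it already exists) and flush it so
    # re-running the script does not stack duplicate rules.
    echo "$IPTABLES -N $ACCT_CHAIN"
    echo "$IPTABLES -F $ACCT_CHAIN"
    for ip in "$@"; do
        # Actionless rules: the packet is counted and carries on. -s catches the
        # host's outbound packets, -d its inbound ones.
        echo "$IPTABLES -A $ACCT_CHAIN$in_if -s $ip"
        echo "$IPTABLES -A $ACCT_CHAIN$out_if -d $ip"
    done
    # Position 1 of FORWARD, so every forwarded packet is counted before any
    # ACCEPT or DROP further down ends its walk through the chain.
    echo "$IPTABLES -I FORWARD 1 -j $ACCT_CHAIN"
}

# apply_rules IP... -- run the generated commands (real iptables needs root).
apply_rules() {
    lan_accounting_rules "$@" | sh
}

# Example: lan_accounting_rules 192.168.0.9 192.168.0.15
#      or: LAN_IF=eth1 apply_rules 192.168.0.9 192.168.0.15
```

Because the user chain has no terminating rule of its own, control returns to FORWARD after the last counting rule and the existing firewall policy applies unchanged. Traffic between two LAN hosts that is routed through the gateway is counted against both of them (once as source, once as destination); if only Internet-bound traffic should count towards the quota, add a "! -d" match for the LAN network to the -s rules and a "! -s" match to the -d rules.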
 
Old 09-09-2004, 07:26 PM   #7
Joubert79
Member
 
Registered: Jul 2004
Location: Manchester, UK
Distribution: Gentoo
Posts: 46

Rep: Reputation: 15
These projects can be damned good fun. Good luck.

As a final thought before bedtime, you might consider matching packets by interface rather than ip. This would certainly be useful if you use DHCP, or if your colleagues can change their lan ip.

Regards.
 
Old 09-13-2004, 11:13 AM   #8
mdkelly069
Member
 
Registered: Oct 2003
Posts: 43

Original Poster
Rep: Reputation: 15
Absolutely right. Once I got my feet wet with this it was/is a blast. I am currently tracking all traffic amounts for machines in the office, including our VPN.

I now have a list of things I would like to incorporate into this setup.
Thanks for the help in getting the first steps sorted out.

In terms of matching packets by interface I think I will hold off on that. We do not use DHCP and although users can change their IP, most of them have no desire to do so, and if they did I would know about it fairly quickly and I would have a few choice words with them. I will keep your suggestion in mind for future reference though.

thanks again
mdkelly
 