LinuxQuestions.org forum: Linux - Networking
Let me first say that I am still very new to iptables, but am slowly getting a handle on things.
I work in an office of about 12 employees and we are consistently running over our monthly traffic quota. What I want to do is set up some iptables rules that will log the internet usage, both input and output, of each individual computer on the LAN. We work more on an honour system so I really don't care what they are looking at, just how much they are looking.
I have read through many posts and googled for the subject, but most of it is a bit over my head still. One thing I did find was this:
iptables -A INPUT -s 192.168.0.15 #tracks inbound data from machine .15
iptables -A OUTPUT -d 192.168.0.9 #tracks outbound to machine .9
iptables -L -v
to view the logged information.
I would be very appreciative if someone could explain this to me in a bit greater detail and also put forward any suggestions to achieve what I am trying to.
OK, so the -A option appends the rule to a chain. Three chains in your filter table are INPUT, OUTPUT and FORWARD, through which all incoming, outgoing and forwarded traffic passes, respectively. I guess really you want "-I INPUT 1" instead of "-A INPUT", and similarly for OUTPUT, since you want the rules at the beginning of the chain before the packets match any other rule.
For example packets destined for 192.168.0.9 from the local machine will match the rule added with
iptables -I OUTPUT 1 -d 192.168.0.9
The -d bit is the destination of the outbound packet. However, this rule has no action, so the rule counters will increment (since the packet matched) and the packet will continue down the chain.
Similarly, incoming packets to the local machine from 192.168.0.15 will match the rule added with
iptables -I INPUT 1 -s 192.168.0.15
and rule counters will increment and the packet will continue on its way.
To keep a record on each machine you could add two actionless rules to each machine's iptables filter with something like
iptables -I INPUT 1
iptables -I OUTPUT 1
Or on your router, just as in the examples above, you could add the appropriate destination and source IPs (i.e. with -d and -s). Of course, the INPUT and OUTPUT bits might be the other way around at the router, since the router is doing the outputting to the LAN machine's input. Dunno though, I've never done this.
Indeed, "iptables -L -v" will give you the counters. I tend to use "iptables-save -c" to output the current state, so you might play with something like "iptables-save -c | grep '-A OUTPUT -d 192.168.0.15' | sed 's/\[[0-9]*://; s/\].*//'" to get the number of bytes outgoing to 192.168.0.15
Maybe you could write a script to check the number of bytes and email the appropriate person using mailx (or other) if they go over a threshold. Then run this script as an hourly cronjob.
As an alternative to what Joubert79 wrote, you can try the ULOG target to write to a log file when packets are matched. Of course, you will need the ulog daemon installed to use the ULOG target properly.
It's documented in the iptables manpage, but below is a simple example of how I use ulog to log any packets that get dropped:
# ============Create target for logging and dropping=================
# $IPTABLES holds the path to the iptables binary
$IPTABLES --new LDROP
$IPTABLES -A LDROP --proto tcp -j ULOG --ulog-prefix "TCP Drop "
$IPTABLES -A LDROP --proto udp -j ULOG --ulog-prefix "UDP Drop "
$IPTABLES -A LDROP --proto icmp -j ULOG --ulog-prefix "ICMP Drop "
$IPTABLES -A LDROP -p all -j DROP
# accept replies to existing connections, log and drop everything else
$IPTABLES -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p all -m state --state NEW,INVALID -j LDROP
The above matches packets that should be dropped, but should be easy enough to match whatever packets to determine usage. You can then write up a script that can parse the log for whatever information you need and output the results to wherever, and then set that script up in cron to run at whatever times you want/need.
Note: You can also use just the plain-Jane LOG target, which causes the kernel to log messages, but I like using ULOG to separate firewall stuff into its own logs; I've got enough kernel message stuff to deal with sometimes, and I don't want to sift through countless packet drop messages in the kernel log when trying to find important stuff.
I implemented your suggestions on the firewall/gateway as a test for my own machine. It does log the packets, sort of. After ensuring my IP address was being tracked in both the INPUT and OUTPUT chains I started browsing the Internet and downloading files. I downloaded well over 5MB of files, but the chain only shows 218KB of traffic on the OUTPUT chain. Is it possible that it is only picking up the initial connection's packets and ignoring the RELATED and ESTABLISHED ones? If I can get that addressed this does look like a good solution, and once I get the iptables entries correct I will just write a script to collect the information for all machines.
Thank you for your suggestions as well. I will look into the use of ULOG and do some testing
Thank you both for your time
Last edited by mdkelly069; 09-09-2004 at 02:42 PM.
Mmmm.... well I've never done what you are trying so I'm winging it here. But here goes:
I doubt it's to do with the RELATED and ESTABLISHED packets not being matched, because I reckon all packets should be matched. If all else fails, you might check by adding an additional rule, identical to the questionable one, but with "-m state --state NEW,RELATED,ESTABLISHED" as an option, or play with a subset of those states, and compare counters to see what is being picked up.
My money is on the FORWARD chain of your gateway, check it for packets destined for your lan ip.
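The following is an added worked example, not code from any post in this thread. It ties Joubert79's two replies together: actionless counter rules, parsing "iptables-save -c" for the byte counts, an hourly threshold check for cron, and (the point of the last reply) placing the rules in the gateway's FORWARD chain, which is where a LAN machine's Internet traffic actually passes on a router. The chain name ACCT, the host list and the LIMIT_BYTES threshold are my placeholders, and the iptables-save text in sample_counters is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from any post in this thread): per-host byte accounting on
# a Linux gateway with actionless iptables rules in the FORWARD chain, and a
# parser for "iptables-save -c" output suitable for an hourly cron job.
#
# Assumptions (mine, not the thread's): the gateway routes for the LAN, the
# user-defined chain name ACCT is unused, and LIMIT_BYTES is the per-host share
# of the monthly quota. Host list and limit are placeholders.
HOSTS="192.168.0.9 192.168.0.15"
LIMIT_BYTES=1000000

# Print the rules that create chain ACCT, hook it at position 1 of FORWARD so
# every routed packet is counted before any ACCEPT/DROP rule can stop it, and
# add one actionless -s and one -d rule per host. Having no -j, these rules only
# bump their counters and fall through; ACCT returns to FORWARD at its end.
# Run as root with:  install_rules | sh
install_rules() {
    echo "iptables -N ACCT"
    echo "iptables -I FORWARD 1 -j ACCT"
    for h in $HOSTS; do
        echo "iptables -A ACCT -s $h"   # LAN host -> Internet (bytes out)
        echo "iptables -A ACCT -d $h"   # Internet -> LAN host (bytes in)
    done
}

# Read "iptables-save -c" text on stdin and print "host bytes_out bytes_in",
# one host per line. Counter lines look like:
#   [packets:bytes] -A ACCT -s 192.168.0.9/32
parse_counters() {
    awk '
        /^\[[0-9]+:[0-9]+\] -A ACCT / {
            cnt = substr($1, 2, length($1) - 2)     # "packets:bytes"
            split(cnt, c, ":")                      # c[1] packets, c[2] bytes
            for (i = 2; i < NF; i++) {
                h = $(i + 1); sub("/32$", "", h)    # iptables-save adds /32
                if ($i == "-s") tx[h] += c[2]
                if ($i == "-d") rx[h] += c[2]
            }
        }
        END {
            for (h in tx) print h, tx[h] + 0, rx[h] + 0
            for (h in rx) if (!(h in tx)) print h, 0, rx[h] + 0
        }
    ' | LC_ALL=C sort
}

# Read parse_counters output on stdin; print "host total" for hosts over limit.
over_quota() {
    while read -r host tx rx; do
        total=$((tx + rx))
        if [ "$total" -gt "$LIMIT_BYTES" ]; then
            echo "$host $total"
        fi
    done
}

# Cron entry point (run as root); swap the echo for mailx to notify someone.
report() {
    iptables-save -c | parse_counters | over_quota | while read -r host total; do
        echo "$host is over quota: $total bytes this period"
    done
}

# Constructed iptables-save -c output for a stand-alone run; not a real capture.
sample_counters() {
    cat <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [100:8000]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [90:7000]
:ACCT - [0:0]
[5010:4201500] -A FORWARD -j ACCT
[3000:220000] -A ACCT -s 192.168.0.9/32
[2000:3980000] -A ACCT -d 192.168.0.9/32
[10:1500] -A ACCT -s 192.168.0.15/32
[0:0] -A ACCT -d 192.168.0.15/32
COMMIT
EOF
}

# Demo without root: host .9 has moved 4200000 bytes and exceeds the limit.
sample_counters | parse_counters
sample_counters | parse_counters | over_quota
```

Two things to keep in mind when running this for real. The counters live in kernel memory, so they vanish on reboot and are reset by "iptables -Z"; schedule "iptables -Z ACCT" from cron on the first of the month after saving the final report, and dump a report before planned reboots. Rules in FORWARD count only routed traffic: anything the gateway terminates itself (a local proxy or DNS cache, for instance) shows up in INPUT and OUTPUT instead, which is the same reason the OUTPUT counters on the gateway looked far too small above. Matching on -s/-d also trusts the client's address; if that matters, "-m mac --mac-source" can pin a rule to a network card instead.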
Absolutely right. Once I got my feet wet with this it was/is a blast. I am currently tracking all traffic amounts for machines in the office, including our VPN.
I now have a list of things I would like to incorporate into this setup.
Thanks for the help in getting the first steps sorted out.
In terms of matching packets by interface I think I will hold off on that. We do not use DHCP and although users can change their IP, most of them have no desire to do so, and if they did I would know about it fairly quickly and I would have a few choice words with them. I will keep your suggestion in mind for future reference though.