LinuxQuestions.org

Linux - Networking > iptables and accounting (https://www.linuxquestions.org/questions/linux-networking-3/iptables-and-accounting-602631/)

Ammad 11-26-2007 11:54 PM

iptables and accounting
 
I want to account all traffic by port. My current firewall configuration drops all traffic; using this I am unable to calculate my traffic by protocol.

root# iptables -L -v

Chain INPUT (policy DROP 8 packets, 557 bytes)
pkts bytes target prot opt in out source destination
265K 151M CM-INPUT 0 -- any any anywhere anywhere
0 0 ACCEPT tcp -- eth2 any anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:webcache
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp spt:http state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp spt:hosts2-ns state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any 10.10.10.0/24 example.com icmp echo-request

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
50276 18M CM-INPUT 0 -- any any anywhere anywhere
0 0 ACCEPT tcp -- any any 10.10.10.0/24 example.com state NEW,RELATED,ESTABLISHED tcp dpt:webcache
0 0 ACCEPT tcp -- any any 10.10.10.0/24 example.com state NEW,RELATED,ESTABLISHED tcp dpt:webcache

Chain OUTPUT (policy ACCEPT 197K packets, 136M bytes)
pkts bytes target prot opt in out source destination
102K 19M ACCEPT tcp -- any eth0 anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:http
0 0 ACCEPT tcp -- any eth0 anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:hosts2-ns
0 0 ACCEPT tcp -- any eth2 anywhere anywhere tcp spt:http state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any eth2 anywhere anywhere tcp spt:hosts2-ns state RELATED,ESTABLISHED

Chain CM-INPUT (2 references)
pkts bytes target prot opt in out source destination
4879 809K ACCEPT 0 -- lo any anywhere anywhere
20218 2433K ACCEPT 0 -- any any 10.10.10.0/24 anywhere state NEW
288K 165M ACCEPT 0 -- any any anywhere anywhere state RELATED,ESTABLISHED
322 10194 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ftp
0 0 ACCEPT gre -- any any anywhere anywhere
0 0 ACCEPT l2tp -- any any anywhere anywhere
0 0 ACCEPT tlsp -- any any anywhere anywhere
0 0 ACCEPT esp -- any any anywhere anywhere
35 1448 ACCEPT tcp -- any any anywhere anywhere tcp dpt:webcache
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:webcache
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:hosts2-ns
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:hosts2-ns
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpts:tproxy:8090
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:submission
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:pop3s
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:pop3s
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:smtps
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:465
0 0 ACCEPT udp -- any any anywhere anywhere udp dpts:tproxy:8090


If I remove the following rule from the firewall, then it stops working.


$IPTABLES -P INPUT DROP;
$IPTABLES -P FORWARD DROP;
$IPTABLES -N CM-INPUT;
$IPTABLES -A INPUT -j CM-INPUT
$IPTABLES -A FORWARD -j CM-INPUT

echo 1 > /proc/sys/net/ipv4/ip_forward
$IPTABLES -A CM-INPUT -i lo -j ACCEPT
$IPTABLES -A CM-INPUT -s 10.10.10.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A CM-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A CM-INPUT -p icmp -m icmp --icmp-type ping -j ACCEPT
$IPTABLES -A CM-INPUT -p tcp --dport 21 -j ACCEPT
$IPTABLES -A CM-INPUT -s 10.10.20.0/24 -d 10.10.10.0/24 -j ACCEPT
$IPTABLES -A CM-INPUT -s 10.10.10.0/24 -d 10.10.20.0/24 -j ACCEPT
...
....
....
....

If I remove or disable
$IPTABLES -A CM-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
then the firewall stops responding.
Can anyone figure out the problem?

Thanks

dkm999 11-28-2007 11:23 PM

From your listing of the iptables rules with the traffic counters prepended, it seems clear that the first 3 or 4 rules are taking care of all the traffic. When you put in the target ACCEPT (by specifying -j), a matching packet is just accepted, without being subjected to the following rules.

To achieve what I think you want, you should put the rules for your individual port counters at the top of the chain CM-INPUT, and omit any target. That way, the protocol, address, and port matching will be done, but then the next rule will be considered as well for that packet. Only after all the counting is done will the actual filtering rules be applied.

To make this a little more efficient, you can put all the accounting rules into a subsidiary chain, and then specify the target -j RETURN for each one (the RETURN target will terminate the accounting rule). Put the highest-traffic rules first in the chain, so that, on average, each packet sees less than half of the list before being accepted.

Then, in your main filter chains, put in an unconditional call to the accounting rule:
Code:

-A -j ACCNTG

Put this in first, and follow it with the actual filtering rules.
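As an added example, not code from the thread or from either poster, the script below builds the accounting chain dkm999 describes (every rule ends in RETURN, and the chain is called before any filtering rule) and reads its counters back per port. The chain name ACCNTG comes from the reply; the port list, the function names and the sample counter output are assumptions constructed for this illustration. By default it only prints the iptables commands, so it runs without root.

```shell
#!/bin/sh
# Added example, not code from the thread: a RETURN-based accounting chain
# as dkm999 describes, plus a reader for its counters. ACCNTG is the chain
# name from the reply; the port list is an assumption. By default the
# iptables commands are only printed; run with IPTABLES=iptables as root
# to apply them for real.
IPTABLES="${IPTABLES:-echo iptables}"

# Ports to account per protocol (assumed list; 3128/8080 stand in for the
# webcache/tproxy services visible in the original ruleset).
ACCT_PORTS="80 443 3128 8080"

# Build the accounting chain: one rule per protocol/direction/port, each
# ending in RETURN. RETURN hands the packet straight back to the calling
# chain, so a packet is counted by at most one ACCNTG rule and filtering
# is left entirely to the rules that follow the call.
build_accounting_chain() {
    $IPTABLES -N ACCNTG
    for port in $ACCT_PORTS; do
        for proto in tcp udp; do
            $IPTABLES -A ACCNTG -p "$proto" --dport "$port" -j RETURN
            $IPTABLES -A ACCNTG -p "$proto" --sport "$port" -j RETURN
        done
    done
    # Insert the call at position 1 of INPUT and FORWARD so packets are
    # counted before CM-INPUT's RELATED,ESTABLISHED rule accepts them.
    # That state rule itself stays in place: with a DROP policy it is
    # what lets reply traffic through.
    $IPTABLES -I INPUT 1 -j ACCNTG
    $IPTABLES -I FORWARD 1 -j ACCNTG
}

# Sum the byte counters of the ACCNTG rules for one port, reading the output
# of "iptables -L ACCNTG -v -n -x" from stdin (-x prints exact byte counts,
# -n keeps ports numeric instead of names such as "webcache").
# Fields: pkts bytes target prot opt in out source destination [match...]
port_bytes() {
    awk -v want="$1" '
        $3 == "RETURN" && ($0 " ") ~ ("[ds]pt:" want " ") { sum += $2 }
        END { print sum + 0 }'
}

# Constructed sample of "iptables -L ACCNTG -v -n -x" output, for offline use.
SAMPLE_COUNTERS='Chain ACCNTG (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    1200     960000 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
     800     640000 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80
       0          0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:80
      50      12345 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080'

# Stand-alone demo: print the rules, then the per-port totals from the sample.
build_accounting_chain
for p in $ACCT_PORTS; do
    printf 'port %s: %s bytes\n' "$p" "$(printf '%s\n' "$SAMPLE_COUNTERS" | port_bytes "$p")"
done
```

On a live box the counters are read with `iptables -L ACCNTG -v -n -x | port_bytes 80`, and `iptables -Z ACCNTG` zeroes only that chain at the end of each collection interval. Because the call to ACCNTG sits at position 1, every packet entering INPUT or FORWARD is counted before CM-INPUT's state rule accepts it; the per-port ACCEPT rules in the original listing sat after that state rule, which is why their counters stayed at zero.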

