Old 11-26-2007, 11:54 PM   #1
Ammad
Member
 
Registered: Apr 2004
Distribution: redhat 9.0, fc4, redhat as 4
Posts: 522

Rep: Reputation: 31
iptables and accounting


I want to account for all traffic by port. My current firewall configuration drops all traffic, and with it I am unable to calculate my traffic by protocol.

root# iptables -L -v

Chain INPUT (policy DROP 8 packets, 557 bytes)
pkts bytes target prot opt in out source destination
265K 151M CM-INPUT 0 -- any any anywhere anywhere
0 0 ACCEPT tcp -- eth2 any anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:webcache
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp spt:http state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp spt:hosts2-ns state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any 10.10.10.0/24 example.com icmp echo-request

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
50276 18M CM-INPUT 0 -- any any anywhere anywhere
0 0 ACCEPT tcp -- any any 10.10.10.0/24 example.com state NEW,RELATED,ESTABLISHED tcp dpt:webcache
0 0 ACCEPT tcp -- any any 10.10.10.0/24 example.com state NEW,RELATED,ESTABLISHED tcp dpt:webcache

Chain OUTPUT (policy ACCEPT 197K packets, 136M bytes)
pkts bytes target prot opt in out source destination
102K 19M ACCEPT tcp -- any eth0 anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:http
0 0 ACCEPT tcp -- any eth0 anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:hosts2-ns
0 0 ACCEPT tcp -- any eth2 anywhere anywhere tcp spt:http state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any eth2 anywhere anywhere tcp spt:hosts2-ns state RELATED,ESTABLISHED

Chain CM-INPUT (2 references)
pkts bytes target prot opt in out source destination
4879 809K ACCEPT 0 -- lo any anywhere anywhere
20218 2433K ACCEPT 0 -- any any 10.10.10.0/24 anywhere state NEW
288K 165M ACCEPT 0 -- any any anywhere anywhere state RELATED,ESTABLISHED
322 10194 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ftp
0 0 ACCEPT gre -- any any anywhere anywhere
0 0 ACCEPT l2tp -- any any anywhere anywhere
0 0 ACCEPT tlsp -- any any anywhere anywhere
0 0 ACCEPT esp -- any any anywhere anywhere
35 1448 ACCEPT tcp -- any any anywhere anywhere tcp dpt:webcache
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:webcache
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:hosts2-ns
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:hosts2-ns
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpts:tproxy:8090
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:submission
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:pop3s
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:pop3s
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:smtps
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:465
0 0 ACCEPT udp -- any any anywhere anywhere udp dpts:tproxy:8090


If I remove the following rule from the firewall, then it stops working.


# default policy: drop anything not explicitly accepted below
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
# user-defined chain shared by INPUT and FORWARD
$IPTABLES -N CM-INPUT
$IPTABLES -A INPUT -j CM-INPUT
$IPTABLES -A FORWARD -j CM-INPUT

echo 1 > /proc/sys/net/ipv4/ip_forward
# loopback traffic
$IPTABLES -A CM-INPUT -i lo -j ACCEPT
# new connections from the LAN
$IPTABLES -A CM-INPUT -s 10.10.10.0/24 -m state --state NEW -j ACCEPT
# replies belonging to connections already tracked by conntrack
$IPTABLES -A CM-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ping (echo-request)
$IPTABLES -A CM-INPUT -p icmp -m icmp --icmp-type ping -j ACCEPT
# ftp control channel
$IPTABLES -A CM-INPUT -p tcp --dport 21 -j ACCEPT
# traffic between the two internal subnets
$IPTABLES -A CM-INPUT -s 10.10.20.0/24 -d 10.10.10.0/24 -j ACCEPT
$IPTABLES -A CM-INPUT -s 10.10.10.0/24 -d 10.10.20.0/24 -j ACCEPT
...
....
....
....

If I remove or disable
$IPTABLES -A CM-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
then the firewall stops responding.
Can anyone figure out the problem?

Thanks
 
Old 11-28-2007, 11:23 PM   #2
dkm999
Member
 
Registered: Nov 2006
Location: Seattle, WA
Distribution: Fedora
Posts: 407

Rep: Reputation: 35
From your listing of the iptables rules with the traffic counters prepended, it seems clear that the first 3 or 4 rules are taking care of all the traffic. When you put in the target ACCEPT (by specifying -j), a matching packet is just accepted, without being subjected to the following rules.

To achieve what I think you want, you should put the rules for your individual port counters at the top of the chain CM-INPUT, and omit any target. That way, the protocol, address, and port matching will be done, but then the next rule will be considered as well for that packet. Only after all the counting is done will the actual filtering rules be applied.

To make this a little more efficient, you can put all the accounting rules into a subsidiary chain, and then specify the target -j RETURN for each one (the RETURN target will terminate the accounting rule). Put the highest-traffic rules first in the chain, so that, on average, each packet sees less than half of the list before being accepted.

Then, in your main filter chains, put in an unconditional call to the accounting rule:
Code:
-A -j ACCNTG
Put this in first, and follow it with the actual filtering rules.
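The layout dkm999 describes, as an added example script that is not part of the thread: an ACCNTG chain of per-port counting rules ending in RETURN, called unconditionally at position 1 of INPUT and FORWARD so packets are counted before any ACCEPT in CM-INPUT can short-circuit them. The chain name ACCNTG is taken from the reply; the port list, the ipt wrapper and the APPLY switch are assumptions of this example. Without APPLY=1 it only prints the iptables commands it would run.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes iptables is in PATH
# and that INPUT/FORWARD are the chains the filtering rules hang off.
# Dry-run by default; APPLY=1 ./accounting.sh runs the commands as root.

ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# One counting rule per protocol/port. RETURN ends the walk of ACCNTG for a
# packet that matched, so put the busiest ports first; a packet matching
# nothing falls off the end of the chain and returns anyway.
account_port() {
    proto=$1
    port=$2
    ipt -A ACCNTG -p "$proto" --dport "$port" -j RETURN
}

setup_accounting() {
    ipt -N ACCNTG 2>/dev/null || true   # already exists on a re-run
    ipt -F ACCNTG                       # start with empty counters
    account_port tcp 8080               # example port list (assumed)
    account_port tcp 3128
    account_port tcp 443
    account_port tcp 21
    account_port udp 8080
    # Position 1: counting happens before any filtering rule can ACCEPT/DROP.
    ipt -I INPUT 1 -j ACCNTG
    ipt -I FORWARD 1 -j ACCNTG
}

# Read the per-port counters back: -x prints exact byte counts instead of
# 151M-style rounding, -n avoids turning ports back into service names.
show_counters() {
    ipt -L ACCNTG -v -n -x
}

setup_accounting
show_counters
```

Poll show_counters from cron and follow it with `iptables -Z ACCNTG` if you want per-interval figures rather than totals since boot.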