Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
#1  diptanu (LQ Newbie, registered Jul 2006)  08-06-2010, 05:52 AM
IPTABLES bandwidth quota not working for linux router.


Dear All,

My OS: Red Hat Enterprise Linux Server release 5 (Tikanga)
Kernel:
Linux www 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686 i686 i386 GNU/Linux

My Linux box is working as a router with two NICs:
a) eth0 = 10.10.56.23 (connected to the internet via NAT)
b) eth1 = 10.136.15.197 (connected to the internal network)

The box acts as a gateway to the internet: customers connect to eth1 and, by the iptables FORWARD rule, their traffic goes out via eth0 to the internet.
Below is my iptables file from /etc/sysconfig:
=============================================================
# Generated by iptables-save v1.3.5 on Mon Apr 19 23:22:06 2010
*mangle
:PREROUTING ACCEPT [35:5022]
:INPUT ACCEPT [35:5022]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12:1734]
:POSTROUTING ACCEPT [12:1734]
COMMIT
# Completed on Mon Apr 19 23:22:06 2010
# Generated by iptables-save v1.3.5 on Mon Apr 19 23:22:06 2010
*filter
:INPUT ACCEPT [10:1578]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12:1734]
:LOGDROP - [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -s ! 192.168.3.0/255.255.255.248 -i eth0 -p tcp -m tcp --dport 2222 -j LOGDROP
-A FORWARD -s 10.136.0.0/255.255.255.0 -i eth1 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A LOGDROP -j LOG --log-prefix "LOGDROP "
-A LOGDROP -j DROP
COMMIT
# Completed on Mon Apr 19 23:22:06 2010
# Generated by iptables-save v1.3.5 on Mon Apr 19 23:22:06 2010
*nat
:PREROUTING ACCEPT [6:1020]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [2:153]
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Mon Apr 19 23:22:06 2010
===========================================================

But when I apply (add) the two iptables rules below before the TWO FORWARD rules:
-A INPUT -i eth1 -p tcp -m quota --quota 10000 -j ACCEPT
-A INPUT -i eth1 -p tcp -j DROP

they block the HTTP traffic from a client (e.g. 10.136.15.196/customer to 10.136.15.197/eth1) once the limit of 10000 is reached, which is fine, but my forwarded traffic, which goes from eth1 (customers) out via eth0 (WAN) to the internet, is not getting blocked (it remains unlimited).
So in summary: traffic destined for eth1 is getting blocked, but traffic destined for the internet via eth0 is not.




Also, let me tell you what I have done after the new installation:
1. Defined eth0 as 10.10.56.23
2. Defined eth1 as 10.136.15.197
3. Enabled IP forwarding in sysctl.conf:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
4. Applied the firewall rules below (after flushing all the iptables rules):
iptables -A FORWARD --in-interface eth1 --out-interface eth0 --source 10.136.0.0/24 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE

Any help in this regard will be highly appreciated.

Last edited by diptanu; 08-06-2010 at 05:53 AM. Reason: Missed the OS and the kernel name
 
#2  estabroo (Senior Member)  08-06-2010, 07:09 AM

The INPUT rule is for stuff that is destined for the box; you'll need to put a quota rule in the FORWARD table if you'd like that traffic limited.
 
#3  diptanu (Original Poster)  08-06-2010, 07:39 AM

Hi estabroo,
Thanks a lot for your help.
However, I would be very thankful if you could provide me the snippet of the FORWARD rule that I need to put in. I suppose the rules below should be the ones you mean (marked in RED):
# Generated by iptables-save v1.3.5 on Mon Apr 19 23:22:06 2010
*mangle
:PREROUTING ACCEPT [35:5022]
:INPUT ACCEPT [35:5022]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12:1734]
:POSTROUTING ACCEPT [12:1734]
COMMIT
# Completed on Mon Apr 19 23:22:06 2010
# Generated by iptables-save v1.3.5 on Mon Apr 19 23:22:06 2010
*filter
:INPUT ACCEPT [10:1578]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12:1734]
:LOGDROP - [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -s ! 192.168.3.0/255.255.255.248 -i eth0 -p tcp -m tcp --dport 2222 -j LOGDROP
# the two rules marked in red:
-A FORWARD -s 10.136.0.0/255.255.255.0 -i eth0 -p tcp -m quota --quota 10000 -j ACCEPT
-A FORWARD -s 10.136.0.0/255.255.255.0 -i eth0 -p tcp -j DROP

-A FORWARD -s 10.136.0.0/255.255.255.0 -i eth1 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A LOGDROP -j LOG --log-prefix "LOGDROP "
-A LOGDROP -j DROP
COMMIT
# Completed on Mon Apr 19 23:22:06 2010
# Generated by iptables-save v1.3.5 on Mon Apr 19 23:22:06 2010
*nat
:PREROUTING ACCEPT [6:1020]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [2:153]
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Mon Apr 19 23:22:06 2010

Last edited by diptanu; 08-06-2010 at 07:42 AM. Reason: typo format error
 
#4  estabroo (Senior Member)  08-07-2010, 07:34 AM

Yes, the ones in red were what I was thinking.
 
#5  diptanu (Original Poster)  08-07-2010, 08:59 AM
Resolved

Hi estabroo,
Thanks a lot for your kind help. I tried the RED ones, but they are not working.
What I did next was put in the rules below, which are working as per my requirement:
iptables -t mangle -A PREROUTING -i eth1 -p tcp -m quota --quota 100000 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth1 -p tcp -j LOG --log-prefix "quotaover " --log-level 4
iptables -t mangle -A PREROUTING -i eth1 -p tcp -j DROP

But one strange thing: for example, I have fixed the quota at 3000 bytes, and then I randomly download a video to exceed the quota, and once I have exceeded the quota I execute the command below again and again (very fast) to check the status of the quota:
iptables -t mangle -L -v
Then I see that the leftover quota (usually 0 bytes, as I have exceeded the defined quota of 3000) keeps on changing automatically and randomly. Sometimes it comes back to the original value (3000) and then reverts to 0 again; it keeps fluctuating between 3000 and 0. But one good thing is that I am not able to surf the internet once I have crossed the quota (though the value keeps on changing).
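Added example (not code from the thread or from either poster): a small Python model of the netfilter path that the answer in #2 and the fix in #5 depend on. It implements the quota match the way the xt_quota module does (a single byte counter per rule that is charged while it can still cover the packet, after which the rule stops matching) and walks each packet through mangle PREROUTING, then the routing decision, then filter INPUT for traffic addressed to the box or filter FORWARD for routed traffic. The router and client addresses are the ones from post #1; the packet sizes, the internet destination 203.0.113.10 and the customer subnet 10.136.15.0/24 are constructed assumptions, not taken from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ROUTER_ADDRS = {"eth0": "10.10.56.23", "eth1": "10.136.15.197"}  # from post #1
CUSTOMER = "10.136.15.196"      # the client host named in post #1
INTERNET_HOST = "203.0.113.10"  # constructed (TEST-NET-3) internet destination

@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str
    length: int  # bytes; what xt_quota subtracts from its counter

class Quota:
    """xt_quota semantics: one counter per rule, shared by every packet the rule sees."""
    def __init__(self, limit: int):
        self.remaining = limit

    def match(self, pkt: Packet) -> bool:
        if self.remaining >= pkt.length:
            self.remaining -= pkt.length
            return True
        self.remaining = 0  # exhausted: the rule stops matching from here on
        return False

@dataclass
class Rule:
    target: str                      # ACCEPT, DROP or LOG (LOG never ends traversal)
    in_iface: Optional[str] = None   # -i
    src: Optional[str] = None        # -s, in CIDR form
    proto: Optional[str] = None      # -p
    quota: Optional[Quota] = None    # -m quota --quota N

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface and pkt.in_iface != self.in_iface:
            return False
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        # the counter is only charged once every other match on the rule has passed
        return self.quota is None or self.quota.match(pkt)

class Chain:
    def __init__(self, policy: str = "ACCEPT"):
        self.policy, self.rules = policy, []

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt) and rule.target != "LOG":
                return rule.target
        return self.policy  # fell off the end: the chain policy applies

class Router:
    """Only the chains the thread touches; everything else on the box is policy ACCEPT."""
    def __init__(self):
        self.mangle_prerouting, self.filter_input, self.filter_forward = Chain(), Chain(), Chain()

    def handle(self, pkt: Packet) -> str:
        if self.mangle_prerouting.verdict(pkt) == "DROP":  # hook 1: before the routing decision
            return "DROP@mangle/PREROUTING"
        if pkt.dst in ROUTER_ADDRS.values():                # routing decision: for the box itself?
            return self.filter_input.verdict(pkt) + "@filter/INPUT"
        return self.filter_forward.verdict(pkt) + "@filter/FORWARD"  # routed out the other NIC

def customer_traffic(n: int = 3, size: int = 6000) -> list:
    """Constructed sample: n TCP packets to the router itself, then n to the internet."""
    local = [Packet("eth1", CUSTOMER, ROUTER_ADDRS["eth1"], "tcp", size) for _ in range(n)]
    wan = [Packet("eth1", CUSTOMER, INTERNET_HOST, "tcp", size) for _ in range(n)]
    return local + wan

def run(router: Router, packets: list) -> list:
    return [router.handle(p) for p in packets]

def quota_in_input(limit: int = 10000) -> Router:
    """Post #1: INPUT only sees traffic addressed to the router, never forwarded traffic."""
    r = Router()
    r.filter_input.rules = [Rule("ACCEPT", in_iface="eth1", proto="tcp", quota=Quota(limit)),
                            Rule("DROP", in_iface="eth1", proto="tcp")]
    return r

def quota_in_forward(in_iface: str, src: str, limit: int = 10000) -> Router:
    """Post #3's pair, parameterised: -i eth0 never sees customer packets (they enter on
    eth1), and 10.136.15.196 is not inside 10.136.0.0/24 either; 10.136.15.0/24 is a guess."""
    r = Router()
    r.filter_forward.rules = [Rule("ACCEPT", in_iface=in_iface, src=src, proto="tcp", quota=Quota(limit)),
                              Rule("DROP", in_iface=in_iface, src=src, proto="tcp")]
    return r

def quota_in_mangle_prerouting(limit: int = 10000) -> Router:
    """Post #5: PREROUTING runs before the routing decision, so it sees both kinds of traffic."""
    r = Router()
    r.mangle_prerouting.rules = [Rule("ACCEPT", in_iface="eth1", proto="tcp", quota=Quota(limit)),
                                 Rule("LOG", in_iface="eth1", proto="tcp"),
                                 Rule("DROP", in_iface="eth1", proto="tcp")]
    return r
```

Running the three rulesets over the same constructed packets reproduces the thread: the INPUT quota of #1 only ever charges traffic to 10.136.15.197 while the forwarded packets pass on the FORWARD chain's ACCEPT policy; the pair from #3 never matches as written, because customer packets arrive on eth1, not eth0, and because 10.136.15.196 lies outside 10.136.0.0/24 (the same mismatch means the existing `-s 10.136.0.0/24` FORWARD rule does not match that client either; it is forwarded only because the chain policy is ACCEPT); and the mangle PREROUTING pair from #5 catches both kinds of traffic because it runs before the routing decision. Two properties of the chosen rules are also visible in the model: `-p tcp` leaves UDP uncounted, and one quota rule is one counter for every host behind eth1, not a per-customer quota.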