LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 10-01-2008, 03:05 PM   #1
richardfranks
LQ Newbie
 
Registered: May 2005
Location: England
Posts: 10

Rep: Reputation: 0
Network Usage Logging


OK - here goes

I've had a look around, and spent about 45 minutes searching the forums, and I cant seem to find just what I'm looking for. Apologies if this has been asked before.

Basically, I have this setup.

At the moment, I have a belkin router that is NATing my internet connection. This is all well and good, but I can't necessarily trust the users who are on my network, so I want to put some logging / firewalling in place.

This will, of course, run on a linux box.

After I have set up this linux box, the setup I want to have is like this:


Code:
|----------|      |-----------|     |
|          |      |           |     |
| INTERNET | ---- | LINUX BOX |-----| LAN
|          |      |           |     |
|----------|      |-----------|     |
I have found many posts on how to log traffic using squid, and redirecting port 80 through it using iptables, but I cant seem to find any that allow you to log all network traffic. I want to be able to see how much of my bandwidth they have used up, so that I can work out if someone is using more than their allowance. Everyone has their own machine, so I can just use the IP/Mac (although I will run a DHCP server myself, so will assign them host addresses in the DHCP server to allow me to know what IP each person is) to log it.

The other thing I want to be able to do is deny traffic under certain protocols. So, for example, I dont want to allow bittorrent.

Any help would be much appreciated, because I'm completely stuck!
 
Old 10-01-2008, 05:48 PM   #2
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
iptables/netfilter can be used for monitoring. With the -v (verbose) option, iptables will report both the packet total and byte total of matching packages. For example:

Code:
[root@box root]# iptables -I INPUT -s 192.168.yy.zz
[root@box root]# iptables -nvL INPUT
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   64  4744            all  --  *      *       192.168.yy.zz        0.0.0.0/0
This shows 64 packets containing a total of 4744 bytes. (Quite low since I just created the rule.) I am illustrating on an INPUT chain, but, of course, for your purposes you will be using the FORWARD chain. In place of (or in addition to) the IP address, you can match on the MAC address.

You will need to do something to preserve data across reboots. At shutdown you can save data (to the file of your choice) with iptables-save and restore it at next boot with iptables-restore. Be sure to include the -c option in both cases. If you need to allow for the possibility of an improper shutdown (crash, power failure, etc), you will have to create you own daemon to monitor at intervals and simply accept the data loss that occurs between the last time the daemon checked and the improper shutdown.

iptables/netfilter can also be used to block access to specified destination ports. If you want to, instead, block based on actual protocol you will have to use software that inspects the content of packets, which is beyond my knowledge. And, of course, if the user is using end-to-end encryption, such as SSL, you can't inspect the contents.

Bit torrent should be pretty easy to handle since, for it to be effective, incoming connections must be port forwarded. W/o your specifically setting up such port forwarding, the user's download speed will get seriously curtailed by standard bit torrent software.

Last edited by blackhole54; 10-01-2008 at 06:00 PM. Reason: just created chain -> just created rule
 
Old 10-03-2008, 11:57 AM   #3
racracracrac
Member
 
Registered: Sep 2008
Posts: 44

Rep: Reputation: 15
Its not really practical to log all access from all ports to all ports.

What is practical though it to use an IDS, like snort. It will attempt to flag bad things.

Last edited by reddazz; 10-14-2008 at 05:44 PM. Reason: removed spammed link
 
Old 10-04-2008, 08:04 AM   #4
richardfranks
LQ Newbie
 
Registered: May 2005
Location: England
Posts: 10

Original Poster
Rep: Reputation: 0
I cant say I've come across snort before. What does it do (not sure what an IDS does either).

The thing is, most of the data transfer that people are going to use are going to be for things like MSN, Skype, and stuff like that. I need to log them, because the HTTP will not give me an accurate representation of how much data people have used
 
Old 10-05-2008, 10:41 PM   #5
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 7.7 (?), Centos 8.1
Posts: 17,735

Rep: Reputation: 2523Reputation: 2523Reputation: 2523Reputation: 2523Reputation: 2523Reputation: 2523Reputation: 2523Reputation: 2523Reputation: 2523Reputation: 2523Reputation: 2523
You can use iptables to log traffic, but be aware that on a busy system that could be a lot of disk space. You prob want to pick protocols to log carefully.
snort: http://www.snort.org/ (Intrusion Detection System inc logging etc.)
 
Old 10-06-2008, 02:41 AM   #6
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Quote:
Originally Posted by chrism01 View Post
You can use iptables to log traffic, but be aware that on a busy system that could be a lot of disk space. You prob want to pick protocols to log carefully.
If you use iptables to log every message then it can take a lot of disk space. But if all you want are total number of bytes, as I demonstrated in post #2, then the only disk space required is to save the totals across reboots, which is a very small file.

I demonstrated getting totals for an individual IP address. To break it down by port numbers, simply add more criterea to the rules. I am not aware of a way for iptables to do deep packet inspection, but there may be some modules available that I haven't taken the time to learn about.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
resource usage logging bigearsbilly Solaris / OpenSolaris 2 07-16-2007 04:46 AM
Tools for Logging Network Usage Statistics sadscientist Linux - Networking 1 11-26-2005 03:28 PM
Logging CPU / Memory Usage bastien Fedora 1 05-07-2005 09:16 PM
Setting up an internet gateway with web usage logging jcbeckettnz Linux - Newbie 7 05-03-2005 08:20 AM
Logging data usage Jazza005 Linux - Networking 7 03-17-2003 01:17 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 12:29 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration