Traffic Accounting with Linux IPTables

You're viewing a comment by hjs and its responses.

hjs Permalink
April 19, 2010, 22:39

Let us do some real world accounting: Given iptable rules from the famous Linux IP-Masquerade-HOWTO [1], i.e.

IPTABLES=/sbin/iptables 
EXTIF="ppp0"
INTIF="eth1"
EXTIP="xxx.xxx.xxx.xxx"
INTNET="192.168.0.0/24"
INTIP="192.168.0.1/32"
UNIVERSE="0.0.0.0/0"
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j DROP
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
 ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j DROP
$IPTABLES -A OUTPUT -m state -p icmp --state INVALID -j DROP
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j DROP
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j DROP
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state \ 
  ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j DROP
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

For this firewall

iptables -L -nvx

returns something like the following

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts    bytes target   prot opt in     out     source           destination          
    0      (a) ACCEPT   all  --  lo     *       0.0.0.0/0        0.0.0.0/0           
11940      (b) ACCEPT   all  --  eth1   *       192.168.0.0/24   0.0.0.0/0           
    0      (i) REJECT   all  --  ppp0   *       192.168.0.0/24   0.0.0.0/0        reject-with icmp-port-unreachable 
 1147     (ii) ACCEPT   all  --  ppp0   *       0.0.0.0/0        xxx.xxx.xxx.xxx state RELATED,ESTABLISHED 
  174    (iii) REJECT   all  --  *      *       0.0.0.0/0        0.0.0.0/0       reject-with icmp-port-unreachable 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts    bytes target   prot opt in     out     source           destination         
50119     (iv) ACCEPT   all  --  ppp0   eth1    0.0.0.0/0        0.0.0.0/0       state RELATED,ESTABLISHE 
42148      (c) ACCEPT   all  --  eth1   ppp0    0.0.0.0/0        0.0.0.0/0       
    0       0  REJECT   all  --  *      *       0.0.0.0/0        0.0.0.0/0       reject-with icmp-port-unreachable 

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts    bytes target   prot opt in     out     source           destination         
   21    1608  DROP     icmp --  *      *       0.0.0.0/0        0.0.0.0/0       state INVALID
    0      (d) ACCEPT   all  --  *      lo      0.0.0.0/0        0.0.0.0/0           
    0       0  ACCEPT   all  --  *      eth1    xxx.xxx.xxx.xxx  192.168.0.0/24      
 7620  655618  ACCEPT   all  --  *      eth1    192.168.0.1      192.168.0.0/24      
    0       0  REJECT   all  --  *      ppp0    0.0.0.0/0        192.168.0.0/24  reject-with icmp-port-unreachable
 1331      (e) ACCEPT   all  --  *      ppp0    xxx.xxx.xxx.xxx  0.0.0.0/0           
    0      (v) REJECT   all  --  *      *       0.0.0.0/0        0.0.0.0/0

NB.: Some numbers of bytes were replaced by (a), (b),..., (e), (i), (ii),..., (v).

Then

Upload  =(a)+ (b)+...+(e)
Download=(i)+(ii)+...+(v)

Would you confirm?

Regards
HJS

[1] http://tldp.org/HOWTO/IP-Masquerade-HOWTO/stronger-firewall-examples.html#RC.FIREWALL-IPTABLES-STRONGER

Reply to this comment

Reply To This Comment

(why do I need your e-mail?)

(Your twitter name, if you have one. (I'm @pkrumins, btw.))

Comment Help

Type first 3 letters of your name: (just to make sure you're a human)

Please preview the comment before submitting to make sure it's OK.