
#1 2011-02-21 10:45:35

Kosmonavt
Member
Registered: 2010-02-15
Posts: 100

[solved] iptables - inverting IP match

Hi all,

I'm setting up traffic accounting and have run into a nasty problem with iptables. I need to count forwarded traffic, but not traffic from certain subnets. I wrote the following in my firewall script:

# Accounting chain: a rule with no -j target only updates its counters
iptables -N TRAFFIC_FWD

# Meant to send only traffic outside the excluded subnets into the accounting chain
for i in $LOCAL_ADDR ; do
    iptables -A FORWARD ! -d $i -j TRAFFIC_FWD
    iptables -A FORWARD ! -s $i -j TRAFFIC_FWD
done

# Counting rules for the metered address (match and count only, no target)
iptables -A TRAFFIC_FWD -s $TARGET_IP
iptables -A TRAFFIC_FWD -d $TARGET_IP

iptables -A TRAFFIC_FWD -j RETURN

But iptables -L TRAFFIC_FWD -v shows all traffic, including traffic from the local subnets. What am I doing wrong?

Last edited by Kosmonavt (2011-02-23 09:05:12)


#2 2011-02-21 22:00:21

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217

Re: [solved] iptables - inverting IP match

Show us the output of `iptables -nvL`, and what are "$LOCAL_ADDR" and "$TARGET_IP"?


#3 2011-02-22 08:19:23

Kosmonavt
Member
Registered: 2010-02-15
Posts: 100

Re: [solved] iptables - inverting IP match

Sorry for the late reply, but I fixed it. Dunno what the real reason was; I just rewrote these rules from scratch. Now I have:

iptables -N TRAFFIC_FWD

# Send only traffic to or from the metered address into the accounting chain
iptables -A FORWARD -s $TARGET_IP -j TRAFFIC_FWD
iptables -A FORWARD -d $TARGET_IP -j TRAFFIC_FWD

# Leave the chain early for anything to or from an excluded subnet
for i in $LOCAL_ADDR ; do
    iptables -A TRAFFIC_FWD -s $i -j RETURN
    iptables -A TRAFFIC_FWD -d $i -j RETURN
done

# Whatever is left is billable: match everything and count it (no target)
iptables -A TRAFFIC_FWD -d 0.0.0.0/0

iptables -A TRAFFIC_FWD -j RETURN

This rule set is on a gateway; $TARGET_IP is the address whose traffic is counted, and $LOCAL_ADDR holds the subnets to exclude from the total. The situation is as follows: the ISP charges per byte, but only for Internet traffic, excluding some ISP resources in the $LOCAL_ADDR subnets. So I needed to set up a simple billing system.


#4 2011-02-22 10:12:35

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: [solved] iptables - inverting IP match

Kosmonavt wrote:

Dunno what was real reason, I just rewrote these rules from scratch

This is the reason.

for i in $LOCAL_ADDR ; do
    iptables -A FORWARD ! -d $i -j TRAFFIC_FWD
    iptables -A FORWARD ! -s $i -j TRAFFIC_FWD
done

Consider what this expands to with two IPs, 192.168.1.1 and 192.168.1.2:

# first loop iteration (i=192.168.1.1)
iptables -A FORWARD ! -d 192.168.1.1 -j TRAFFIC_FWD
iptables -A FORWARD ! -s 192.168.1.1 -j TRAFFIC_FWD

# second loop iteration (i=192.168.1.2)
iptables -A FORWARD ! -d 192.168.1.2 -j TRAFFIC_FWD
iptables -A FORWARD ! -s 192.168.1.2 -j TRAFFIC_FWD

Now consider that when either IP passes down the chain and the rules are tested, it will match at least one of those rules. For example, 192.168.1.1 matches the second pair of rules.

The way you are doing it now (after rewriting) is much better.

Last edited by cactus (2011-02-22 10:13:43)


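To make the explanation above concrete, here is an added example (not part of the thread, and not real iptables) that models the netfilter chain walk in plain Python and runs both rule sets from the thread against the same sample packets. The subnets in LOCAL_ADDR, the TARGET_IP value and the packet list are constructed for illustration; the model only implements the subset of iptables syntax the thread uses (optionally negated -s/-d CIDR matches and -j CHAIN / -j RETURN), and treats a rule with no target as a counting rule, which is how the thread uses them.

```python
"""Toy model of the netfilter chain walk, used to compare the two rule sets
from the thread.  Constructed example, not real iptables."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed values for the example (documentation/private ranges)
LOCAL_ADDR = ["192.168.1.0/24", "10.0.0.0/8"]   # "ISP-internal" subnets to exclude
TARGET_IP = "203.0.113.10"                      # address whose traffic is metered


@dataclass
class Rule:
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    neg_src: bool = False
    neg_dst: bool = False
    target: Optional[str] = None  # chain name, "RETURN", or None = count only

    def matches(self, s: ipaddress.IPv4Address, d: ipaddress.IPv4Address) -> bool:
        # A negated match ("! -s X") succeeds exactly when the plain match fails
        if self.src is not None and (s in self.src) == self.neg_src:
            return False
        if self.dst is not None and (d in self.dst) == self.neg_dst:
            return False
        return True


def parse_rule(spec: str) -> Rule:
    """Parse the subset of iptables syntax used in the thread: [!] -s/-d CIDR, -j TARGET."""
    rule = Rule()
    toks = spec.split()
    i = 0
    negate = False
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            negate = True
            i += 1
            continue
        if tok == "-s":
            rule.src = ipaddress.ip_network(toks[i + 1], strict=False)
            rule.neg_src = negate
        elif tok == "-d":
            rule.dst = ipaddress.ip_network(toks[i + 1], strict=False)
            rule.neg_dst = negate
        elif tok == "-j":
            rule.target = toks[i + 1]
        else:
            raise ValueError("unsupported token %r" % tok)
        negate = False
        i += 2
    return rule


Chains = Dict[str, List[Rule]]


def append(chains: Chains, chain: str, spec: str) -> None:
    """Equivalent of `iptables -A CHAIN spec`."""
    chains.setdefault(chain, []).append(parse_rule(spec))


def walk(chains: Chains, chain: str, s: ipaddress.IPv4Address,
         d: ipaddress.IPv4Address) -> int:
    """Walk one chain for one packet; return how many counting rules it hit."""
    hits = 0
    for rule in chains[chain]:
        if not rule.matches(s, d):
            continue
        if rule.target is None:
            hits += 1                      # counting rule: bump counters, keep going
        elif rule.target == "RETURN":
            return hits                    # back to the calling chain
        else:
            hits += walk(chains, rule.target, s, d)  # user chain, then continue here
    return hits


def count_forwarded(chains: Chains, packets: List[Tuple[str, str]]) -> List[int]:
    """Per-packet number of times the accounting rules counted it."""
    return [walk(chains, "FORWARD", ipaddress.ip_address(s), ipaddress.ip_address(d))
            for s, d in packets]


def buggy_ruleset() -> Chains:
    """The first post's rules: negated matches, one rule per subnet."""
    chains: Chains = {"FORWARD": [], "TRAFFIC_FWD": []}
    for net in LOCAL_ADDR:
        append(chains, "FORWARD", "! -d %s -j TRAFFIC_FWD" % net)
        append(chains, "FORWARD", "! -s %s -j TRAFFIC_FWD" % net)
    append(chains, "TRAFFIC_FWD", "-s %s" % TARGET_IP)
    append(chains, "TRAFFIC_FWD", "-d %s" % TARGET_IP)
    append(chains, "TRAFFIC_FWD", "-j RETURN")
    return chains


def fixed_ruleset() -> Chains:
    """The rewritten rules: jump on the metered address, RETURN on excluded subnets."""
    chains: Chains = {"FORWARD": [], "TRAFFIC_FWD": []}
    append(chains, "FORWARD", "-s %s -j TRAFFIC_FWD" % TARGET_IP)
    append(chains, "FORWARD", "-d %s -j TRAFFIC_FWD" % TARGET_IP)
    for net in LOCAL_ADDR:
        append(chains, "TRAFFIC_FWD", "-s %s -j RETURN" % net)
        append(chains, "TRAFFIC_FWD", "-d %s -j RETURN" % net)
    append(chains, "TRAFFIC_FWD", "-d 0.0.0.0/0")
    append(chains, "TRAFFIC_FWD", "-j RETURN")
    return chains


# Constructed sample packets as (src, dst)
PACKETS = [
    (TARGET_IP, "198.51.100.7"),      # metered host -> Internet: billable
    ("192.168.1.5", TARGET_IP),       # excluded subnet -> metered host: free
    (TARGET_IP, "10.20.30.40"),       # metered host -> excluded subnet: free
    ("198.51.100.7", "192.168.1.5"),  # unrelated forwarded traffic
]

if __name__ == "__main__":
    print("buggy:", count_forwarded(buggy_ruleset(), PACKETS))  # [4, 3, 3, 0]
    print("fixed:", count_forwarded(fixed_ruleset(), PACKETS))  # [1, 0, 0, 0]
```

Two things stand out in the model's output. With the first rule set, traffic to or from the excluded subnets is still counted, because with two subnets a packet only has to miss one of them for some negated rule to match; and the one genuinely billable packet is counted four times, once per matching FORWARD rule, so the totals would be inflated even without the exclusion problem. The rewritten rule set counts the billable packet exactly once and nothing else, which is why the RETURN-on-exclusion approach is the right shape for this kind of accounting.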

#5 2011-02-23 09:04:54

Kosmonavt
Member
Registered: 2010-02-15
Posts: 100

Re: [solved] iptables - inverting IP match

Many thanks for the detailed explanation of my mistake! At first I hadn't noticed such a fault in the algorithm.

