Hi all,
I'm setting up traffic accounting and have run into a nasty problem with iptables. I need to count forwarded traffic, but not from certain subnets. I wrote the following in my firewall script:
iptables -N TRAFFIC_FWD
# one pair of negated jump rules per excluded address
for i in $LOCAL_ADDR ; do
iptables -A FORWARD ! -d "$i" -j TRAFFIC_FWD
iptables -A FORWARD ! -s "$i" -j TRAFFIC_FWD
done
# count-only rules (no target), then back to FORWARD
iptables -A TRAFFIC_FWD -s "$TARGET_IP"
iptables -A TRAFFIC_FWD -d "$TARGET_IP"
iptables -A TRAFFIC_FWD -j RETURN
But iptables -L TRAFFIC_FWD -v shows all traffic, including traffic from the local subnets. What am I doing wrong?
Last edited by Kosmonavt (2011-02-23 09:05:12)
Show us the output of `iptables -nvL`, and what are "$LOCAL_ADDR" and "$TARGET_IP"?
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
Sorry for the late reply, but I fixed it. Dunno what the real reason was; I just rewrote these rules from scratch. Now I have:
iptables -N TRAFFIC_FWD
# only the counted host's traffic enters the accounting chain
iptables -A FORWARD -s "$TARGET_IP" -j TRAFFIC_FWD
iptables -A FORWARD -d "$TARGET_IP" -j TRAFFIC_FWD
# leave the chain before counting if either end is an excluded subnet
for i in $LOCAL_ADDR ; do
iptables -A TRAFFIC_FWD -s "$i" -j RETURN
iptables -A TRAFFIC_FWD -d "$i" -j RETURN
done
# count-only rule for everything that is left, then back to FORWARD
iptables -A TRAFFIC_FWD -d 0.0.0.0/0
iptables -A TRAFFIC_FWD -j RETURN
These rules are on a gateway; $TARGET_IP is the address whose traffic is counted, and $LOCAL_ADDR holds the subnets to exclude from the total. The situation here is as follows: the ISP charges per byte for Internet traffic, but excludes some ISP resources in the $LOCAL_ADDR subnets. So I needed to set up a simple billing system.
Dunno what was real reason, I just rewrote these rules from scratch
This is the reason.
for i in $LOCAL_ADDR ; do
iptables -A FORWARD ! -d $i -j TRAFFIC_FWD
iptables -A FORWARD ! -s $i -j TRAFFIC_FWD
done
Consider what this expands to with two IPs, 192.168.1.1 and 192.168.1.2:
iptables -A FORWARD ! -s 192.168.1.1 -j TRAFFIC_FWD
iptables -A FORWARD ! -d 192.168.1.1 -j TRAFFIC_FWD
iptables -A FORWARD ! -s 192.168.1.2 -j TRAFFIC_FWD
iptables -A FORWARD ! -d 192.168.1.2 -j TRAFFIC_FWD
Now consider that when either IP passes down the chain and the rules are tested, it will match at least one of those rules. For example, 192.168.1.1 matches the second pair of rules.
The way you are doing it now (after rewriting) is much better.
Last edited by cactus (2011-02-22 10:13:43)
"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
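To make cactus's point concrete for both rule sets in this thread, here is an added example (not code from the thread or from either poster): a small Python model of iptables chain evaluation with negated matches, jumps into a user chain, RETURN, and per-rule byte counters. It loads the original rules and the rewritten rules, pushes the same constructed packets through FORWARD, and reports what the count-only rules in TRAFFIC_FWD would bill. The values of TARGET_IP and LOCAL_ADDR are made up for the example; LOCAL_ADDR uses the two hosts cactus expanded the loop with. The model only covers what the thread uses (one table, -s/-d with "!", -j, RETURN, counters), so it is not a general iptables simulator.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional

# Constructed values for the example (not from the thread).
TARGET_IP = "10.0.0.5"                          # host whose traffic is billed
LOCAL_ADDR = ["192.168.1.1", "192.168.1.2"]     # excluded addresses (hosts or subnets)


@dataclass
class Rule:
    """One rule: optional -s/-d matches (each negatable with '!') and a target.
    target None is a count-only rule, 'RETURN' goes back to the caller,
    any other name is a -j into a user chain."""
    src: Optional[str] = None
    dst: Optional[str] = None
    neg_src: bool = False
    neg_dst: bool = False
    target: Optional[str] = None
    bytes: int = 0


def _matches(addr: str, net: Optional[str], negate: bool) -> bool:
    if net is None:
        return True                         # no -s/-d given: always matches
    hit = ip_address(addr) in ip_network(net, strict=False)
    return hit != negate                    # '!' inverts the match


class Firewall:
    def __init__(self) -> None:
        self.chains = {"FORWARD": []}       # type: dict

    def new_chain(self, name: str) -> None:         # iptables -N
        self.chains[name] = []

    def append(self, chain: str, **kw) -> None:      # iptables -A
        self.chains[chain].append(Rule(**kw))

    def _walk(self, chain: str, src: str, dst: str, size: int) -> None:
        for rule in self.chains[chain]:
            if not (_matches(src, rule.src, rule.neg_src)
                    and _matches(dst, rule.dst, rule.neg_dst)):
                continue
            rule.bytes += size              # every matching rule bumps its counter
            if rule.target == "RETURN":
                return                      # back to the calling chain
            if rule.target is not None:
                # Jump into the user chain; when it returns, evaluation continues
                # with the NEXT rule here. With four negated jump rules this is
                # why one packet can enter TRAFFIC_FWD several times.
                self._walk(rule.target, src, dst, size)

    def forward(self, src: str, dst: str, size: int) -> None:
        self._walk("FORWARD", src, dst, size)

    def counted_bytes(self, chain: str = "TRAFFIC_FWD") -> int:
        """Sum over the count-only rules, i.e. what iptables -nvL would show as billed."""
        return sum(r.bytes for r in self.chains[chain] if r.target is None)


def build_original(local: List[str], target: str) -> Firewall:
    """The first version from the thread: negated jumps in FORWARD, counting inside."""
    fw = Firewall()
    fw.new_chain("TRAFFIC_FWD")
    for i in local:
        fw.append("FORWARD", dst=i, neg_dst=True, target="TRAFFIC_FWD")   # ! -d $i
        fw.append("FORWARD", src=i, neg_src=True, target="TRAFFIC_FWD")   # ! -s $i
    fw.append("TRAFFIC_FWD", src=target)                                  # count only
    fw.append("TRAFFIC_FWD", dst=target)                                  # count only
    fw.append("TRAFFIC_FWD", target="RETURN")
    return fw


def build_rewritten(local: List[str], target: str) -> Firewall:
    """The rewritten version: jump on the counted host, RETURN on excluded addresses."""
    fw = Firewall()
    fw.new_chain("TRAFFIC_FWD")
    fw.append("FORWARD", src=target, target="TRAFFIC_FWD")
    fw.append("FORWARD", dst=target, target="TRAFFIC_FWD")
    for i in local:
        fw.append("TRAFFIC_FWD", src=i, target="RETURN")
        fw.append("TRAFFIC_FWD", dst=i, target="RETURN")
    fw.append("TRAFFIC_FWD", dst="0.0.0.0/0")                             # count only
    fw.append("TRAFFIC_FWD", target="RETURN")
    return fw


# Constructed packets: (src, dst, bytes). Only the last two should be billed.
PACKETS = [
    (TARGET_IP, "192.168.1.1", 1000),   # counted host -> excluded host
    ("192.168.1.2", TARGET_IP, 500),    # excluded host -> counted host
    ("192.168.1.1", "8.8.8.8", 700),    # not the counted host at all
    (TARGET_IP, "8.8.8.8", 300),        # Internet traffic: bill it
    ("8.8.8.8", TARGET_IP, 200),        # Internet traffic: bill it
]


def billed_bytes(builder: Callable[[List[str], str], Firewall]) -> int:
    fw = builder(LOCAL_ADDR, TARGET_IP)
    for src, dst, size in PACKETS:
        fw.forward(src, dst, size)
    return fw.counted_bytes()


if __name__ == "__main__":
    print("original rules bill :", billed_bytes(build_original))    # 6500
    print("rewritten rules bill:", billed_bytes(build_rewritten))   # 500
```

The rewritten rules bill exactly the 500 bytes of Internet traffic. The original rules bill 6500: the two packets to and from the excluded hosts are counted (3000 and 1500 bytes), because each of them fails only one of the four negated rules and jumps on the other three, and the genuine Internet packets are counted four times each. Checking the per-rule byte column of `iptables -nvL FORWARD` for a single test packet is the quickest way to spot this kind of multiple-jump pattern on a real gateway.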
Great, thanks for the detailed explanation of my mistake! At first I hadn't noticed such a fault in the algorithm.