Can somebody explain to me what is wrong? I've got this code:
# reset the built-in chain policies to ACCEPT, then flush every rule and delete all user chains
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
# one accounting chain per traffic class; each of them ends with a jump to the
# (deliberately empty) traffic-output chain, which just returns to the caller.
# The -F right after each -N is harmless: a freshly created chain is already empty.
iptables -N traffic-output
iptables -F traffic-output
iptables -N all-traffic
iptables -F all-traffic
iptables -N ssh-traffic
iptables -F ssh-traffic
iptables -N www-traffic
iptables -F www-traffic
iptables -N smb139-traffic
iptables -F smb139-traffic
iptables -N smb445-traffic
iptables -F smb445-traffic
# every packet in and out passes through all-traffic first (total counters)
iptables -A INPUT -j all-traffic
iptables -A OUTPUT -j all-traffic
iptables -A all-traffic -j traffic-output
# per-service counters, written from the server's point of view:
# incoming packets have the service port as --dport, outgoing ones as --sport
iptables -A INPUT -p tcp --dport 22 -j ssh-traffic
iptables -A OUTPUT -p tcp --sport 22 -j ssh-traffic
iptables -A ssh-traffic -j traffic-output
iptables -A INPUT -p tcp --dport 80 -j www-traffic
iptables -A OUTPUT -p tcp --sport 80 -j www-traffic
iptables -A www-traffic -j traffic-output
iptables -A INPUT -p tcp --dport 139 -j smb139-traffic
iptables -A OUTPUT -p tcp --sport 139 -j smb139-traffic
iptables -A smb139-traffic -j traffic-output
iptables -A INPUT -p tcp --dport 445 -j smb445-traffic
iptables -A OUTPUT -p tcp --sport 445 -j smb445-traffic
iptables -A smb445-traffic -j traffic-output
On Debian with iptables 1.4.14 that code works - that means every chain counts data.
On Arch with iptables 1.4.19.1 it doesn't work. Only the chain "all-traffic" is counted.
On CentOS with iptables 1.4.7 it is the same problem as on Arch.
Last edited by koralgolek (2013-09-03 09:57:47)
I never understand these, but doesn't
iptables -A INPUT -j all-traffic
iptables -A OUTPUT -j all-traffic
iptables -A all-traffic -j traffic-output
basically send everything immediately via all-traffic to traffic-output? So nothing will ever reach the other rules.
CLI Paste | How To Ask Questions
Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
I commented these 3 lines out and it still doesn't work. I expected that ssh-traffic would start counting but it didn't.
Did you check that everything was flushed correctly and that iptables was using the new rules?
Problem is solved. The problem was in --dport and --sport: I swapped them and it works.
So the question is why it works on Debian?
Answer: Debian is a machine that I log in to remotely, so I connect to its ssh and other services. There is a little difference between connecting to a server and counting traffic on it, and counting on the client machine.
Last edited by koralgolek (2013-09-03 10:07:07)
Are you saying it works on the Debian machine even with those three lines uncommented? I don't understand how that's possible...
The reason it works with or without the three rules: every packet goes to "traffic-output" after a few rules. However, "traffic-output" is an empty chain. So the packet traverses the next rules until it may be counted (with a -j traffic-output again) and finally, tired of empty jump targets, passes via the default policy (e.g. -P OUTPUT ACCEPT).
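To make the two points above concrete (an empty user chain returns to the caller, so every later rule still sees the packet; and the server-side --dport/--sport rules never match on a client), here is a small model of netfilter chain traversal. It is an added example, not iptables code and not anything from this thread; the packets are constructed, and the model only covers matching, jumps, RETURN on an exhausted user chain and the built-in chain policy.

```python
"""Toy model of netfilter chain traversal (added illustration, not iptables code).

It models only what matters for the thread:
  * a matching rule increments that rule's pkts/bytes counters;
  * '-j <user chain>' descends into that chain;
  * a user chain that runs out of rules RETURNs to the rule after the jump;
  * a built-in chain that runs out of rules applies its policy.
Packets are constructed dicts, not captured traffic.
"""
from dataclasses import dataclass, field
from typing import Optional

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
BUILTIN_POLICY = {"INPUT": "ACCEPT", "OUTPUT": "ACCEPT", "FORWARD": "ACCEPT"}


@dataclass
class Rule:
    target: str
    proto: Optional[str] = None
    dport: Optional[int] = None
    sport: Optional[int] = None
    pkts: int = 0
    bytes: int = 0

    def matches(self, pkt):
        return (
            (self.proto is None or pkt["proto"] == self.proto)
            and (self.dport is None or pkt.get("dport") == self.dport)
            and (self.sport is None or pkt.get("sport") == self.sport)
        )


@dataclass
class Ruleset:
    chains: dict = field(default_factory=dict)

    def new_chain(self, name):            # iptables -N
        self.chains.setdefault(name, [])

    def append(self, chain, rule):        # iptables -A
        self.chains[chain].append(rule)

    def traverse(self, chain, pkt):
        """Verdict for pkt entering `chain`: ACCEPT/DROP/REJECT, or RETURN for a user chain."""
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            rule.pkts += 1
            rule.bytes += pkt["len"]
            if rule.target in TERMINAL:
                return rule.target
            if rule.target == "RETURN":
                return BUILTIN_POLICY.get(chain, "RETURN")
            verdict = self.traverse(rule.target, pkt)    # jump into a user chain
            if verdict != "RETURN":
                return verdict
            # the user chain fell off its end (e.g. the empty traffic-output): keep going
        return BUILTIN_POLICY.get(chain, "RETURN")

    def counters(self, chain):
        return [(r.target, r.pkts, r.bytes) for r in self.chains[chain]]


def build_ruleset():
    """The thread's layout (ssh and www only), with the server-side --dport/--sport."""
    rs = Ruleset()
    for c in ("INPUT", "OUTPUT", "FORWARD", "traffic-output",
              "all-traffic", "ssh-traffic", "www-traffic"):
        rs.new_chain(c)
    rs.append("INPUT", Rule("all-traffic"))
    rs.append("OUTPUT", Rule("all-traffic"))
    rs.append("all-traffic", Rule("traffic-output"))
    rs.append("INPUT", Rule("ssh-traffic", proto="tcp", dport=22))
    rs.append("OUTPUT", Rule("ssh-traffic", proto="tcp", sport=22))
    rs.append("ssh-traffic", Rule("traffic-output"))
    rs.append("INPUT", Rule("www-traffic", proto="tcp", dport=80))
    rs.append("OUTPUT", Rule("www-traffic", proto="tcp", sport=80))
    rs.append("www-traffic", Rule("traffic-output"))
    return rs


def count_on_server():
    """An SSH session as the *server* sees it: client->22 on INPUT, 22->client on OUTPUT."""
    rs = build_ruleset()
    rs.traverse("INPUT", {"proto": "tcp", "sport": 51234, "dport": 22, "len": 100})
    rs.traverse("OUTPUT", {"proto": "tcp", "sport": 22, "dport": 51234, "len": 200})
    return rs


def count_on_client():
    """The same ruleset on the *client*: packets from the server arrive with sport 22,
    so the server-oriented '--dport 22' INPUT rule never matches and ssh-traffic stays 0."""
    rs = build_ruleset()
    rs.traverse("INPUT", {"proto": "tcp", "sport": 22, "dport": 51234, "len": 100})
    rs.traverse("OUTPUT", {"proto": "tcp", "sport": 51234, "dport": 22, "len": 60})
    return rs


if __name__ == "__main__":
    for label, rs in (("server", count_on_server()), ("client", count_on_client())):
        print(label, "all-traffic:", rs.counters("all-traffic"),
              "ssh-traffic:", rs.counters("ssh-traffic"))
```

Running it shows the server side counting the session in both all-traffic and ssh-traffic, while the client side counts it only in all-traffic, which is exactly the symptom reported at the top of the thread.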
OK. Thanks.
So would it be equivalent if you removed those 3 lines and removed the 3rd line in each of the counting sets which jumps to traffic-output as well as the lines setting up the all-traffic and traffic-output chains?
I don't know exactly how this works, but "traffic-output" is a helper, I think. Without it I can't count traffic with
ALL=`${GREP_BIN} -A 2 "Chain all-traffic" ${LOGPATH}/tmpfile | ${TAIL_BIN} -n 1 | ${AWK_BIN} '{print $2}'`
echo -n "$ALL" > ${LOGPATH}/all-traffic
Chain INPUT (policy ACCEPT 22667586 packets, 14171167058 bytes)
pkts bytes target prot opt in out source destination
22667586 14171167058 all-traffic all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ssh-traffic tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22
6708132 6335579351 www-traffic tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80
0 0 ftp-traffic tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20
207290 184172880 radio-traffic tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:8000
0 0 gre-traffic 47 -- * * 0.0.0.0/0 0.0.0.0/0
861845 127458416 udp-traffic udp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 9952226 packets, 1190096720 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 25693737 packets, 16639842951 bytes)
pkts bytes target prot opt in out source destination
0 0 ssh-traffic tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
5755417 903418420 www-traffic tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ftp-traffic tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
201706 10553522 radio-traffic tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8000
0 0 gre-traffic 47 -- * * 0.0.0.0/0 0.0.0.0/0
488561 34544719 udp-traffic udp -- * * 0.0.0.0/0 0.0.0.0/0
Chain all-traffic (1 references)
pkts bytes target prot opt in out source destination
22667586 14171167058 traffic-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ftp-traffic (2 references)
pkts bytes target prot opt in out source destination
0 0 traffic-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain gre-traffic (2 references)
pkts bytes target prot opt in out source destination
0 0 traffic-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain radio-traffic (2 references)
pkts bytes target prot opt in out source destination
408996 194726402 traffic-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ssh-traffic (2 references)
pkts bytes target prot opt in out source destination
0 0 traffic-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain traffic-output (7 references)
pkts bytes target prot opt in out source destination
Chain udp-traffic (2 references)
pkts bytes target prot opt in out source destination
1350406 162003135 traffic-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain www-traffic (2 references)
pkts bytes target prot opt in out source destination
12463549 7238997771 traffic-output all -- * * 0.0.0.0/0 0.0.0.0/0
When I remove traffic-output, every chain at the bottom looks like traffic-output in the example above (there is an empty line, without even a 0).
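The grep/tail/awk pipeline above breaks on an empty chain because there is no rule line to pick up. As an added example (not the thread's script and not the hilands.com code), here is a parser for iptables -nvL / -nvxL output that knows the column layout, returns (0, 0) for an empty chain, and copes with a rule that has no -j target (iptables prints a blank target column there, which shifts the fields). The sample listing is constructed from the output posted above plus one made-up target-less rule.

```python
"""Parser for `iptables -nvL` / `iptables -nvxL` output (added example, not the thread's script)."""
import re

# "Chain INPUT (policy ACCEPT 22667586 packets, 14171167058 bytes)"
# "Chain all-traffic (1 references)"
CHAIN_RE = re.compile(
    r"^Chain (\S+) \((?:policy (\S+) (\d+) packets, (\d+) bytes|(\d+) references)\)$"
)
# Without -x/--exact iptables abbreviates large counters with K/M/G/T (base 1000),
# so values parsed from abbreviated output are rounded; use -x in scripts.
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}

# Constructed sample: trimmed from the listing in the thread, plus one made-up
# rule without a target (the 'tcp dpt:443' line) to exercise the blank-target case.
SAMPLE = """\
Chain INPUT (policy ACCEPT 22667586 packets, 14171167058 bytes)
    pkts      bytes target       prot opt in     out     source               destination
22667586 14171167058 all-traffic  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0          0 ssh-traffic  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22
 6708132 6335579351 www-traffic  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80
      42       4200              tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain all-traffic (1 references)
    pkts      bytes target       prot opt in     out     source               destination
22667586 14171167058 traffic-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain traffic-output (7 references)
    pkts      bytes target       prot opt in     out     source               destination

Chain www-traffic (2 references)
    pkts      bytes target       prot opt in     out     source               destination
12463549 7238997771 traffic-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""


def to_int(tok):
    """Turn a counter token such as '14171167058' or '6335M' into an int."""
    if tok[-1] in SUFFIX:
        return int(tok[:-1]) * SUFFIX[tok[-1]]
    return int(tok)


def parse_iptables_nvl(text):
    """Return {chain: {policy, policy_pkts, policy_bytes, references, rules}}."""
    chains = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line.strip():
            continue
        m = CHAIN_RE.match(line)
        if m:
            name, policy, ppk, pby, refs = m.groups()
            current = {
                "policy": policy,                       # None for user chains
                "policy_pkts": int(ppk) if ppk else None,
                "policy_bytes": int(pby) if pby else None,
                "references": int(refs) if refs else None,
                "rules": [],
            }
            chains[name] = current
            continue
        toks = line.split()
        if toks[0] == "pkts" or current is None:
            continue                                    # column header line
        # The 'opt' column is always '--', '-f' or '!f'; anchor on it because a rule
        # without -j prints an empty target column and shifts everything left by one.
        opt_idx = next(i for i, t in enumerate(toks) if t in ("--", "-f", "!f"))
        current["rules"].append({
            "pkts": to_int(toks[0]),
            "bytes": to_int(toks[1]),
            "target": toks[2] if opt_idx == 4 else "",
            "prot": toks[opt_idx - 1],
            "in": toks[opt_idx + 1],
            "out": toks[opt_idx + 2],
            "src": toks[opt_idx + 3],
            "dst": toks[opt_idx + 4],
            "match": " ".join(toks[opt_idx + 5:]),      # e.g. 'tcp spt:22'
        })
    return chains


def chain_counters(chains, name):
    """Sum of (pkts, bytes) over the rules of a chain; (0, 0) for an empty chain."""
    rules = chains[name]["rules"]
    return (sum(r["pkts"] for r in rules), sum(r["bytes"] for r in rules))


def jump_counters(chains, name, target):
    """Counters of the rule in `name` that jumps to `target`, or None if there is none."""
    for r in chains[name]["rules"]:
        if r["target"] == target:
            return (r["pkts"], r["bytes"])
    return None


if __name__ == "__main__":
    parsed = parse_iptables_nvl(SAMPLE)
    for chain in parsed:
        print(f"{chain:16s} {chain_counters(parsed, chain)}")
```

In a real script feed it the output of iptables -nvxL (with -x) so the counters are exact, and read all-traffic via jump_counters(chains, "all-traffic", "traffic-output") or chain_counters; either returns a number even when the chain has never matched anything.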
Maybe you can explain to us again what you want to achieve.
If you only want to see the packets and bytes for the types of traffic, there is no need for any extra chain - is there? Why do you use them?
iptables -F
iptables -X
iptables -A INPUT -p tcp --sport 80 -j ACCEPT -m comment --comment "traffic-http"
iptables -A INPUT -p tcp --sport 22 -j ACCEPT -m comment --comment "traffic-ssh"
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "traffic-http"
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT -m comment --comment "traffic-ssh"
iptables -A OUTPUT -p tcp -j ACCEPT -m comment --comment "traffic-rest"
$ sudo iptables -nvL | grep traffic
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 /* traffic-http */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 /* traffic-ssh */
486 66600 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 /* traffic-http */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 /* traffic-ssh */
11 1647 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* traffic-rest */
I tried to connect rrdtool with iptables. I was guided by this site http://www.hilands.com/os-linux-serverstats.html from where I got scripts to obtain numbers from iptables' chains.
Interesting. Well, both work generally, but they have built that tool on the rules you set up. The marking according to the texts "www-traffic" etc. would not be necessary (the tool could just parse the log lines with the correct --sport and --dport params for that). But the question that matters (for a server) behind it is which way of processing the rules is most efficient for the machine. Yet that's maybe negligible for such simple rules. Have fun setting it up.