
#1 2013-08-26 21:42:49

koralgolek
Member
Registered: 2010-07-27
Posts: 23

[SOLVED] iptables chain's bytes counting problem

Can somebody explain to me what is wrong? I've got this code:

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X

iptables -N traffic-output
iptables -F traffic-output
iptables -N all-traffic
iptables -F all-traffic
iptables -N ssh-traffic
iptables -F ssh-traffic
iptables -N www-traffic
iptables -F www-traffic
iptables -N smb139-traffic
iptables -F smb139-traffic
iptables -N smb445-traffic
iptables -F smb445-traffic

iptables -A INPUT -j all-traffic
iptables -A OUTPUT -j all-traffic
iptables -A all-traffic -j traffic-output

iptables -A INPUT -p tcp --dport 22 -j ssh-traffic
iptables -A OUTPUT -p tcp --sport 22 -j ssh-traffic
iptables -A ssh-traffic -j traffic-output

iptables -A INPUT -p tcp --dport 80 -j www-traffic
iptables -A OUTPUT -p tcp --sport 80 -j www-traffic
iptables -A www-traffic -j traffic-output

iptables -A INPUT -p tcp --dport 139 -j smb139-traffic
iptables -A OUTPUT -p tcp --sport 139 -j smb139-traffic
iptables -A smb139-traffic -j traffic-output

iptables -A INPUT -p tcp --dport 445 -j smb445-traffic
iptables -A OUTPUT -p tcp --sport 445 -j smb445-traffic
iptables -A smb445-traffic -j traffic-output 

On Debian with iptables 1.4.14 that code works - that means every chain counts data.
On Arch with iptables 1.4.19.1 it doesn't work. Only the chain "all-traffic" is counted.
On CentOS with iptables 1.4.7 there is the same problem as on Arch.

Last edited by koralgolek (2013-09-03 09:57:47)


#2 2013-08-26 23:28:44

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,131

Re: [SOLVED] iptables chain's bytes counting problem

I never understand these but doesn't

iptables -A INPUT -j all-traffic
iptables -A OUTPUT -j all-traffic
iptables -A all-traffic -j traffic-output

basically send everything immediately via all-traffic to traffic-output? So nothing will ever reach the other rules.


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L


#3 2013-08-27 09:47:44

koralgolek
Member
Registered: 2010-07-27
Posts: 23

Re: [SOLVED] iptables chain's bytes counting problem

I commented these 3 lines out and it still doesn't work. I expected that ssh-traffic would start counting but it didn't.


#4 2013-08-27 20:33:44

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,131

Re: [SOLVED] iptables chain's bytes counting problem

Did you check that everything was flushed correctly and that iptables was using the new rules?




#5 2013-09-03 10:06:35

koralgolek
Member
Registered: 2010-07-27
Posts: 23

Re: [SOLVED] iptables chain's bytes counting problem

Problem is solved. The problem was in the --dport and --sport - I swapped them and it works.

So there is a question: why does it work on Debian?
Answer: Debian is a machine that I log in to remotely, so I connect to its ssh and others. There's a little difference between connecting to a server and counting traffic on it versus counting on the client machine ;)

Last edited by koralgolek (2013-09-03 10:07:07)


#6 2013-09-03 19:55:21

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,131

Re: [SOLVED] iptables chain's bytes counting problem

Are you saying it works on the Debian machine even with those three lines uncommented? I don't understand how that's possible...




#7 2013-09-03 22:11:29

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: [SOLVED] iptables chain's bytes counting problem

The reason it works even with/without the three rules: Every packet goes to "traffic-output" after a few rules. However, "traffic-output" is an empty chain. So, the packet traverses the next rules until it may be counted (with a -j traffic-output again) and finally, tired by empty jump targets, passes via the default policy (e.g. -P OUTPUT accept).

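A small model of netfilter chain traversal that reproduces the explanation above (added example, not code from the thread): a packet that reaches the end of a user-defined chain returns to the calling chain and continues with the next rule, so with an empty "traffic-output" every per-service chain still counts, while a terminal ACCEPT inside it would stop counting after "all-traffic". The rule set and sample packets are constructed to mirror the original post's INPUT chain.

```python
# Added example (not from the thread): toy model of iptables chain traversal.
# Only ACCEPT/DROP end traversal; falling off the end of a user chain returns
# to the caller, and falling off a built-in chain applies its policy.
from collections import defaultdict

TERMINAL = {"ACCEPT", "DROP"}

def matches(match, pkt):
    # match is None (match everything) or a dict of fields the packet must equal
    return match is None or all(pkt.get(k) == v for k, v in match.items())

def traverse(rules, chain, pkt, counters):
    """Walk one chain. Returns a verdict, or None if the chain was exhausted."""
    for idx, (match, target) in enumerate(rules[chain]):
        if not matches(match, pkt):
            continue
        counters[(chain, idx)] += pkt["len"]        # byte counter of the matched rule
        if target in TERMINAL:
            return target
        verdict = traverse(rules, target, pkt, counters)   # jump into a user chain
        if verdict is not None:
            return verdict                          # otherwise continue with next rule
    return None

def count_input(packets, traffic_output):
    """Run packets through INPUT (policy ACCEPT); return {(chain, rule_idx): bytes}."""
    rules = {                                       # mirrors the OP's INPUT-side rules
        "INPUT": [(None, "all-traffic"),
                  ({"proto": "tcp", "dport": 22}, "ssh-traffic"),
                  ({"proto": "tcp", "dport": 80}, "www-traffic")],
        "all-traffic": [(None, "traffic-output")],
        "ssh-traffic": [(None, "traffic-output")],
        "www-traffic": [(None, "traffic-output")],
        "traffic-output": traffic_output,           # [] = empty chain, as in the OP
    }
    counters = defaultdict(int)
    for pkt in packets:
        verdict = traverse(rules, "INPUT", pkt, counters)
        counters["verdict:" + (verdict or "policy-ACCEPT")] += 1
    return dict(counters)

# Constructed sample traffic: two ssh packets and one http packet arriving on INPUT.
SAMPLE = [{"proto": "tcp", "dport": 22, "len": 100},
          {"proto": "tcp", "dport": 22, "len": 60},
          {"proto": "tcp", "dport": 80, "len": 1500}]

if __name__ == "__main__":
    print(count_input(SAMPLE, []))                   # empty target: ssh/www chains count
    print(count_input(SAMPLE, [(None, "ACCEPT")]))   # terminal target: only all-traffic counts
```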

#8 2013-09-03 23:06:44

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,131

Re: [SOLVED] iptables chain's bytes counting problem

OK. Thanks.

So would it be equivalent if you removed those 3 lines and removed the 3rd line in each of the counting sets which jumps to traffic-output as well as the lines setting up the all-traffic and traffic-output chains?




#9 2013-09-04 10:20:59

koralgolek
Member
Registered: 2010-07-27
Posts: 23

Re: [SOLVED] iptables chain's bytes counting problem

I don't know how exactly this works, but "traffic-output" is an assistant, I think. Without it I can't count traffic by

ALL=`${GREP_BIN} -A 2 "Chain all-traffic" ${LOGPATH}/tmpfile | ${TAIL_BIN} -n 1 | ${AWK_BIN} '{print $2}'`
echo -n "$ALL" > ${LOGPATH}/all-traffic
Chain INPUT (policy ACCEPT 22667586 packets, 14171167058 bytes)
    pkts      bytes target     prot opt in     out     source               destination
22667586 14171167058 all-traffic  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ssh-traffic  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22
 6708132 6335579351 www-traffic  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80
       0        0 ftp-traffic  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:20
  207290 184172880 radio-traffic  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:8000
       0        0 gre-traffic  47   --  *      *       0.0.0.0/0            0.0.0.0/0
  861845 127458416 udp-traffic  udp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 9952226 packets, 1190096720 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 25693737 packets, 16639842951 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ssh-traffic  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
 5755417 903418420 www-traffic  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
       0        0 ftp-traffic  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:20
  201706 10553522 radio-traffic  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8000
       0        0 gre-traffic  47   --  *      *       0.0.0.0/0            0.0.0.0/0
  488561 34544719 udp-traffic  udp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain all-traffic (1 references)
    pkts      bytes target     prot opt in     out     source               destination
22667586 14171167058 traffic-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ftp-traffic (2 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 traffic-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain gre-traffic (2 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 traffic-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain radio-traffic (2 references)
    pkts      bytes target     prot opt in     out     source               destination
  408996 194726402 traffic-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ssh-traffic (2 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 traffic-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain traffic-output (7 references)
    pkts      bytes target     prot opt in     out     source               destination

Chain udp-traffic (2 references)
    pkts      bytes target     prot opt in     out     source               destination
 1350406 162003135 traffic-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain www-traffic (2 references)
    pkts      bytes target     prot opt in     out     source               destination
12463549 7238997771 traffic-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

When I remove traffic-output then every chain at the bottom looks like the traffic-output in the example above (there is an empty line, without even a 0).


#10 2013-09-05 22:29:20

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: [SOLVED] iptables chain's bytes counting problem

Maybe you can explain to us again what you want to achieve.
If you only want to see the packets and bytes for the types of traffic, there is no need for any extra chain - is there? Why do you use them?

iptables -F
iptables -X
iptables -A INPUT -p tcp --sport 80 -j ACCEPT -m comment --comment "traffic-http"
iptables -A INPUT -p tcp --sport 22 -j ACCEPT -m comment --comment "traffic-ssh"
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "traffic-http"
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT -m comment --comment "traffic-ssh"
iptables -A OUTPUT -p tcp -j ACCEPT -m comment --comment "traffic-rest"
$ sudo iptables -nvL | grep traffic
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 /* traffic-http */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22 /* traffic-ssh */
  486 66600 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* traffic-http */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* traffic-ssh */
   11  1647 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* traffic-rest */

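A parser for `iptables -nvL` output (added example, not code from the thread or the linked scripts) that serves both the chain-based counting in #9 and the comment-labelled rules in #10. It reads whole "Chain ..." sections instead of `grep -A 2 | tail -n 1`, so an empty chain such as the rule-less traffic-output yields 0 rather than the word "bytes" from the header line. The sample output is constructed in the same layout as the listings above and assumes `-x` (exact counters, no K/M/G suffixes).

```python
# Added example (not from the thread): parse `iptables -nvxL` into per-chain counters.
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")
COMMENT_RE = re.compile(r"/\* (.*?) \*/")

def parse_nvl(text):
    """Return {chain: [(pkts, bytes, target, comment), ...]}; empty chains map to []."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        fields = line.split()
        if current is None or not fields or fields[0] == "pkts":
            continue                      # blank line or the "pkts bytes target ..." header
        cm = COMMENT_RE.search(line)
        chains[current].append((int(fields[0]), int(fields[1]), fields[2],
                                cm.group(1) if cm else None))
    return chains

def chain_bytes(text, chain):
    """Bytes of the first rule in `chain` (the -j traffic-output rule); 0 if empty/missing."""
    rules = parse_nvl(text).get(chain, [])
    return rules[0][1] if rules else 0

def comment_bytes(text):
    """Bytes per --comment label (the #10 variant), summed across all chains."""
    totals = {}
    for rules in parse_nvl(text).values():
        for _, nbytes, _, comment in rules:
            if comment:
                totals[comment] = totals.get(comment, 0) + nbytes
    return totals

# Constructed sample in the layout of `iptables -nvxL` (numbers are made up).
SAMPLE = """\
Chain INPUT (policy ACCEPT 22 packets, 1234 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      22       1234 all-traffic  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       3        160 ssh-traffic  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
     486      66600 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* traffic-http */

Chain ssh-traffic (2 references)
    pkts      bytes target     prot opt in     out     source               destination
       3        160 traffic-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain traffic-output (7 references)
    pkts      bytes target     prot opt in     out     source               destination
"""
```

Feed it the saved listing (`iptables -nvxL > tmpfile`) and call `chain_bytes(text, "all-traffic")` in place of the grep/tail/awk pipeline.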

#11 2013-09-06 10:20:17

koralgolek
Member
Registered: 2010-07-27
Posts: 23

Re: [SOLVED] iptables chain's bytes counting problem

I tried to connect rrdtool with iptables. I was referred to this site http://www.hilands.com/os-linux-serverstats.html from where I got scripts to obtain numbers from iptables' chains.


#12 2013-09-06 18:30:07

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: [SOLVED] iptables chain's bytes counting problem

Interesting. Well, both work generally, but they have built that tool on the rules you set up. The marking according to the texts "www-traffic" etc. would not be necessary (the tool could just parse the log lines with the correct --sport and --dport params for that). But the question that matters (for a server) behind it is which way of processing the rules is most efficient for the machine. Yet that's maybe negligible for such simple rules. Have fun setting it up.
