[plug] IP Accounting

Matt Kemner zombie at wasp.net.au
Thu Mar 30 12:45:08 WST 2000


On Thu, 30 Mar 2000, Brad Campbell wrote:

> I'm looking for pointers to info on IP packet accounting for
> Linux, i.e. I want to add accounting to my masq/dialup box so I
> can look at traffic flows from/to the outside world (ppp0) and
> the individual machines on my network (eth0).
> I have found nothing as yet, can someone point me at a FAQ
> or something along those lines..
> 
> I think what I really need is a Cisco router,

No you don't. :)

"It's a router, not an accountant" -- Martin Davis, Paradox Digital

With Linux you can do so much more.

If you can set up a Firewall, you can set up accounting - each ipchain
rule has a counter attached to it.

E.g. if you want to count all traffic to/from 192.168.1.0/24 your firewall
would contain:

ipchains -A input -s 192.168.1.0/24 -j RETURN
ipchains -A output -d 192.168.1.0/24 -j RETURN

If you want to get more complex you can add a chain each for in and out
such as this script, which I use to count all traffic to one of our
customers - They have a host on our network and a subnet routed to them
 - since I want to count traffic to both, I do the following:

#!/bin/bash
#
# Main Rules
ipchains -N webtec-o
ipchains -N webtec-i
ipchains -F input
ipchains -F output 

ipchains -A input -d 202.61.164.128/25 -j webtec-o
ipchains -A input -s 202.61.164.128/25 -j webtec-i
ipchains -A input -d 202.61.164.84 -j webtec-o
ipchains -A input -s 202.61.164.84 -j webtec-i

# WebTec
ipchains -F webtec-o
ipchains -F webtec-i
ipchains -A webtec-o -s 0/0 -d 0/0 -j RETURN
ipchains -A webtec-i -s 0/0 -d 0/0 -j RETURN

so all traffic for the host (.168.84) and the subnet (.164.128/25) gets
sent to the webtec-i or webtec-o chain, where I just have a rule matching
everything sent to that chain.

Then to read the counters, you run:

ipchains -vxnL webtec-o # for traffic TO Webtec
ipchains -vxnL webtec-i # for traffic FROM Webtec

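Then, if you put that in a script that does, e.g.:

#!/usr/bin/perl
# Output for mrtg, one value per line: the two counters, uptime, hostname.
# The rule line is the one matching 0.0.0.0; cut takes the counter from
# character columns 9-19 and tr strips the padding spaces.
$in=`ipchains -vxnL webtec-o|grep 0.0.0.0|cut -c9-19|tr -d " "`;
$out=`ipchains -vxnL webtec-i|grep 0.0.0.0|cut -c9-19|tr -d " "`;
$uptime=`uptime|cut -c13-28`;
# Backtick output keeps its trailing newline, so no "\n" is added here.
print "$in";
print "$out";
print "$uptime";
print "`hostname`\n";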

then you can call that script from within mrtg to draw pretty graphs. :)

 - Matt

P.S. yes I know the above script is better off in bash than in perl, but I
     do more with the counters than just pass them to mrtg. :)
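
An added example, not part of the original post: a reader for the same counters that splits the listing into whitespace-separated fields and prints the four lines mrtg expects. The sample listings are constructed, with the column layout of `ipchains -vxnL` assumed and its spacing compressed; the function names chain_bytes and mrtg_report and the host name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post).

# Sum the byte counters of every rule in an `ipchains -vxnL <chain>` listing
# read from stdin. Fields are split on whitespace, so column widths do not
# matter. Rule lines are those whose first two fields (pkts, bytes) are both
# numeric; the "Chain ..." line and the column-header line are skipped.
chain_bytes() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ { total += $2 }
         END { printf "%.0f\n", total + 0 }'
}

# Print the four lines mrtg expects from an external script:
# first counter, second counter, uptime string, target name.
mrtg_report() {   # args: listing-to listing-from uptime name
    printf '%s\n' "$1" | chain_bytes
    printf '%s\n' "$2" | chain_bytes
    printf '%s\n%s\n' "$3" "$4"
}

# Constructed sample listings (assumed layout, spacing compressed).
HDR=' pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports'
SAMPLE_TO="Chain webtec-o (refcnt = 2):
$HDR
 81234 104857600123 RETURN all ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a"
SAMPLE_FROM="Chain webtec-i (refcnt = 2):
$HDR
 5100 7000000 RETURN all ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
 410 340032 RETURN all ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a"

# On the accounting box the listings would come from the commands in the post:
#   mrtg_report "$(ipchains -vxnL webtec-o)" "$(ipchains -vxnL webtec-i)" \
#               "$(uptime)" "$(hostname)"
mrtg_report "$SAMPLE_TO" "$SAMPLE_FROM" "3 days, 4:05" "gw.example.net"
```

Summing every rule line means a chain with more than one counting rule still yields a single figure per direction.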



