[plug] Iptables and RADIUS Accounting

Ryan King communist.goatherder at gmail.com
Thu Oct 8 10:34:36 WST 2009


On Thu, Oct 8, 2009 at 11:22 AM, Tim <weirdit at gmail.com> wrote:
> I've been using CoovaChilli to build a hotspot solution. But it's not
> ideal for another situation I have.
> Basically I want to do traffic accounting. What I was thinking though,
> was it could be really easy to use iptables and radius to replace the
> coova chilli part of my existing project so most of the work can
> move into this new project. It seems like it should be really simple
> to have some sort of application that adds a rule for each ipaddress
> (or mac address maybe, not sure with iptables) and counts data. Then
> have another process that every few minutes reads the byte counter for
> each rule, send a radius accounting packet to the radius server, and
> zero the rules. In terms of the session handling, I was thinking that
> something that watches the DHCP leases file for example, (or just have
> the DHCP server call a process for each lease and expiry) to start
> each radius session and add the iptables rules and remove them later.
>
> Does anyone know of existing solutions that follow that kind of path?
> Or any other suggestions for traffic accounting into some sort of
> database (split up in particular by user based on ipaddress as I'm not
> concerned with authentication in this situation as I can rely on ip
> address or mac address)


Personally, I'd use netflow to make sure all traffic is being recorded
- but this might be overkill for your situation.  I believe you can
get an iptables netflow module to export data - something like
ipt-netflow (never used it myself - so not sure how much work it is to
set it up).  Then, use flow-tools to process the data (or the Cflow
perl module).

Netflow will give you all the information you need about which IP was
doing what and when.  Then you can tie it in with your radius records
to work out which IP belonged to which user.


Ryan
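
The correlation step suggested above (tying flow records to RADIUS accounting records to work out which user held an IP at the time), as an added example that is not part of the original post. The sample sessions and flows are constructed, and the tuple layouts and function names are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed RADIUS accounting sessions: (user, Framed-IP-Address, start, stop).
# stop=None means no Accounting-Stop has been seen yet.
SESSIONS = [
    ("alice", "10.0.0.5", "2009-10-08 09:00:00", "2009-10-08 10:00:00"),
    ("bob",   "10.0.0.5", "2009-10-08 10:05:00", None),  # same IP, later lease
    ("carol", "10.0.0.6", "2009-10-08 09:30:00", "2009-10-08 11:00:00"),
]

# Constructed flow records: (flow start, source IP, destination IP, bytes).
FLOWS = [
    ("2009-10-08 09:15:00", "10.0.0.5", "192.0.2.10", 1500),
    ("2009-10-08 09:45:00", "192.0.2.10", "10.0.0.5", 40000),
    ("2009-10-08 10:02:00", "10.0.0.5", "192.0.2.10", 700),  # between leases
    ("2009-10-08 10:30:00", "10.0.0.5", "192.0.2.20", 2500),
    ("2009-10-08 10:40:00", "10.0.0.6", "10.0.0.5", 300),    # client to client
]

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def owner_of(ip, when, sessions):
    """Return the user whose session held `ip` at time `when`, else None."""
    for user, sess_ip, start, stop in sessions:
        if sess_ip == ip and _ts(start) <= when and (stop is None or when < _ts(stop)):
            return user
    return None

def account(flows, sessions):
    """Return ({user: {'up': n, 'down': n}}, bytes matching no session)."""
    totals = defaultdict(lambda: {"up": 0, "down": 0})
    unattributed = 0
    for when, src, dst, nbytes in flows:
        t = _ts(when)
        sender, receiver = owner_of(src, t, sessions), owner_of(dst, t, sessions)
        if sender:
            totals[sender]["up"] += nbytes
        if receiver:
            totals[receiver]["down"] += nbytes
        if not sender and not receiver:
            unattributed += nbytes  # traffic from an address with no open session
    return dict(totals), unattributed

if __name__ == "__main__":
    per_user, lost = account(FLOWS, SESSIONS)
    print(per_user, "unattributed bytes:", lost)
```

Matching on IP alone would credit bob's traffic to alice once the address is re-leased, so the lookup is bounded by session start and stop times; the unattributed total is worth watching, since it is traffic from an address with no accounting session open.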


