[plug] Iptables log/count all NAT packets in stream

Tim weirdit at gmail.com
Sun Oct 11 21:45:13 WST 2009


I'm attempting to use iptables to count data being natted through a box.

I was going to try something in the NAT PREROUTING chain until I discovered
that packets only hit that if they are the first of a stream. I read a
bit more and FORWARD seemed the likely choice, but it too seems to
only log the first packet of a connection. My rules are as follows.

# Dedicated chain so the counters are easy to read and zero on their own
iptables -N ACCOUNTING
# filter-table FORWARD chain: every forwarded packet traverses it, so the
# ACCOUNTING counters grow with each packet of a natted connection
iptables -I FORWARD 1 -j ACCOUNTING
# Hostname is resolved once, when the rule is inserted (one rule per address
# it resolves to); it is not re-resolved later
iptables -A ACCOUNTING -s ftp.iinet.net.au -j RETURN
iptables -A ACCOUNTING -d ftp.iinet.net.au -j RETURN
# Per-host counters: the -s rule counts bytes the host sent, the -d rule
# counts bytes it received. Order matters: a packet is credited to the first
# matching rule and then RETURNs.
iptables -A ACCOUNTING -s ipaddress1 -j RETURN
iptables -A ACCOUNTING -d ipaddress1 -j RETURN
iptables -A ACCOUNTING -s ipaddress2 -j RETURN
iptables -A ACCOUNTING -d ipaddress2 -j RETURN


Basically, the idea is to count all packets to and from each machine
(with packets to or from iinet being caught by the first filter).
Only problem is that it seems to only count the first packet of a
connection. Any ideas where I need rules so that each packet in a
natted connection goes through the rules? Once a connection is
established and natted, I understand that it assumes all other packets
will match the rules that the first one matched. Does this mean I
can't get any packet/byte counter for these packets, and they basically
just skip the whole iptables tables?
If this is the case, I can see why using something like a captive
portal makes lots of sense!

Thanks

Tim

-- 
Timothy White - Somewhere in Australia
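Reading the counters back out of an accounting chain like the one above, as an added example that is not code from the original post. The filter-table FORWARD chain (and any chain it jumps to) is traversed by every forwarded packet; only the nat table is skipped after the first packet of a connection, so the per-rule packet and byte counters shown by `iptables -nvxL ACCOUNTING` grow with every packet. The script parses that listing and totals sent and received bytes per host. The chain output below is a constructed sample, and the addresses in it are assumptions for the example, not the poster's real hosts.

```python
"""Sum per-host byte counters from `iptables -nvxL ACCOUNTING` output.

Added example, not code from the original post. Assumes the chain holds
`-s host -j RETURN` / `-d host -j RETURN` rule pairs as in the post.
"""
from collections import defaultdict

# Constructed sample of `iptables -nvxL ACCOUNTING` (-x gives exact numbers,
# -n gives numeric addresses). Addresses are assumptions for the example.
SAMPLE_OUTPUT = """\
Chain ACCOUNTING (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    3120   4201333 RETURN     all  --  *      *       203.0.113.10         0.0.0.0/0
    2210    118900 RETURN     all  --  *      *       0.0.0.0/0            203.0.113.10
     812     61200 RETURN     all  --  *      *       192.168.1.20         0.0.0.0/0
    1430   1905544 RETURN     all  --  *      *       0.0.0.0/0            192.168.1.20
     100      8000 RETURN     all  --  *      *       192.168.1.21         0.0.0.0/0
     240    310000 RETURN     all  --  *      *       0.0.0.0/0            192.168.1.21
"""

ANY = "0.0.0.0/0"

# iptables abbreviates counters with K/M/G (powers of 1000) when -x is omitted
_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}


def counter_to_int(field):
    """'4201333' -> 4201333, '4201K' -> 4201000 (iptables uses 1000, not 1024)."""
    if field[-1] in _SUFFIX:
        return int(field[:-1]) * _SUFFIX[field[-1]]
    return int(field)


def parse_counters(listing):
    """Return {host: {"out_pkts", "out_bytes", "in_pkts", "in_bytes"}}.

    Columns of `iptables -nvxL` are: pkts bytes target prot opt in out
    source destination. A rule with a specific source counts what that host
    sent; a rule with a specific destination counts what it received.
    Because each rule RETURNs, a packet between two listed hosts is credited
    only to the earlier pair of rules (the post relies on this to keep the
    iinet traffic out of the per-host totals).
    """
    totals = defaultdict(lambda: {"out_pkts": 0, "out_bytes": 0,
                                  "in_pkts": 0, "in_bytes": 0})
    for line in listing.splitlines():
        fields = line.split()
        # Skip the "Chain ..." line and the column header
        if len(fields) < 9 or not fields[0][0].isdigit():
            continue
        pkts, nbytes = counter_to_int(fields[0]), counter_to_int(fields[1])
        src, dst = fields[7], fields[8]
        if src != ANY:
            totals[src]["out_pkts"] += pkts
            totals[src]["out_bytes"] += nbytes
        elif dst != ANY:
            totals[dst]["in_pkts"] += pkts
            totals[dst]["in_bytes"] += nbytes
    return dict(totals)


def total_bytes(counters):
    """All bytes credited to any host, both directions."""
    return sum(c["in_bytes"] + c["out_bytes"] for c in counters.values())


def report(counters):
    """One line per host, both directions, for a quick eyeball check."""
    lines = []
    for host in sorted(counters):
        c = counters[host]
        lines.append("%-16s sent %10d B / %6d pkts   received %10d B / %6d pkts"
                     % (host, c["out_bytes"], c["out_pkts"],
                        c["in_bytes"], c["in_pkts"]))
    return "\n".join(lines)


if __name__ == "__main__":
    # On a real box: iptables -nvxL ACCOUNTING | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    print(report(parse_counters(text)))
```

To take periodic samples, read and zero the chain in one call (`iptables -nvxL ACCOUNTING -Z`) so no packets fall between the read and the reset; the counters are per rule, so a packet that matched the iinet rule is never also counted on a later per-host rule.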


