[plug] IPtables non-local packet counters?

Andrew Furey andrew.furey at gmail.com
Wed Feb 24 02:57:06 UTC 2016

Hi all, long time no post...

I have an existing Linux firewall router with two network interfaces - eth0
(LAN) and eth1 (public IP). I'm using iptables rules to divert all traffic
to a "traffic" chain, and then rules like the following:

iptables -A traffic -i eth0 -s
iptables -A traffic -o eth0 -d

I can then do "iptables -L traffic -v -x -n -Z" to get figures for packet
and byte count on those matching rules, which I then parse and script to
get data files for MRTG to read.

End result, I get an MRTG graph for bidirectional network traffic for I can also add other rules with more specific iptables flags,
combining multiple rules, etc to get any traffic graph I want. All so far
so good for the last 7-odd years.

Now the tricky bit; the powers that be are planning to replace the custom
machine with Fortigate routers (90Ds in HA mode, if it matters). I've
already logged a support ticket with Fortinet and confirmed that their
system has no way to get those sorts of stats other than a simple
total-data-on-network-interface count (largely due to all of their rules
needing to have a target, so it can't just pass through for incrementing
stats alone).

I was hoping to set up a separate machine listening to the traffic, just
for the stats side. I've set up port mirroring on the switch, to mirror the
router's LAN port into an unused network port on another, and by turning
promiscuous mode on I can see the traffic in tcpdump, iftop, ifconfig
counters, etc.

HOWEVER it doesn't hit any iptables rules that I've tried; a thread on
netfilter-devel seems to indicate that it's because it's not actually
routing THROUGH the machine (
In that vein I was also trying fancy things with the TEE target etc, but
still no luck.

Has anyone ever done this before? If there's a simple method to get the
numbers another way, I'm all ears (the parsing of figures for MRTG is a
custom script of mine so I can do most anything), but I don't think
analysing PCAP files every 5 minutes will be very productive. Nor did I
really want to lose 50+ occasionally-very-useful graphs...


Linux supports the notion of a command line or a shell for the same
reason that only children read books with only pictures in them.
Language, be it English or something else, is the only tool flexible
enough to accomplish a sufficiently broad range of tasks.
                          -- Bill Garrett
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.plug.org.au/pipermail/plug/attachments/20160224/da4ab52f/attachment.html>

More information about the plug mailing list