[plug] IPtables non-local packet counters?

Balasubramaniam Natarajan bala150985 at gmail.com
Wed Feb 24 05:40:22 UTC 2016

Hi Andrew,

Shouldn't xplico or netflow do the trick, since you are using a separate
machine for listening to the traffic?

On Wed, Feb 24, 2016 at 8:27 AM, Andrew Furey <andrew.furey at gmail.com>

> Hi all, long time no post...
> I have an existing Linux firewall router with two network interfaces -
> eth0 (LAN) and eth1 (public IP). I'm using iptables rules to divert all
> traffic to a "traffic" chain, and then rules like the following:
> iptables -A traffic -i eth0 -s
> iptables -A traffic -o eth0 -d
> I can then do "iptables -L traffic -v -x -n -Z" to get figures for packet
> and byte count on those matching rules, which I then parse and script to
> get data files for MRTG to read.
> End result, I get an MRTG graph for bidirectional network traffic for
> I can also add other rules with more specific iptables flags,
> combining multiple rules, etc to get any traffic graph I want. All so far
> so good for the last 7-odd years.
> Now the tricky bit; the powers that be are planning to replace the custom
> machine with Fortigate routers (90Ds in HA mode, if it matters). I've
> already logged a support ticket with Fortinet and confirmed that their
> system has no way to get those sorts of stats other than a simple
> total-data-on-network-interface count (largely due to all of their rules
> needing to have a target, so it can't just pass through for incrementing
> stats alone).
> I was hoping to set up a separate machine listening to the traffic, just
> for the stats side. I've set up port mirroring on the switch, to mirror the
> router's LAN port into an unused network port on another, and by turning
> promiscuous mode on I can see the traffic in tcpdump, iftop, ifconfig
> counters, etc.
> HOWEVER it doesn't hit any iptables rules that I've tried; a thread on
> netfilter-devel seems to indicate that it's because it's not actually
> routing THROUGH the machine (
> http://osdir.com/ml/security.firewalls.netfilter.devel/2002-11/msg00160.html).
> In that vein I was also trying fancy things with the TEE target etc, but
> still no luck.
> Has anyone ever done this before? If there's a simple method to get the
> numbers another way, I'm all ears (the parsing of figures for MRTG is a
> custom script of mine so I can do most anything), but I don't think
> analysing PCAP files every 5 minutes will be very productive. Nor did I
> really want to lose 50+ occasionally-very-useful graphs...
> Andrew
> --
> Linux supports the notion of a command line or a shell for the same
> reason that only children read books with only pictures in them.
> Language, be it English or something else, is the only tool flexible
> enough to accomplish a sufficiently broad range of tasks.
>                           -- Bill Garrett
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://lists.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.org.au
> PLUG Membership: http://www.plug.org.au/membership

Balasubramaniam Natarajan
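Added example, not code from the original post: a parser for the `iptables -L traffic -v -x -n` output Andrew describes, which copes with the counting-only rules whose blank target column shifts the fields, pairs the `-s`/`-d` rules of one LAN host, and emits the four-line format an MRTG external script returns. The sample output, addresses and interface names below are constructed.

```python
from dataclasses import dataclass

# Constructed sample of `iptables -L traffic -v -x -n` output (not captured from any
# real router). Counting-only rules have no target, so their "target" column is blank.
SAMPLE = """\
Chain traffic (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    1500    1234567            all  --  eth0   *       192.168.1.10         0.0.0.0/0
    2300    9876543            all  --  *      eth0    0.0.0.0/0            192.168.1.10
     120      45678            all  --  eth0   *       192.168.1.20         0.0.0.0/0
     300     456789 ACCEPT     all  --  *      eth0    0.0.0.0/0            192.168.1.20
"""

@dataclass
class RuleCounter:
    pkts: int
    nbytes: int
    target: str
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str

def parse_counters(text):
    """Parse `iptables -L <chain> -v -x -n` output into RuleCounter objects."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        # Skip the chain header and the column header; data lines start with the packet count.
        if len(f) < 8 or not f[0].isdigit():
            continue
        rest = f[2:]
        # The "opt" column ("--", or "-f"/"!f" for fragment matches) always follows "prot".
        # If it shows up at rest[1], the target column was empty and every field shifted left.
        if rest[1] in ("--", "-f", "!f"):
            target = ""
        else:
            target, rest = rest[0], rest[1:]
        proto, _opt, in_if, out_if, src, dst = rest[:6]
        rules.append(RuleCounter(int(f[0]), int(f[1]), target, proto, in_if, out_if, src, dst))
    return rules

def host_bytes(rules, host, lan_if="eth0"):
    """Pair the `-i lan_if -s host` and `-o lan_if -d host` rules of one LAN host.
    Returns (bytes_from_host, bytes_to_host); a missing rule counts as 0."""
    from_host = sum(r.nbytes for r in rules if r.in_if == lan_if and r.src == host)
    to_host = sum(r.nbytes for r in rules if r.out_if == lan_if and r.dst == host)
    return from_host, to_host

def mrtg_output(rules, host, name=None):
    """Four lines an MRTG external script prints: in, out, uptime, name. Here "in" is
    bytes delivered to the host and "out" bytes sent by it. Because the counters are read
    with -Z (zeroed on read), each value is a per-interval delta, not a cumulative total."""
    from_host, to_host = host_bytes(rules, host)
    return f"{to_host}\n{from_host}\n\n{name or host}\n"
```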