[plug] IPtables non-local packet counters?

Andrew Furey andrew.furey at gmail.com
Thu Feb 25 02:09:42 UTC 2016


Hmm, I can probably get what I need with netflow, which I'll do with a
dedicated VM rather than a physical (which already does other stuff). Looks
like I'll have to reimplement the grab-stats-from-raw-numbers by hand
though, as it'll be different to the simple iptables counter method from
all of the others. What overkill...

Anyone have any cheat sheets in that regard? I remember doing a little bit
of netflow stuff years ago (hi Jeremy).

Andrew

On 24 February 2016 at 13:40, Balasubramaniam Natarajan <bala150985 at gmail.com> wrote:

> Hi Andrew,
>
> Shouldn't xplico or netflow do the trick since you are using a separate
> machine for listening to the traffic ?
>
> On Wed, Feb 24, 2016 at 8:27 AM, Andrew Furey <andrew.furey at gmail.com>
> wrote:
>
>> Hi all, long time no post...
>>
>> I have an existing Linux firewall router with two network interfaces -
>> eth0 (LAN) and eth1 (public IP). I'm using iptables rules to divert all
>> traffic to a "traffic" chain, and then rules like the following:
>>
>> iptables -A traffic -i eth0 -s 192.168.0.1
>> iptables -A traffic -o eth0 -d 192.168.0.1
>>
>> I can then do "iptables -L traffic -v -x -n -Z" to get figures for packet
>> and byte count on those matching rules, which I then parse and script to
>> get data files for MRTG to read.
>>
>> End result, I get an MRTG graph for bidirectional network traffic for
>> 192.168.0.1. I can also add other rules with more specific iptables flags,
>> combining multiple rules, etc to get any traffic graph I want. All so far
>> so good for the last 7-odd years.
>>
>> Now the tricky bit; the powers that be are planning to replace the custom
>> machine with Fortigate routers (90Ds in HA mode, if it matters). I've
>> already logged a support ticket with Fortinet and confirmed that their
>> system has no way to get those sorts of stats other than a simple
>> total-data-on-network-interface count (largely due to all of their rules
>> needing to have a target, so it can't just pass through for incrementing
>> stats alone).
>>
>> I was hoping to set up a separate machine listening to the traffic, just
>> for the stats side. I've set up port mirroring on the switch, to mirror the
>> router's LAN port into an unused network port on another, and by turning
>> promiscuous mode on I can see the traffic in tcpdump, iftop, ifconfig
>> counters, etc.
>>
>> HOWEVER it doesn't hit any iptables rules that I've tried; a thread on
>> netfilter-devel seems to indicate that it's because it's not actually
>> routing THROUGH the machine (
>> http://osdir.com/ml/security.firewalls.netfilter.devel/2002-11/msg00160.html).
>> In that vein I was also trying fancy things with the TEE target etc, but
>> still no luck.
>>
>> Has anyone ever done this before? If there's a simple method to get the
>> numbers another way, I'm all ears (the parsing of figures for MRTG is a
>> custom script of mine so I can do most anything), but I don't think
>> analysing PCAP files every 5 minutes will be very productive. Nor did I
>> really want to lose 50+ occasionally-very-useful graphs...
>>
>> TIA
>> Andrew
>>
>> --
>> Linux supports the notion of a command line or a shell for the same
>> reason that only children read books with only pictures in them.
>> Language, be it English or something else, is the only tool flexible
>> enough to accomplish a sufficiently broad range of tasks.
>>                           -- Bill Garrett
>>
>> _______________________________________________
>> PLUG discussion list: plug at plug.org.au
>> http://lists.plug.org.au/mailman/listinfo/plug
>> Committee e-mail: committee at plug.org.au
>> PLUG Membership: http://www.plug.org.au/membership
>>
>
>
>
> --
> Regards,
> Balasubramaniam Natarajan
> http://blog.etutorshop.com
> https://www.youracclaim.com/user/balasubramaniam-natarajan
>



-- 
Linux supports the notion of a command line or a shell for the same
reason that only children read books with only pictures in them.
Language, be it English or something else, is the only tool flexible
enough to accomplish a sufficiently broad range of tasks.
                          -- Bill Garrett
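As an added example, not code from the thread or from any of its participants, the script below does the per-host byte accounting the thread describes from both sources: it parses the counters listed by "iptables -L traffic -v -x -n -Z" under the rule convention in the original post (-i eth0 -s HOST for what a host sends, -o eth0 -d HOST for what it receives), parses NetFlow v5 export datagrams for the replacement setup, and emits the four lines an MRTG external script is expected to print. eth0 as the LAN interface comes from the thread; the LAN prefix 192.168.0.0/24, the sample chain listing and the sample flows are constructed for the example.

```python
"""Per-host byte accounting from the two sources discussed in the thread:
the 'iptables -L traffic -v -x -n -Z' listing, and NetFlow v5 export
datagrams.  Sample inputs below are constructed, not captured."""
import ipaddress
import re
import socket
import struct
from collections import defaultdict

LAN_IF = "eth0"                                     # LAN side, as in the thread
LAN_NET = ipaddress.IPv4Network("192.168.0.0/24")   # assumed LAN prefix

# One rule line of 'iptables -L <chain> -v -x -n'.  Pure counting rules have
# an empty target column, so that column is optional; extra match text
# after the destination (e.g. "tcp dpt:443") is ignored.
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?:(?P<target>\S+)\s+)?"
    r"(?P<prot>\S+)\s+(?P<opt>[-!][-f])\s+(?P<in>\S+)\s+(?P<out>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)"
)


def counters_from_iptables(listing):
    """Return {host: {"in": bytes, "out": bytes}}.  Following the rule
    convention in the thread, '-i eth0 -s HOST' counts what the host sends
    and '-o eth0 -d HOST' counts what is delivered to it."""
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue                                # chain header / column header
        nbytes = int(m.group("bytes"))
        if m.group("in") == LAN_IF and m.group("src") != "0.0.0.0/0":
            totals[m.group("src")]["out"] += nbytes
        elif m.group("out") == LAN_IF and m.group("dst") != "0.0.0.0/0":
            totals[m.group("dst")]["in"] += nbytes
    return dict(totals)


# NetFlow v5 wire format: 24-byte header, then 'count' 48-byte records.
NF5_HEADER = struct.Struct("!HHIIIIBBH")
NF5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def counters_from_netflow(datagram, lan_net=LAN_NET):
    """Aggregate dOctets per LAN host from one exported datagram.  Flows
    sourced inside lan_net count as that host's 'out', flows addressed to
    it as 'in'; everything else is ignored."""
    version, count = NF5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("expected NetFlow v5, got version %d" % version)
    if len(datagram) < NF5_HEADER.size + count * NF5_RECORD.size:
        raise ValueError("truncated datagram")      # never trust 'count' blindly
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for i in range(count):
        rec = NF5_RECORD.unpack_from(datagram, NF5_HEADER.size + i * NF5_RECORD.size)
        src, dst = ipaddress.IPv4Address(rec[0]), ipaddress.IPv4Address(rec[1])
        octets = rec[6]
        if src in lan_net:
            totals[str(src)]["out"] += octets
        if dst in lan_net:
            totals[str(dst)]["in"] += octets
    return dict(totals)


def build_nf5_datagram(flows):
    """Constructed exporter output for (src, dst, octets) triples; only the
    fields this script reads are filled in."""
    header = NF5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    records = b"".join(
        NF5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4,
                        0, 0, 1, octets, 0, 0, 0, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0)
        for s, d, octets in flows)
    return header + records


def mrtg_lines(host, totals, uptime="unknown"):
    """The four lines an MRTG external script prints: in, out, uptime, name."""
    t = totals.get(host, {"in": 0, "out": 0})
    return [str(t["in"]), str(t["out"]), uptime, host]


# Constructed sample data.
SAMPLE_LISTING = """\
Chain traffic (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    1200    1536000            all  --  eth0   *       192.168.0.1          0.0.0.0/0
    3400    4812000            all  --  *      eth0    0.0.0.0/0            192.168.0.1
      50      60000            tcp  --  eth0   *       192.168.0.2          0.0.0.0/0            tcp dpt:443
"""
SAMPLE_FLOWS = [("192.168.0.1", "203.0.113.5", 1000),
                ("203.0.113.5", "192.168.0.1", 5000),
                ("192.168.0.2", "198.51.100.9", 300)]

if __name__ == "__main__":
    for source in (counters_from_iptables(SAMPLE_LISTING),
                   counters_from_netflow(build_nf5_datagram(SAMPLE_FLOWS))):
        print("\n".join(mrtg_lines("192.168.0.1", source)))
```

Two things worth keeping in mind when wiring this up. Because -Z resets the counters on every poll, both paths produce bytes per polling interval rather than ever-increasing counters, so either the MRTG target needs "Options[...]: gauge" or the script has to keep its own running totals. And since NetFlow arrives over UDP from whatever can reach the collector port, the parser checks the version and the datagram length against the header's record count before unpacking anything, instead of trusting the count field.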