[plug] IPtables non-local packet counters?

Euan euan at dekock.net
Thu Feb 25 03:28:01 UTC 2016


I'll dig around to see if I still have some code. I wrote a program years ago to analyse netflow stats for pretty much the same purpose.

Regards,

Euan

On 25 February 2016 10:09:42 am AWST, Andrew Furey <andrew.furey at gmail.com> wrote:
>Hmm, I can probably get what I need with netflow, which I'll do with a
>dedicated VM rather than a physical (which already does other stuff).
>Looks like I'll have to reimplement the grab-stats-from-raw-numbers by
>hand though, as it'll be different to the simple iptables counter method
>from all of the others. What overkill...
>
>Anyone have any cheat sheets in that regard? I remember doing a little
>bit of netflow stuff years ago (hi Jeremy).
>
>Andrew
>
>On 24 February 2016 at 13:40, Balasubramaniam Natarajan
><bala150985 at gmail.com> wrote:
>
>> Hi Andrew,
>>
>> Shouldn't xplico or netflow do the trick since you are using a
>> separate machine for listening to the traffic?
>>
>> On Wed, Feb 24, 2016 at 8:27 AM, Andrew Furey
>> <andrew.furey at gmail.com> wrote:
>>
>>> Hi all, long time no post...
>>>
>>> I have an existing Linux firewall router with two network interfaces -
>>> eth0 (LAN) and eth1 (public IP). I'm using iptables rules to divert all
>>> traffic to a "traffic" chain, and then rules like the following:
>>>
>>> iptables -A traffic -i eth0 -s 192.168.0.1
>>> iptables -A traffic -o eth0 -d 192.168.0.1
>>>
>>> I can then do "iptables -L traffic -v -x -n -Z" to get figures for
>>> packet and byte count on those matching rules, which I then parse and
>>> script to get data files for MRTG to read.
>>>
>>> End result, I get an MRTG graph for bidirectional network traffic for
>>> 192.168.0.1. I can also add other rules with more specific iptables
>>> flags, combining multiple rules, etc to get any traffic graph I want.
>>> All so far so good for the last 7-odd years.
>>>
>>> Now the tricky bit; the powers that be are planning to replace the
>>> custom machine with Fortigate routers (90Ds in HA mode, if it matters).
>>> I've already logged a support ticket with Fortinet and confirmed that
>>> their system has no way to get those sorts of stats other than a simple
>>> total-data-on-network-interface count (largely due to all of their
>>> rules needing to have a target, so it can't just pass through for
>>> incrementing stats alone).
>>>
>>> I was hoping to set up a separate machine listening to the traffic,
>>> just for the stats side. I've set up port mirroring on the switch, to
>>> mirror the router's LAN port into an unused network port on another,
>>> and by turning promiscuous mode on I can see the traffic in tcpdump,
>>> iftop, ifconfig counters, etc.
>>>
>>> HOWEVER it doesn't hit any iptables rules that I've tried; a thread on
>>> netfilter-devel seems to indicate that it's because it's not actually
>>> routing THROUGH the machine
>>> (http://osdir.com/ml/security.firewalls.netfilter.devel/2002-11/msg00160.html).
>>> In that vein I was also trying fancy things with the TEE target etc,
>>> but still no luck.
>>>
>>> Has anyone ever done this before? If there's a simple method to get
>>> the numbers another way, I'm all ears (the parsing of figures for MRTG
>>> is a custom script of mine so I can do most anything), but I don't
>>> think analysing PCAP files every 5 minutes will be very productive. Nor
>>> did I really want to lose 50+ occasionally-very-useful graphs...
>>>
>>> TIA
>>> Andrew
>>>
>>> --
>>> Linux supports the notion of a command line or a shell for the same
>>> reason that only children read books with only pictures in them.
>>> Language, be it English or something else, is the only tool flexible
>>> enough to accomplish a sufficiently broad range of tasks.
>>>                           -- Bill Garrett
>>>
>>> _______________________________________________
>>> PLUG discussion list: plug at plug.org.au
>>> http://lists.plug.org.au/mailman/listinfo/plug
>>> Committee e-mail: committee at plug.org.au
>>> PLUG Membership: http://www.plug.org.au/membership
>>>
>>
>>
>>
>> --
>> Regards,
>> Balasubramaniam Natarajan
>> http://blog.etutorshop.com
>> https://www.youracclaim.com/user/balasubramaniam-natarajan
>>
>
>
>
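The counter-parsing step Andrew describes (reading "iptables -L traffic -v -x -n -Z" and turning each rule's packet and byte counts into the in/out figures MRTG reads), as an added example that is not part of this thread or anyone's script on it. The chain output below is constructed; the parser assumes the blank target column of counter-only rules and the LAN interface name eth0 from the original post.

```python
# Parse "iptables -L traffic -v -x -n" output into per-host byte counters
# for MRTG.  Added example; the SAMPLE chain output below is constructed.

# Values seen in the "opt" column.  They anchor the columns, because the
# "target" column is blank for the counter-only rules in the traffic chain.
OPT_VALUES = {"--", "f", "!f"}

SAMPLE = """\
Chain traffic (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    1534    1203456            all  --  eth0   *       192.168.0.1          0.0.0.0/0
    2871    3988120            all  --  *      eth0    0.0.0.0/0            192.168.0.1
     420      51200            tcp  --  eth0   *       192.168.0.7          0.0.0.0/0            tcp dpt:443
       0          0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

def parse_chain(text):
    """Return one dict per rule line (header lines skipped) with the
    counters, target, interfaces, addresses and any trailing match text."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 8 or not toks[0].isdigit():
            continue
        if toks[3] in OPT_VALUES:      # pkts bytes prot opt in out src dst ...
            target, rest = "", toks[2:]
        else:                          # pkts bytes target prot opt in out src dst ...
            target, rest = toks[2], toks[3:]
        rules.append({"pkts": int(toks[0]), "bytes": int(toks[1]), "target": target,
                      "in": rest[2], "out": rest[3], "src": rest[4], "dst": rest[5],
                      "match": " ".join(rest[6:])})
    return rules

def host_bytes(rules, host, lan_if="eth0", match=""):
    """Return (in, out) bytes for one LAN host.  "-i eth0 -s host" rules count
    what the host sends (MRTG out); "-o eth0 -d host" rules what it receives
    (MRTG in).  With -Z on the iptables call these are per-interval deltas."""
    inb = outb = 0
    for r in rules:
        if r["match"] != match:        # keep port-specific rules out of the plain total
            continue
        if r["in"] == lan_if and r["src"] == host:
            outb += r["bytes"]
        elif r["out"] == lan_if and r["dst"] == host:
            inb += r["bytes"]
    return inb, outb

def mrtg_lines(rules, host, match=""):
    """The four lines MRTG reads from an external script: in, out, uptime, name."""
    inb, outb = host_bytes(rules, host, match=match)
    return [str(inb), str(outb), "n/a", host]
```

This only counts packets that actually traverse the box, which is the limitation the netfilter-devel thread cited above describes: traffic seen only through a mirror port never enters the forwarding path, so a mirror-fed stats host needs a capture-based source such as NetFlow instead.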