[plug] IPtables non-local packet counters?

Andrew Furey andrew.furey at gmail.com
Fri Feb 26 07:10:20 UTC 2016


Bit of an update; looks like I can use nfcapd (flow-capture doesn't support
V9 which is all the FGs send) to write a file every 5 minutes.

Then with nfdump I can read the file as many times as I like, with the
different parameters ("src host 192.168.0.1", etc) and parse the final
Summary line to get my magic figure for that 5 minutes.

Lots more programming to come, joy... I'm still personally hoping we decide
not to go ahead with them, due to the various OTHER features we'll be
losing :-/

Andrew
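The two parsing steps the thread describes, reading the per-rule byte counters out of `iptables -L traffic -v -x -n -Z` (the original method in the quoted question) and pulling "total bytes" from the Summary line that nfdump prints (the netflow replacement above), as one added example. This is not code from the thread or from Andrew; the iptables and nfdump outputs embedded in it are constructed samples, the MRTG four-line external-script format is the real one, and the function names and the in/out direction mapping are this example's own choices.

```python
"""Turn per-host byte counters into MRTG's four-line external-script format.

Added example for the PLUG thread above; it is not code from the thread.
It handles both counter sources discussed there:
  * the output of `iptables -L traffic -v -x -n -Z` (the original method), and
  * the final "Summary:" line printed by nfdump (the netflow replacement).
The two sample outputs below are constructed, not captured from a real box.
"""
import re

# Constructed sample of `iptables -L traffic -v -x -n`.  The first two rules
# have no target (counter-only rules, as in the thread), so their "target"
# column is empty and the row has one field fewer than the ACCEPT rule.
IPTABLES_SAMPLE = """\
Chain traffic (2 references)
    pkts      bytes target     prot opt in     out     source               destination
   12345    6789012            all  --  eth0   *       192.168.0.1          0.0.0.0/0
   23456    7890123            all  --  *      eth0    0.0.0.0/0            192.168.0.1
      10        800 ACCEPT     tcp  --  eth0   *       192.168.0.2          0.0.0.0/0            tcp dpt:443
"""

# Constructed sample of the tail of an nfdump run such as
# `nfdump -r nfcapd.201602260700 'src host 192.168.0.1'`.
NFDUMP_SAMPLE = """\
Summary: total flows: 17, total bytes: 1330, total packets: 17, avg bps: 42, avg pps: 0, avg bpp: 78
Time window: 2016-02-26 07:00:00 - 2016-02-26 07:04:59
Total flows processed: 17, Blocks skipped: 0, Bytes read: 1072
"""

# Values that can appear in the "prot" column; anything else in that position
# must be a target name.
_PROTOCOLS = {"all", "tcp", "udp", "udplite", "icmp", "icmpv6", "esp", "ah", "sctp"}


def parse_iptables_rules(text):
    """Parse `iptables -L -v -x -n` output into one dict per rule."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or not fields[0].isdigit():
            continue  # "Chain ..." line, column header, or blank
        # Layout: pkts bytes [target] prot opt in out source destination [match...]
        has_target = not (fields[2] in _PROTOCOLS or fields[2].isdigit())
        p = 3 if has_target else 2  # index of the "prot" column
        rules.append({
            "pkts": int(fields[0]),
            "bytes": int(fields[1]),
            "target": fields[2] if has_target else "",
            "prot": fields[p],
            "in": fields[p + 2],
            "out": fields[p + 3],
            "src": fields[p + 4],
            "dst": fields[p + 5],
        })
    return rules


def host_counters(text, host, lan_if):
    """Return (bytes_to_host, bytes_from_host) from the two rule shapes the
    thread uses: `-i lan_if -s host` counts traffic leaving the host and
    `-o lan_if -d host` counts traffic going to it.  Missing rules count as 0."""
    to_host = from_host = 0
    for r in parse_iptables_rules(text):
        if r["in"] == lan_if and r["src"] == host:
            from_host += r["bytes"]
        elif r["out"] == lan_if and r["dst"] == host:
            to_host += r["bytes"]
    return to_host, from_host


_SUMMARY_RE = re.compile(r"^Summary:.*?total bytes:\s*(\d+)", re.M)


def nfdump_total_bytes(text):
    """Extract 'total bytes' from nfdump's Summary line; None if it is absent."""
    m = _SUMMARY_RE.search(text)
    return int(m.group(1)) if m else None


def mrtg_output(in_bytes, out_bytes, name):
    """MRTG external-script format: in, out, uptime (left blank here), name."""
    return f"{in_bytes}\n{out_bytes}\n\n{name}\n"


if __name__ == "__main__":
    to_host, from_host = host_counters(IPTABLES_SAMPLE, "192.168.0.1", "eth0")
    print(mrtg_output(to_host, from_host, "192.168.0.1 via iptables"))
    # With netflow, one nfdump run per direction ('src host' / 'dst host')
    # gives the same two figures from the Summary lines.
    print(nfdump_total_bytes(NFDUMP_SAMPLE))
```

Two practical points the code reflects: a counter-only rule has an empty target column, so splitting the line on whitespace shifts every later field by one and a parser must locate "prot" rather than assume a fixed index; and because `-Z` zeroes the counters on every read (and an nfdump run over one 5-minute file is likewise a per-interval total), the figures are deltas, not monotonic counters, so the MRTG target should be configured as a gauge rather than left to MRTG's default counter arithmetic.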

On 25 February 2016 at 11:28, Euan <euan at dekock.net> wrote:

> I'll dig around to see if I still have some code. I wrote a program years
> ago to analyse netflow stats for pretty much the same purpose.
>
> Regards,
>
> Euan
>
>
> On 25 February 2016 10:09:42 am AWST, Andrew Furey <andrew.furey at gmail.com>
> wrote:
>>
>> Hmm, I can probably get what I need with netflow, which I'll do with a
>> dedicated VM rather than a physical (which already does other stuff). Looks
>> like I'll have to reimplement the grab-stats-from-raw-numbers by hand
>> though, as it'll be different to the simple iptables counter method from
>> all of the others. What overkill...
>>
>> Anyone have any cheat sheets in that regard? I remember doing a little
>> bit of netflow stuff years ago (hi Jeremy).
>>
>> Andrew
>>
>> On 24 February 2016 at 13:40, Balasubramaniam Natarajan <
>> bala150985 at gmail.com> wrote:
>>
>>> Hi Andrew,
>>>
>>> Shouldn't xplico or netflow do the trick, since you are using a separate
>>> machine for listening to the traffic?
>>>
>>> On Wed, Feb 24, 2016 at 8:27 AM, Andrew Furey <andrew.furey at gmail.com>
>>> wrote:
>>>
>>>> Hi all, long time no post...
>>>>
>>>> I have an existing Linux firewall router with two network interfaces -
>>>> eth0 (LAN) and eth1 (public IP). I'm using iptables rules to divert all
>>>> traffic to a "traffic" chain, and then rules like the following:
>>>>
>>>> iptables -A traffic -i eth0 -s 192.168.0.1
>>>> iptables -A traffic -o eth0 -d 192.168.0.1
>>>>
>>>> I can then do "iptables -L traffic -v -x -n -Z" to get figures for
>>>> packet and byte count on those matching rules, which I then parse and
>>>> script to get data files for MRTG to read.
>>>>
>>>> End result, I get an MRTG graph for bidirectional network traffic for
>>>> 192.168.0.1. I can also add other rules with more specific iptables flags,
>>>> combining multiple rules, etc to get any traffic graph I want. All so far
>>>> so good for the last 7-odd years.
>>>>
>>>> Now the tricky bit; the powers that be are planning to replace the
>>>> custom machine with Fortigate routers (90Ds in HA mode, if it matters).
>>>> I've already logged a support ticket with Fortinet and confirmed that their
>>>> system has no way to get those sorts of stats other than a simple
>>>> total-data-on-network-interface count (largely due to all of their rules
>>>> needing to have a target, so it can't just pass through for incrementing
>>>> stats alone).
>>>>
>>>> I was hoping to set up a separate machine listening to the traffic,
>>>> just for the stats side. I've set up port mirroring on the switch, to
>>>> mirror the router's LAN port into an unused network port on another, and by
>>>> turning promiscuous mode on I can see the traffic in tcpdump, iftop,
>>>> ifconfig counters, etc.
>>>>
>>>> HOWEVER it doesn't hit any iptables rules that I've tried; a thread on
>>>> netfilter-devel seems to indicate that it's because it's not actually
>>>> routing THROUGH the machine (
>>>> http://osdir.com/ml/security.firewalls.netfilter.devel/2002-11/msg00160.html).
>>>> In that vein I was also trying fancy things with the TEE target etc, but
>>>> still no luck.
>>>>
>>>> Has anyone ever done this before? If there's a simple method to get the
>>>> numbers another way, I'm all ears (the parsing of figures for MRTG is a
>>>> custom script of mine so I can do most anything), but I don't think
>>>> analysing PCAP files every 5 minutes will be very productive. Nor did I
>>>> really want to lose 50+ occasionally-very-useful graphs...
>>>>
>>>> TIA
>>>> Andrew
>>>>
>>>> --
>>>> Linux supports the notion of a command line or a shell for the same
>>>> reason that only children read books with only pictures in them.
>>>> Language, be it English or something else, is the only tool flexible
>>>> enough to accomplish a sufficiently broad range of tasks.
>>>>                           -- Bill Garrett
>>>>
>>>> _______________________________________________
>>>> PLUG discussion list: plug at plug.org.au
>>>> http://lists.plug.org.au/mailman/listinfo/plug
>>>> Committee e-mail: committee at plug.org.au
>>>> PLUG Membership: http://www.plug.org.au/membership
>>>>
>>>
>>>
>>>
>>> --
>>> Regards,
>>> Balasubramaniam Natarajan
>>> http://blog.etutorshop.com
>>> https://www.youracclaim.com/user/balasubramaniam-natarajan
>>>
>>
>>
>>

