The Linux kernel automatically keeps packet and byte counters for every iptables rule. This information can be used to do accounting on network usage.

This quick guide shows you how to monitor transfers between nodes.

Configuration in iptables

On the host there is nothing special about accounting rules: they are regular iptables rules, and the kernel tracks packet and byte counts for each rule anyway.
So, if you want to count a particular kind of network activity, just create a rule that matches it.

For example, if you want to monitor transfers between nodes, suppose is the remote host you want to monitor.

Then, on your server, add two rules to /etc/sysconfig/iptables, one for traffic from that host and one for traffic to it. Put them before any rule that would DROP or REJECT the same traffic: a packet is only counted by the rules it actually reaches.

-A INPUT  -m tcp -p tcp -s -j ACCEPT
-A OUTPUT -m tcp -p tcp -d -j ACCEPT

Restart iptables (note that the restart flushes the rules, so any counters collected so far are lost):

# service iptables restart
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_n[  OK  ]

Check and start monitoring

# iptables -nvxL
Chain INPUT (policy DROP 38545 packets, 5435287 bytes)
pkts      bytes target  prot opt in     out     source         destination        
  44       2960 ACCEPT  tcp  --  *      *        tcp
Chain OUTPUT (policy ACCEPT 143450 packets, 46125613 bytes)
pkts      bytes target  prot opt in     out     source         destination         
  30      22040 ACCEPT  tcp  --  *      *      tcp

In the example above:

  • -L lists all the rules.
  • -n does not resolve IP addresses (or port names), which is faster and avoids DNS lookups.
  • -v adds the packet and byte counters and the in/out interface columns.
  • -x displays exact byte counts (otherwise large numbers get abbreviated to 200K, 3M, etc.).

Reset the counters

To zero every counter in every chain, use:
# iptables -Z

iptables -Z CHAIN zeroes a single chain and iptables -Z CHAIN RULENUM a single rule; -L can be combined with -Z to list the counters immediately before they are cleared.
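Reading the counters back by hand gets tedious once there are several chains. The script below is an added example, not code from the original article: it parses iptables -nvxL output into per-chain totals and shows the list-then-zero invocation. The function names, the Acc_out_eth0 rows in the sample listing and the documentation address 192.0.2.10 are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): turn `iptables -nvxL` output into
# per-chain packet/byte totals, then read one chain's counters and zero them in a
# single iptables call. acc_totals, acc_bytes, acc_read_and_zero and the sample
# listing are this example's own inventions.

# Constructed sample, shaped like `iptables -nvxL`. 192.0.2.10 stands in for the
# remote host. The first Acc_out_eth0 rule has no target, so its "target" column
# is empty and the remaining columns shift left.
SAMPLE_LISTING='Chain INPUT (policy DROP 38545 packets, 5435287 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      44       2960 ACCEPT     tcp  --  *      *       192.0.2.10           0.0.0.0/0            tcp
Chain OUTPUT (policy ACCEPT 143450 packets, 46125613 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      30      22040 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.0.2.10           tcp
Chain Acc_out_eth0 (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    1200     987654            all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
       7        588            icmp --  *      eth0    0.0.0.0/0            0.0.0.0/0'

# Sum the pkts/bytes columns of every rule under each "Chain" header (the
# policy counters in the header itself are not included). Only $1 and $2 are
# used, so the empty target column of a target-less rule cannot shift what we read.
acc_totals() {
    awk '
        /^Chain / { chain = $2; next }
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ { pk[chain] += $1; by[chain] += $2 }
        END { for (c in pk) printf "%s %d %d\n", c, pk[c], by[c] }
    ' | sort
}

# Bytes counted by the rules of one chain, listing read from stdin.
acc_bytes() {
    acc_totals | awk -v c="$1" '$1 == c { print $3 }'
}

# List one chain and zero it in the same invocation (iptables(8) allows -L
# together with -Z). Listing and zeroing are still two kernel operations, so a
# packet arriving between them is counted by neither sample; keep the sampling
# interval long relative to that window.
acc_read_and_zero() {
    iptables -nvxL "$1" -Z
}

# Use the live chain when we are root and it exists, otherwise the sample.
if [ "$(id -u)" = 0 ] && iptables -nvxL Acc_out_eth0 >/dev/null 2>&1; then
    acc_read_and_zero Acc_out_eth0 | acc_totals
else
    printf '%s\n' "$SAMPLE_LISTING" | acc_totals
fi
```

Counters do not survive service iptables restart (its first step is "Flushing firewall rules"); iptables-save -c writes each rule with its [pkts:bytes] prefix and iptables-restore -c loads them back, which is the way to carry accounting data across a reload.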

Setup Accounting rule

In the examples above, each rule has its own counters, but iptables -Z resets all of them at once. What if you want to reset different counters at different times, or group several traffic counters together?

There are many ways to separate or group accounting; it really depends on your situation and requirements.

Here is a simple example: suppose a server has two Ethernet ports and I want to group traffic by port, direction (input/output) and protocol.

Note: to keep the configuration short, the definitions for the second port are omitted in the example below.

First, define the chains (iptables-restore syntax, as used in /etc/sysconfig/iptables):

## default chains (built-in chains carry a policy; ACCEPT here because nothing is filtered yet)

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

#### defined chains (user-defined chains take "-" in place of a policy)

:Acc_in_eth0 - [0:0]
:Acc_out_eth0 - [0:0]
:Acc_in_eth0_tcp - [0:0]
:Acc_in_eth0_udp - [0:0]
:Acc_in_eth0_icmp - [0:0]
:Acc_out_eth0_tcp - [0:0]
:Acc_out_eth0_udp - [0:0]
:Acc_out_eth0_icmp - [0:0]

Second, define the rules.

Make the built-in INPUT/OUTPUT chains jump to the accounting chains. None of the accounting rules below has a -j target, so after each jump the packet falls off the end of the user-defined chain and returns to INPUT/OUTPUT, where the next jump counts it again; that is what lets one packet be counted by both Acc_in_eth0 and Acc_in_eth0_tcp.

-A INPUT -j Acc_in_eth0
-A INPUT -j Acc_in_eth0_tcp
-A INPUT -j Acc_in_eth0_udp
-A INPUT -j Acc_in_eth0_icmp
-A OUTPUT -j Acc_out_eth0
-A OUTPUT -j Acc_out_eth0_tcp
-A OUTPUT -j Acc_out_eth0_udp
-A OUTPUT -j Acc_out_eth0_icmp

Inside each accounting chain, match the traffic by interface and protocol (these rules have no -j, so they only count):

-A Acc_in_eth0 -i eth0
-A Acc_in_eth0_tcp  -i eth0 -p tcp -m tcp
-A Acc_in_eth0_udp -i eth0 -p udp -m udp
-A Acc_in_eth0_icmp -i eth0 -p icmp -m icmp
-A Acc_out_eth0 -o eth0
-A Acc_out_eth0_tcp  -o eth0 -p tcp -m tcp
-A Acc_out_eth0_udp -o eth0 -p udp -m udp
-A Acc_out_eth0_icmp -o eth0 -p icmp -m icmp

Note 1: to keep the listing short, the counting rules for the second Ethernet port are not shown; they are the same with the second port's name in place of eth0.

Note 2: this configuration does no filtering yet; it is pure accounting. Add your usual firewall rules after the accounting jumps, so that packets are counted before anything can drop them.
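Copying the block above for every interface invites typos in chain names. The script below is an added example, not code from the original article: it generates the same chain declarations and rules for any list of interfaces as a complete filter table for iptables-restore. The Acc_ naming comes from the article; the function names and the ACCEPT policies are this example's choices.

```shell
#!/bin/sh
# Added example (not from the original article): generate the per-interface
# accounting chains and rules for any list of interfaces as an iptables-restore
# fragment. acc_chains_for, acc_rules_for and acc_table are this example's names.

# Chain declarations for one interface. In iptables-restore syntax a user-defined
# chain takes "-" where a built-in chain would have its policy; [0:0] are the
# initial packet:byte counters.
acc_chains_for() {
    ifc=$1
    for dir in "in" "out"; do
        printf ':Acc_%s_%s - [0:0]\n' "$dir" "$ifc"
        for proto in tcp udp icmp; do
            printf ':Acc_%s_%s_%s - [0:0]\n' "$dir" "$ifc" "$proto"
        done
    done
}

# Jumps from INPUT/OUTPUT plus the counting rule inside each chain. The counting
# rules have no -j, so after each jump the packet returns to the built-in chain
# and is counted again by the next jump.
acc_rules_for() {
    ifc=$1
    for dir in "in" "out"; do
        if [ "$dir" = in ]; then base=INPUT; flag=-i; else base=OUTPUT; flag=-o; fi
        printf -- '-A %s -j Acc_%s_%s\n' "$base" "$dir" "$ifc"
        printf -- '-A Acc_%s_%s %s %s\n' "$dir" "$ifc" "$flag" "$ifc"
        for proto in tcp udp icmp; do
            printf -- '-A %s -j Acc_%s_%s_%s\n' "$base" "$dir" "$ifc" "$proto"
            printf -- '-A Acc_%s_%s_%s %s %s -p %s\n' "$dir" "$ifc" "$proto" "$flag" "$ifc" "$proto"
        done
    done
}

# Whole filter table for the given interfaces: chains first, then rules, then
# COMMIT. Built-in policies are ACCEPT because this is accounting only; real
# filter rules belong after the accounting jumps so dropped traffic is counted.
acc_table() {
    printf '*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    for ifc in "$@"; do acc_chains_for "$ifc"; done
    for ifc in "$@"; do acc_rules_for "$ifc"; done
    printf 'COMMIT\n'
}

# Usage: acc_table eth0 eth1 > /etc/sysconfig/iptables   (then service iptables restart)
#    or: acc_table eth0 eth1 | iptables-restore
acc_table eth0 eth1
```

Each interface yields 8 chains and 16 rules, so the two-port setup the article describes comes out to 16 chains and 32 rules; iptables -Z Acc_in_eth1_udp then resets exactly one of those groups, independently of the others.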

Show and reset accounting numbers by chain

Show the Acc_out_eth0 counters:

# iptables -nvxL Acc_out_eth0

Reset the Acc_out_eth0 counters (the other accounting chains keep theirs):

# iptables -Z Acc_out_eth0


Note that you can add further accounting for particular purposes; for example, a counter for access to one port.

## Port Accounting rules
:port_8080 - [0:0]
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j port_8080
-A port_8080 -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT

Note: the rules above match state NEW, so only the first packet of each connection (or attempt) is counted; the counter can therefore be read as the number of connections, or connection attempts, to that port. For TCP consider adding --syn as well: a packet is in state NEW whenever conntrack has no entry for its flow, so after a conntrack table flush a mid-stream packet would also be counted as a new connection.

Remove the NEW state match and every packet matching the rule is counted instead:

-A INPUT -m tcp -p tcp --dport 8080 -j port_8080
-A port_8080 -m tcp -p tcp --dport 8080 -j ACCEPT

For more detail on counting port connections, see Use iptables to count port connection attempts.
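Zeroing a port counter every time you read it loses the packets that arrive between the read and the reset. The script below is an added example, not code from the original article: it takes two iptables-save -c snapshots and reports the connection attempts to a port chain in between, treating a counter that went backwards as a reset. The snapshots, the port_22 chain and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): count connection attempts per
# port chain without zeroing anything, by diffing two `iptables-save -c`
# snapshots. The "[pkts:bytes]" prefix that -c puts before each rule is easier
# to parse than the -nvxL listing. jump_pkts and new_conns are this example's
# names; the snapshots below are constructed.

# Two constructed snapshots taken an interval apart. Between them port_8080 saw
# 15 new connections, while port_22 was zeroed by hand and then saw 3.
SNAP_T0='*filter
:INPUT DROP [0:0]
:port_22 - [0:0]
:port_8080 - [0:0]
[400:24000] -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j port_22
[120:7200] -A INPUT -p tcp -m tcp --dport 8080 -m state --state NEW -j port_8080
[400:24000] -A port_22 -j ACCEPT
[120:7200] -A port_8080 -j ACCEPT
COMMIT'
SNAP_T1='*filter
:INPUT DROP [0:0]
:port_22 - [0:0]
:port_8080 - [0:0]
[3:180] -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j port_22
[135:8100] -A INPUT -p tcp -m tcp --dport 8080 -m state --state NEW -j port_8080
[3:180] -A port_22 -j ACCEPT
[135:8100] -A port_8080 -j ACCEPT
COMMIT'

# Packet count of the INPUT rule that jumps to the given chain, read from a
# snapshot on stdin. With --state NEW in that rule, packets == connection attempts.
jump_pkts() {
    awk -v c="$1" '
        $1 ~ /^\[[0-9]+:[0-9]+\]$/ && $2 == "-A" && $3 == "INPUT" && $NF == c {
            sub(/^\[/, "", $1); sub(/:.*/, "", $1); print $1; exit
        }'
}

# New connections to a chain between two snapshots. A counter that went
# backwards was zeroed (or the rules were reloaded) in between; the best we can
# report then is the count since that reset.
new_conns() {
    before=$(printf '%s\n' "$2" | jump_pkts "$1")
    after=$(printf '%s\n' "$3" | jump_pkts "$1")
    before=${before:-0}
    after=${after:-0}
    if [ "$after" -ge "$before" ]; then
        echo $((after - before))
    else
        echo "$after"
    fi
}

# Live use: snap0=$(iptables-save -c); sleep 60; snap1=$(iptables-save -c)
#           new_conns port_8080 "$snap0" "$snap1"
new_conns port_8080 "$SNAP_T0" "$SNAP_T1"
new_conns port_22 "$SNAP_T0" "$SNAP_T1"
```

Because nothing is zeroed, several consumers (a billing job, a monitoring check) can sample the same counters independently, which the -Z approach does not allow.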
