On Sat, Apr 13, 2002 at 12:40:03PM -0700, Paul Makepeace wrote:
> Does anyone here have any ideas, thoughts, solutions for keeping track
> of a machine's network usage? I have recently discovered /proc/net/dev and
> am cron'ing it into a logrotate.d file and may try to do something
> rrdtool related with it.

A friend logs /proc/net/dev every 60 secs (and uses it to dispute his
service provider's bills :-(
 
> But, what I'd really like to see is relative usage of bandwidth by
> application, for example, DNS, LDAP, freenet, HTTP, etc. I don't see a
> way to do this with /proc - is there? HTTP is do-able by post-munging
> analog output but that's not general.

I've planned but not yet installed a set of iptables rules to count by
protocol: 
        # a rule with no -j target never terminates, it only counts;
        # --dport is valid only with -p tcp or -p udp, so DNS needs both
        iptables -A in_ext -p tcp --dport http
        iptables -A in_ext -p udp --dport domain
        iptables -A in_ext -p tcp --dport domain
        iptables -A in_ext -p tcp --dport ldap      # LDAP is 389/tcp

Since this can be done by interface, it should make a good way of
charging back ...

Use iptables -L -x -v -n to report.

Currently I only monitor new connections (SYNs) so I can see
the number of connections, but only totals of data ...

... http traffic
 pkts bytes target     prot opt in     out     source   destination
 9163  550K ACCEPT     tcp  --  any    any     anywhere anywhere           tcp dpt:http flags:SYN,RST,ACK/SYN
  222 13320 ACCEPT     tcp  --  any    any     anywhere anywhere           tcp dpt:https flags:SYN,RST,ACK/SYN
 6774  406K ACCEPT     tcp  --  any    any     anywhere anywhere           tcp dpt:http flags:SYN,RST,ACK/SYN
  232 13920 ACCEPT     tcp  --  any    any     anywhere anywhere           tcp dpt:https flags:SYN,RST,ACK/SYN
   15   900 ACCEPT     tcp  --  any    any     anywhere anywhere           tcp dpt:http-alt flags:SYN,RST,ACK/SYN

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source destination 
  34M   23G connected  all  --  any    any     anywhere anywhere    
 6090  411K ACCEPT     all  --  lo     any     anywhere anywhere    
 2124  465K in_ext     all  --  ippp0  any     anywhere anywhere    
 8138  628K in_int     all  --  eth0   any     anywhere anywhere    

Anyone who's read this far want an undocumented Perl script to translate a
human-readable firewall description like the attached into a set of
iptables commands?
-- 
Chris Benson
define $INTERNAL eth0
define $EXTERNAL ippp+
define $DEMON_SMTP_NET 1.2.3.4/24
define $ANY all 0:65535

modules ip_conntrack ip_conntrack_ftp ip_nat_ftp 
modules ipt_MIRROR ipt_LOG ipt_MASQUERADE ipt_REJECT

options forwarding address_verification log_martians 
options noaccept_redirects ignore_broadcast_ping

nat $EXTERNAL 

allow_out accepts tcp http; smtp; ssh; ident; https; 8080; nntp; ftp ; ftp-data;
allow_out accepts udp domain; ntp; 33434:33500; 
allow_out accepts icmp echo-request;

on forward from $INTERNAL to $EXTERNAL do fwd_int_ext
on forward from $EXTERNAL to $INTERNAL do fwd_ext_int
on forward log "DROPPING:forward "
on forward drop
 
on input from lo accept 
on input from $INTERNAL do in_int
on input from $EXTERNAL do in_ext
on input log "DROPPING:input " 
on input drop 

on output to lo accept
on output to $INTERNAL do out_int
on output to $EXTERNAL do out_ext
on output log "DROPPING:output "
on output drop

fwd_int_ext do connected
fwd_int_ext drops all netbios-ns; netbios-dgm; netbios-ssn;
fwd_int_ext do allow_out
fwd_int_ext log "DROPPING:fwd_int_ext " 
fwd_int_ext reject

fwd_ext_int do connected
fwd_ext_int log "DROPPING:fwd_ext_int "
fwd_ext_int drop

in_int do connected
in_int accept

out_int do connected
out_int accept

in_ext counts tcp http
in_ext do connected
in_ext accepts tcp smtp -s $DEMON_SMTP_NET; ssh;
in_ext mirror all portmap; netbios-ns; netbios-dgm; netbios-ssn; ftp; printer; telnet
in_ext log "DROPPING:in_ext " 
in_ext drop

out_ext do connected
out_ext do allow_out
out_ext log "DROPPING:out_ext "
out_ext drop
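The per-service byte accounting discussed in the message above, as an added example that is not code from the original post or from the Perl generator it mentions. The chain name acct_in, the interface ippp0, the service list and the two counter snapshots are all made up for illustration. Two things the listing above makes visible are built in: --dport is only accepted with -p tcp or -p udp (so a protocol served over both, such as DNS, needs one rule per transport), and a counting chain must sit in front of any ESTABLISHED,RELATED accept. In the INPUT listing above the connected chain is consulted before in_ext, so a counter inside in_ext only ever sees packets conntrack has not already accepted, which is why those counts are per connection rather than per byte; here the chain is inserted at position 1 of INPUT instead.

```shell
#!/bin/sh
# Added example, not code from the original post or its Perl generator.
# Assumes iptables with conntrack; the chain name acct_in, the interface
# ippp0, the service list and the two counter snapshots are all made up.

IPT=${IPT:-iptables}   # set IPT=echo to print the rules instead of loading them

# One counting rule per service: a rule without -j never terminates, it only
# bumps its pkts/bytes counters.  --dport is valid only with -p tcp or -p udp,
# so a service that runs over both (DNS) needs two rules.  The chain goes at
# the top of INPUT; after an ESTABLISHED,RELATED accept it would only ever
# see the first packet of each connection.
install_counters() {
    chain=$1 iface=$2
    $IPT -N "$chain" 2>/dev/null || true       # harmless if it already exists
    $IPT -I INPUT 1 -i "$iface" -j "$chain"
    for svc in tcp:80 tcp:443 tcp:53 udp:53 tcp:389 tcp:25 tcp:22; do
        $IPT -A "$chain" -p "${svc%:*}" --dport "${svc#*:}"
    done
}

# Parse `iptables -L <chain> -x -v -n` (stdin) into "proto/port bytes" lines.
# The target column is blank for counting rules, so numbered fields shift;
# anchor on the "tcp dpt:NN" / "udp dpt:NN" pair that iptables prints instead.
bytes_by_service() {
    awk '/dpt:/ { for (i = 2; i <= NF; i++)
                      if ($i ~ /^dpt:/) print $(i-1) "/" substr($i, 5), $2 }'
}

# Bytes per second between two readings SECS apart.  Counters only grow unless
# someone runs `iptables -Z`; treat a decrease as a reset so no negative rate
# reaches rrdtool.
rate() {
    old=$1 new=$2 secs=$3
    if [ "$new" -ge "$old" ]; then delta=$((new - old)); else delta=$new; fi
    echo $((delta / secs))
}

# Constructed 60 s snapshots of `iptables -L acct_in -x -v -n`, not real data.
# udp/53 went backwards: its counters were zeroed between the two readings.
SNAP_T0='Chain acct_in (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    9163     563200            tcp  --  ippp0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
     222      13320            tcp  --  ippp0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    1201      96080            udp  --  ippp0  *       0.0.0.0/0            0.0.0.0/0            udp dpt:53'
SNAP_T1='Chain acct_in (1 references)
    pkts      bytes target     prot opt in     out     source               destination
   10163     623200            tcp  --  ippp0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
     232      13920            tcp  --  ippp0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
      19       1500            udp  --  ippp0  *       0.0.0.0/0            0.0.0.0/0            udp dpt:53'

# Per-service rate between the two snapshots, one "proto/port N B/s" line each.
report() {
    printf '%s\n' "$SNAP_T1" | bytes_by_service | while read -r svc new; do
        old=$(printf '%s\n' "$SNAP_T0" | bytes_by_service | awk -v s="$svc" '$1 == s { print $2 }')
        echo "$svc $(rate "${old:-0}" "$new" 60) B/s"
    done
}

# install_counters acct_in ippp0    # run once, as root, to load the rules
report
```

In real use the two snapshots come from cron running `iptables -L acct_in -x -v -n` every minute, and the "proto/port N B/s" lines feed rrdtool update; the reset handling matters because a `iptables -Z` (or a firewall reload) between two readings would otherwise post a huge negative sample.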
