On Friday 10 May 2002 6:06 pm, José de Paula Eufrásio Júnior wrote:
> Hello there!
>
> I'm using a Linux box to make a MASQUERADE from some machines in my
> internal network to the internet, and using CBQ/QoS to control the traffic
> based on IP numbers.
>
> Now I'm searching for a way to collect the statistics from the iptables (or
> CBQ) to make some graphics or something and know how much each IP is
> consuming...
I do it like this:

In my FORWARD chain, instead of ACCEPTing packets which are ESTABLISHED or RELATED, I send them to a user-defined chain called for example PKTCOUNT.

Then the PKTCOUNT chain contains rules like this:

  iptables -A PKTCOUNT -s 11.22.33.44 -j ACCEPT
  iptables -A PKTCOUNT -s 11.22.33.55 -j ACCEPT
  iptables -A PKTCOUNT -s 11.22.33.66 -j ACCEPT

and so on, for each of the IP addresses you're interested in. You could of course use -d if you're more interested in destination addresses, or use both.

Then the command

  iptables -L PKTCOUNT -n -v

will show you the number of packets and the number of bytes which have matched on each rule in this chain - i.e. the number which matched each IP address.

I actually have a cron job to do this once a minute and record all the numbers to an IP log file, which I can then parse with a Perl program to produce some pretty graphs. I'm sure mrtg could do this if you wanted to use that instead.

I guess if you've already created a set of SNAT or DNAT rules to do the translations you want, then you probably don't even need to create the PKTCOUNT chain - just try doing

  iptables -L PREROUTING -n -v -t nat

and it will tell you how many packets and bytes got translated by each rule.

Antony.
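A parser for the `iptables -L PKTCOUNT -n -v` listing that the cron job above records, as an added example (not Antony's Perl program and not part of the original mail). It expands the K/M/G abbreviations iptables prints for large counters when `-x` is not given, and turns two successive snapshots into per-interval traffic per IP, treating a counter that went backwards (chain flushed or reloaded between samples) as a restart from zero. The two listings are constructed sample data.

```python
import re

# Constructed samples: two successive `iptables -L PKTCOUNT -n -v` listings,
# one minute apart. Counter values are made up for the example.
SNAP_T0 = """\
Chain PKTCOUNT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  120 98000 ACCEPT     all  --  *      *       11.22.33.44          0.0.0.0/0
 3105 4100K ACCEPT     all  --  *      *       11.22.33.55          0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       11.22.33.66          0.0.0.0/0
"""
SNAP_T1 = """\
Chain PKTCOUNT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  180 151000 ACCEPT    all  --  *      *       11.22.33.44          0.0.0.0/0
 3120 4200K ACCEPT     all  --  *      *       11.22.33.55          0.0.0.0/0
   15 12000 ACCEPT     all  --  *      *       11.22.33.66          0.0.0.0/0
"""

# iptables abbreviates counters in decimal thousands; use `iptables -x` for exact values.
_SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}
_ROW = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def to_int(field):
    """Expand an abbreviated counter such as '4100K' to an integer."""
    m = re.fullmatch(r"(\d+)([KMG]?)", field)
    if not m:
        raise ValueError(f"bad counter field: {field!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]

def parse_counters(listing):
    """Return {source_ip: (pkts, bytes)} from one `iptables -L <chain> -n -v` listing."""
    counts = {}
    for line in listing.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # "Chain ..." line and column header carry no counters
        pkts, byts, _target, _proto, _opt, _in, _out, src, _dst = m.groups()
        counts[src] = (to_int(pkts), to_int(byts))
    return counts

def deltas(prev, curr):
    """Traffic per IP between two snapshots; counters are cumulative, so subtract.
    A counter lower than before means the chain was flushed or reloaded, so the
    interval is counted from zero instead of producing a negative number."""
    out = {}
    for ip, (p1, b1) in curr.items():
        p0, b0 = prev.get(ip, (0, 0))
        if p1 < p0 or b1 < b0:
            p0, b0 = 0, 0
        out[ip] = (p1 - p0, b1 - b0)
    return out

if __name__ == "__main__":
    for ip, (p, b) in deltas(parse_counters(SNAP_T0), parse_counters(SNAP_T1)).items():
        print(f"{ip:<16} {p:>6} pkts {b:>10} bytes")
```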
