Re: [LARTC] traffic state monitoring

2003-02-25 Thread mingching.tiew
Below:-

- Original Message -
From: "Brad Davidson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, February 26, 2003 12:15 AM
Subject: Re: [LARTC] traffic state monitoring


> >is there any difference with one
> > of these  :-
> >
> > iptables -t nat -I PREROUTING -p tcp --dport 21
> >   -m state --state NEW,ESTABLISHED,RELATED
> >
> > iptables  -I FORWARD -p tcp --dport 21
> >   -m state --state NEW,ESTABLISHED,RELATED
>
> I could be wacky, but at this early hour of the morning my foggy brain is
> noticing a few things.
>
> -Neither of these rules jump to anything.

There is no need to jump to anything. The rules are added for traffic
analysis. All that I am interested in is the iptables counters for each rule.
A rule without a jump can be safely inserted (even on top of the ruleset!)
into a chain without disrupting anything and yet is able to provide the traffic
statistics of interest to me.

> -The second rule is not attached to any table, which I don't think is
> possible...
>

Aha, no table mentioned means the 'filter' table. That's the standard behavior
of iptables.

> For the first rule, I believe that rules in the nat table only apply to
> getting things mangled. Specifying the state in there would mean that only
> things in that state get mangled (dnat, snat, etc), based on the rules
> following it. Other packets would just have done to them whatever
> happens to packets that aren't associated with a session (aren't claimed by
> NAT, or any listening socket).
>

Aha, I thought I understood 30% of what you said here, but after doing it
again and again, I must say I don't know what you are talking about.

> The second rule would catch packets that are to be forwarded (for nat, or
> for normal routing) that meet the specified requirements. What happens
> once it's caught depends on what you jump to.
>
There is no need to jump to anything as I mentioned earlier.

But perhaps I would like to rephrase my question now, considering that I am
getting a cold response: how do I find out the traffic stats going through an
ftp or h323 session (considering that these applications create new
connections which might not be using the same port, etc.)?

Should it be :-

 iptables  -I FORWARD -p tcp --dport 21
-m state --state NEW,ESTABLISHED,RELATED

or

is this already sufficient :-

  iptables  -I FORWARD -p tcp --dport 21

Actually I am thinking of a new problem now: how do I do traffic control
on an ftp session directly? Is 'tc filter' sufficient? Is it able to do
connection tracking?



___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
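
An added example, not from the thread or any of its posters, for the question rephrased above: accounting for a whole ftp session when the data channel lands on a dynamic port, and getting that session into tc. Three points the thread circles around, stated as an editor: the nat table only ever sees the first packet of a connection, so counters on a nat PREROUTING rule count connection setups, not session bytes; '-p tcp --dport 21' counts only client-to-server packets of the control channel; and '--state RELATED' matches only the first packet of the data connection (the rest are ESTABLISHED), so to count or shape the whole session you tag the connections once with CONNMARK and match on the tag afterwards. tc itself has no access to conntrack, but its fw classifier matches the packet mark, which CONNMARK --restore-mark copies from the connection. The script assumes a current iptables/kernel (conntrack, helper and connmark matches, the CT and CONNMARK targets), that eth1 is the outside interface, that an HTB qdisc 1: with a class 1:10 already exists on eth0, and that mark value 21 is free; all of those names and values are assumptions for the example. It prints the commands unless IPT_APPLY=1 is set, so the ruleset can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the thread: account for and shape whole FTP
# sessions (control channel plus dynamic-port data channels) using the
# conntrack FTP helper and CONNMARK, then hand the sessions to tc.
# Assumptions (not from the thread): current iptables/kernel, eth1 is the
# outside interface, an HTB qdisc 1: with class 1:10 exists on eth0, and
# mark 21 is unused. Nothing is applied unless IPT_APPLY=1 is set.

FTP_MARK=21      # connmark/fwmark used to tag FTP control + data connections
DEV_WAN=eth1     # outside interface (the thread's packets enter here)
DEV_OUT=eth0     # interface carrying the tc qdisc for the shaped direction
TC_CLASS=1:10    # existing class that FTP sessions should land in

# Print the command unless IPT_APPLY=1, so the ruleset can be reviewed
# before it is loaded on a live router.
ipt() {
    if [ "${IPT_APPLY:-0}" = 1 ]; then
        "$@"
    else
        echo "$*"
    fi
}

# 1. FTP helper. It parses PORT/PASV on the control channel and registers
#    an expectation, so the data connection on a dynamic port is tracked as
#    RELATED to it instead of as an unrelated NEW connection. Recent kernels
#    no longer attach helpers automatically, so assign it explicitly in raw.
load_helper() {
    ipt modprobe nf_conntrack_ftp
    ipt iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
}

# 2. Tag the sessions once, in mangle PREROUTING (before nat PREROUTING,
#    so it works whether or not the server is DNATed). The control
#    connection is tagged on its first packet; each data connection is
#    tagged when its first packet arrives as RELATED. The helper match
#    selects connections expected by the FTP helper, so no port number
#    appears in the data-channel rule.
mark_ftp_sessions() {
    ipt iptables -t mangle -A PREROUTING -p tcp --dport 21 \
        -m conntrack --ctstate NEW -j CONNMARK --set-mark "$FTP_MARK"
    ipt iptables -t mangle -A PREROUTING -m conntrack --ctstate RELATED \
        -m helper --helper ftp -j CONNMARK --set-mark "$FTP_MARK"
}

# 3. Count. A rule with no target only increments its counters, so it can
#    sit at the top of FORWARD without changing policy. Matching on the
#    connmark counts every packet of every tagged connection in both
#    directions; '-p tcp --dport 21' would count only client->server control
#    packets and miss the data channel entirely.
count_ftp_traffic() {
    ipt iptables -I FORWARD 1 -i "$DEV_WAN" -m connmark --mark "$FTP_MARK"
    ipt iptables -I FORWARD 2 -o "$DEV_WAN" -m connmark --mark "$FTP_MARK"
}

# 4. Shape. tc cannot look at conntrack; the fw classifier matches the
#    packet mark, so copy the connmark into it on every tagged packet.
#    This rule must sit after the two --set-mark rules in the chain.
shape_ftp_sessions() {
    ipt iptables -t mangle -A PREROUTING -m connmark --mark "$FTP_MARK" \
        -j CONNMARK --restore-mark
    ipt tc filter add dev "$DEV_OUT" parent 1: protocol ip prio 1 \
        handle "$FTP_MARK" fw flowid "$TC_CLASS"
}

# Read the packet/byte counters of the two accounting rules (in/out).
show_ftp_counters() {
    ipt iptables -L FORWARD 1 -v -n -x
    ipt iptables -L FORWARD 2 -v -n -x
}

setup_ftp_accounting() {
    load_helper
    mark_ftp_sessions
    count_ftp_traffic
    shape_ftp_sessions
}

setup_ftp_accounting
```

Run it once without IPT_APPLY to read the generated rules, then with IPT_APPLY=1 as root; show_ftp_counters reads the two counter rules afterwards. The same pattern covers h323: load its conntrack helper module instead and match on that helper's name(s) in the tagging rule.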


Re: [LARTC] traffic state monitoring

2003-02-25 Thread Brad Davidson
>is there any difference with one
> of these  :-
>
> iptables -t nat -I PREROUTING -p tcp --dport 21
>   -m state --state NEW,ESTABLISHED,RELATED
>
> iptables  -I FORWARD -p tcp --dport 21
>   -m state --state NEW,ESTABLISHED,RELATED

I could be wacky, but at this early hour of the morning my foggy brain is
noticing a few things.

-Neither of these rules jump to anything.
-The second rule is not attached to any table, which I don't think is
possible...

For the first rule, I believe that rules in the nat table only apply to
getting things mangled. Specifying the state in there would mean that only
things in that state get mangled (dnat, snat, etc), based on the rules
following it. Other packets would just have done to them whatever
happens to packets that aren't associated with a session (aren't claimed by
NAT, or any listening socket).

The second rule would catch packets that are to be forwarded (for nat, or
for normal routing) that meet the specified requirements. What happens
once it's caught depends on what you jump to.

Remember, I'm just an amateur, haven't had my coffee yet (insert other
pithy excuse for my being wrong here).


[LARTC] traffic state monitoring

2003-02-25 Thread mingching.tiew
It seems that the state monitoring ( -m state --state ) is valid in
various tables and chains. My question is: does it make any difference?

Say I need to monitor all the traffic that is started from an
application, even if it is using dynamic ports; where do I put the
state monitoring, PREROUTING, FORWARD or others?

For example, assuming an ftp packet is entering eth1 and gets DNAT-ed
to an internal server 192.168.0.99 at PREROUTING and then
forwarded at the FORWARD chain, is there any difference between
these :-

iptables -t nat -I PREROUTING -p tcp --dport 21 
  -m state --state NEW,ESTABLISHED,RELATED

iptables  -I FORWARD -p tcp --dport 21 
  -m state --state NEW,ESTABLISHED,RELATED

