On Wed, 21 Jul 2004 19:37:48 +0200 Raffaele D'Elia wrote:
> I run a debian stable firewall, and I need to account ip data that
> travels through it.
>
> I've looked at ipac-ng, but I think it doesn't work well with the
> FORWARD chain.
>
> How can I do accounting using iptables just like ipac-ng does on the
> FORWARD chain?
Would something like my homegrown solution be of any use as a starting point?

http://vbc.dyndns.org/~carlos/share/index.html (the netaccount bit)

It uses the PREROUTING and POSTROUTING chains of the iptables mangle table,
thus catching all traffic (I hope :) going through the specified network
interface. You could adapt the rules to the FORWARD chain (mangle table), for
your purposes.

# IPTABLES - Packet traversal of chains/tables:
#
#                (network)
#                    v
#             mangle PREROUTING
#                    |
#              nat PREROUTING
#                   / \
#                  /   \
#        mangle INPUT   \
#             |          |
#        filter INPUT    |
#             v          |
#       ,-----------.  mangle FORWARD
#       |   local   |    |
#       | processes |  filter FORWARD
#       `-----------'    |
#             v          |
#        mangle OUTPUT   |
#             |          |
#         nat OUTPUT     |
#             |          |
#        filter OUTPUT   /
#                  \   /
#                   \ /
#            mangle POSTROUTING
#                    |
#             nat POSTROUTING
#                    v
#                (network)

A simple 'iptables -L' executed regularly enables you to keep a record on the
traffic, keeping in mind that a reboot will zero the counts.

HTH

--
Carlos Sousa
http://vbc.dyndns.org/
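The adaptation Carlos suggests (counting rules on the mangle FORWARD chain, with
the counters read out periodically) worked through as an added example; this is
not Carlos's netaccount script nor anything from the original thread. The
interface name eth1, the hosts 192.168.1.10/11 and the sample counter listing
are all constructed for illustration. Rules without a -j target only count and
let the packet continue, so a dedicated ACCOUNT chain hung off mangle FORWARD
gives per-host byte counts without touching filtering. Because the kernel
counters restart at zero on reboot (or on a chain flush), the delta helper treats
a counter that went backwards as a reset rather than a negative number.

```shell
#!/bin/sh
# Added example (not from the original post): per-host traffic accounting on
# the mangle FORWARD chain, plus a parser for `iptables -t mangle -L ACCOUNT -v -n -x`
# output and a reboot-safe delta for a cron job that logs the counters.
# Interface names, hosts and the sample listing below are assumptions.

# Constructed sample of `iptables -t mangle -L ACCOUNT -v -n -x` output.
# With -x the byte column is exact; the target column is empty for counting rules.
SAMPLE_COUNTERS='Chain ACCOUNT (2 references)
    pkts      bytes target     prot opt in     out     source               destination
   12345  9876543            all  --  *      *       192.168.1.10         0.0.0.0/0
    2345   123456            all  --  *      *       0.0.0.0/0            192.168.1.10
      10     1200            all  --  *      *       192.168.1.11         0.0.0.0/0
       0        0            all  --  *      *       0.0.0.0/0            192.168.1.11'

# Print (do not run) the iptables commands that install the accounting chain.
# usage: account_rules LAN_IF HOST...
# Forwarded packets entering or leaving LAN_IF are sent through ACCOUNT, where
# one counting rule per direction matches each host. No -j means count only.
account_rules() {
    lan_if="$1"; shift
    echo "iptables -t mangle -N ACCOUNT"
    echo "iptables -t mangle -A FORWARD -i $lan_if -j ACCOUNT"
    echo "iptables -t mangle -A FORWARD -o $lan_if -j ACCOUNT"
    for host in "$@"; do
        echo "iptables -t mangle -A ACCOUNT -s $host"   # bytes sent by host
        echo "iptables -t mangle -A ACCOUNT -d $host"   # bytes received by host
    done
}

# Read the -v -n -x listing on stdin; emit "DIRECTION HOST BYTES" per rule.
# Skips the "Chain" and header lines; uses the last two columns so the output
# parses the same whether or not a target column is present.
parse_counters() {
    awk 'NR > 2 && NF >= 8 {
        src = $(NF-1); dst = $NF
        if (src != "0.0.0.0/0") print "out " src " " $2
        else                     print "in "  dst " " $2
    }'
}

# usage: host_total HOST < listing  -> "in BYTES out BYTES"
host_total() {
    parse_counters | awk -v h="$1" '
        $2 == h { b[$1] = $3 }
        END { printf "in %d out %d\n", b["in"] + 0, b["out"] + 0 }'
}

# usage: counter_delta OLD NEW
# A counter lower than the previous snapshot means the box rebooted (or the
# chain was flushed) and counting restarted from zero, so all of NEW is new.
counter_delta() {
    if [ "$2" -ge "$1" ]; then echo $(( $2 - $1 )); else echo "$2"; fi
}

# usage: log_snapshot LOGFILE < listing
# Appends a timestamped snapshot; a later job can feed consecutive snapshots
# through counter_delta to accumulate totals across reboots.
log_snapshot() {
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    parse_counters | while read -r dir host bytes; do
        printf '%s %s %s %s\n' "$stamp" "$dir" "$host" "$bytes"
    done >> "$1"
}

# Demo on the constructed sample (no iptables needed).
account_rules eth1 192.168.1.10 192.168.1.11
printf '%s\n' "$SAMPLE_COUNTERS" | parse_counters
```

On the real firewall, replace the sample with `iptables -t mangle -L ACCOUNT -v -n -x`
piped into log_snapshot from cron; plain `iptables -L` without -v does not show the
counters at all.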

