Re: Accounting on a firewall

[Raffaele D'Elia]

I'm working on something similar, but I'm stuck in early planning stage.
I'm looking for something like ipac-ng (I love its data handling), but I 
need to get data from any rule I like (ie a .conf file with itemname -> 
table/chain/rulenumber mapping).
Probably I have to change something in fetchipac...

I'll look netaccount's source looking for hints; is it open source, 
isn't it?

Thanks.
Radel
Carlos Sousa wrote:
On Wed, 21 Jul 2004 19:37:48 +0200 Raffaele D'Elia wrote:
I run a debian stable firewall, and I need to account ip data that 
travels through it.

I've looked at ipac-ng, but I think it doesn't works well with the 
FORWARD chain.

How can I do accounting using iptables just like ipac-ng does on the 
FORWARD chain?

Would something like my homegrown solution be of any use as a starting
point?
   http://vbc.dyndns.org/~carlos/share/index.html (the netaccount bit)
It uses the PREROUTING and POSTROUTING chains of the iptables mangle
table, thus catching all traffic (I hope :) going through the specified
network interface.
You could adapt the rules to the FORWARD chain (mangle table), for
your purposes.
# IPTABLES - Packet traversal of chains/tables:
# 
#             (network)
#                 v
#          mangle PREROUTING
#                 |
#             nat PREROUTING
#             /        \
#            /          \
#   mangle INPUT         \
#         |               |
#   filter INPUT          |
#         v               |
#  ,-----------.    mangle FORWARD
#  |   local   |          |
#  | processes |    filter FORWARD
#  `-----------~          |
#         v               |
#   mangle OUTPUT         |
#         |               |
#      nat OUTPUT         |
#         |               |
#   filter OUTPUT        /
#            \          /
#             \        /
#          mangle POSTROUTING
#                 |
#             nat POSTROUTING
#                 v
#             (network)

A simple 'iptables -L' executed regularly enables you to keep a record
on the traffic, keeping in mind that a reboot will zero the counts.
HTH
**************************************************************************
Questo messaggio puo' contenere informazioni di carattere estremamente
riservato e confidenziale.
Qualora non foste i destinatari, vogliate immediatamente informarci
con lo stesso mezzo ed eliminare il messaggio, con gli eventuali allegati,
senza trattenerne copia. Qualsivoglia utilizzo non autorizzato del
contenuto di questo messaggio costituisce violazione dell'obbligo di non
prendere cognizione della corrispondenza tra altri soggetti, salvo piu'
grave illecito, ed espone il responsabile alle relative conseguenze civili
e penali.
This message is being sent from Starcom Italia Srl and may
contain information which is confidential or privileged.  If you are not
the intended recipient, please advise the sender immediately by reply
e-mail and delete this message and any attachments without retaining a
copy. Any unauthorized use of the content of this message is a breach of
your duty to respect the confidentiality of the correspondence between
other persons and can expose the responsible party to civil and/or
criminal penalties, and may constitute a more serious offense.
**************************************************************************