On 2013-09-17 23:45, Jeremy Visser wrote:
> On 09/17/2013 10:23 PM, Matthew Cengia wrote:
> > Given you're running Kamikaze, you're unlikely to have the
> > iptables-utils package installed (you may be able to install it, giving
> > you the iptables-save and iptables-restore commands; a script using
> > these would be quicker), so in its absence:
> 
> I should probably mention at this point that custom firewall rules for
> OpenWrt should be entered as iptables commands in /etc/firewall.user
> (basically a glorified shell script, but it gets called at the
> appropriate point during network initialisation).
> 
> I would *not* encourage the use of iptables-{save,restore} on OpenWrt,
> as you will be overwriting the existing rules, and any network interface
> changes will not be reflected in the firewall structure if you're
> modifying an old and shaggy iptables dump.
> 
> If you absolutely *insist* on loading your rules with iptables-restore
> (NOT recommended), you should probably disable the built-in firewall
> script (I'll leave doing that as an exercise to the reader
> *cough*/etc/init.d/firewall disable*cough*).

Yes, care must be taken in this instance, and you make a couple of good
points here. It's worth remembering that running iptables-restore
needn't blow away your entire ruleset, specifically when passed '-n'.

Historically, I had something like this in /etc/firewall.rules:

  # The chains must exist before the batch is loaded: the restore text
  # below carries no ':chain' declarations, only '-A' rules.
  iptables -N log_incoming
  iptables -N log_outgoing
  {
    echo '*filter'
    ip=1
    while [ "$ip" -lt 255 ]; do
      # one per-host accounting rule per direction, no target: it only counts
      echo "-A log_incoming -d 192.168.2.$ip"
      echo "-A log_outgoing -s 192.168.2.$ip"
      ip=$((ip + 1))   # POSIX arithmetic; works in busybox ash too
    done
    echo 'COMMIT'
  } | iptables-restore -n   # -n: add to the filter table without flushing it
  # hook both chains at the top of FORWARD
  iptables -I FORWARD -j log_incoming
  iptables -I FORWARD -j log_outgoing

This saves *lots* of time because you're only running 5 iptables
commands instead of over 200, and given that each change made using
'iptables' basically reads, edits, and writes the full table every time,
this is much neater. Also worth noting is that, at least in this
instance, it's not necessary to specify a network interface.

-- 
Regards,
Matthew Cengia


_______________________________________________
luv-main mailing list
[email protected]
http://lists.luv.asn.au/listinfo/luv-main
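The batching technique from the message above, written out as a re-runnable script. This is an added example, not code from either poster: it keeps the thread's subnet (192.168.2.0/24) and chain names (log_incoming, log_outgoing) but makes them parameters, separates generating the iptables-restore input from applying it, and guards the FORWARD hooks so the script can be called again (for instance from /etc/firewall.user after an interface change) without stacking duplicate jumps or flushing unrelated rules. The use of 'iptables -C' to test for an existing jump is an assumption about the installed iptables version (it needs 1.4.11 or later); everything else is plain POSIX sh.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the iptables-restore
# batch for one /24 accounting pair of chains and hooks them into FORWARD.
# Assumed: busybox/POSIX sh, iptables and iptables-restore on PATH, run as root
# when applying. Subnet and chain names come from the thread; the rest is
# illustrative.

NET_PREFIX="${NET_PREFIX:-192.168.2}"     # first three octets of the /24
IN_CHAIN="${IN_CHAIN:-log_incoming}"
OUT_CHAIN="${OUT_CHAIN:-log_outgoing}"

# gen_batch PREFIX IN_CHAIN OUT_CHAIN
# Print the restore input: one '-d' rule per host in IN_CHAIN and one '-s'
# rule per host in OUT_CHAIN. No ':chain' lines are emitted, so with
# 'iptables-restore -n' nothing already in the filter table is touched.
gen_batch() {
    prefix="$1"; in_chain="$2"; out_chain="$3"
    echo '*filter'
    ip=1
    while [ "$ip" -lt 255 ]; do
        echo "-A $in_chain -d $prefix.$ip"
        echo "-A $out_chain -s $prefix.$ip"
        ip=$((ip + 1))
    done
    echo 'COMMIT'
}

# batch_line_count PREFIX IN_CHAIN OUT_CHAIN
# Number of lines gen_batch emits: header + 2 rules * 254 hosts + COMMIT.
batch_line_count() {
    gen_batch "$1" "$2" "$3" | wc -l | tr -d ' '
}

# apply_batch PREFIX IN_CHAIN OUT_CHAIN
# Create (or empty) the two chains, load all rules in one iptables-restore
# call, then insert the jumps at the top of FORWARD only if they are missing.
apply_batch() {
    prefix="$1"; in_chain="$2"; out_chain="$3"
    # -N fails if the chain exists; in that case flush it so re-runs start clean
    iptables -N "$in_chain"  2>/dev/null || iptables -F "$in_chain"
    iptables -N "$out_chain" 2>/dev/null || iptables -F "$out_chain"
    gen_batch "$prefix" "$in_chain" "$out_chain" | iptables-restore -n
    # 'iptables -C' (check) is assumed available (iptables >= 1.4.11);
    # it keeps a second run from adding a second jump to each chain
    iptables -C FORWARD -j "$in_chain"  2>/dev/null || iptables -I FORWARD -j "$in_chain"
    iptables -C FORWARD -j "$out_chain" 2>/dev/null || iptables -I FORWARD -j "$out_chain"
}

# Usage: ./accounting.sh show   (print the batch)
#        ./accounting.sh apply  (load it; needs root)
case "${1:-}" in
    apply) apply_batch "$NET_PREFIX" "$IN_CHAIN" "$OUT_CHAIN" ;;
    show)  gen_batch   "$NET_PREFIX" "$IN_CHAIN" "$OUT_CHAIN" ;;
esac
```

Running it with 'show' first and piping the output through 'iptables-restore -n --test' (where that flag is supported) is a cheap way to confirm the batch parses before it touches the live table. Because the batch never declares or flushes chains, the rules OpenWrt's own firewall script installed stay in place, which addresses the objection raised earlier in the thread to using iptables-restore on OpenWrt.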
