Hi all,

I want to do some per-host accounting on shorewall 4.2.8 to find out
where all the Internet bandwidth usage is going.  This gets kinda
interesting though because I have some virtual/tunnel interfaces on the
shorewall machine.  Specifically I have a 6to4 tunnel as well as
openvpn.

Assumptions: internet interface is eth0.1
             local machines are on br-lan

So first the basics.  It seems that accounting rules of the sort will
account for standard internet usage:

acc_pc:COUNT    -       eth0.1          br-lan:10.75.22.1
acc_pc:COUNT    -       br-lan:10.75.22.1 eth0.1
DONE    acc_pc
acc_j_lt:COUNT  -       eth0.1          br-lan:10.75.22.208
acc_j_lt:COUNT  -       br-lan:10.75.22.208 eth0.1
DONE    acc_j_lt
acc_linux:COUNT -       eth0.1          br-lan:10.75.22.3
acc_linux:COUNT -       br-lan:10.75.22.3 eth0.1
DONE    acc_linux
DONE    -       -               eth0.1
DONE    -       eth0.1          -

This gives me individual chains for each machine as well as an overall
usage of eth0.1 so that I can see if there is something happening that I
am not accounting for.

But now, how are interfaces like tun0 (openvpn) and my "Link
encap:IPv6-in-IPv4" being handled?  They are certainly not going to be
covered by the above rules.  Do I need to add a:

acc_pc:COUNT    -       tun0            br-lan:10.75.22.1
acc_pc:COUNT    -       br-lan:10.75.22.1 tun0

for the openvpn traffic (which ultimately uses eth0.1) as well as:

acc_pc:COUNT    -       sixxs           br-lan:10.75.22.1
acc_pc:COUNT    -       br-lan:10.75.22.1 sixxs

for the "encap:IPv6-in-IPv4" interface?  But shorewall doesn't know
about the "sixxs" interface.

Is there a better way to do all of this?

How can I figure out if I have any "leaks"?  i.e. traffic that is not
being accounted for.  Probably some kind of logging rule might be
appropriate but given that I want all eth0.1 to fall through to the
final two "DONE" rules so that I get a total for the interface, it's not
clear to me where I could log traffic that does not get accounted for by
one of the previous rules/chains.

Thanx,
b.

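One way to answer the "leaks" question from the counters themselves, as an added example that is not part of the original post or of Shorewall: the two whole-interface DONE rules see everything on eth0.1, the acc_* chains see only the listed hosts, so the interface total minus the sum of the acc_* jumps is the traffic no per-host chain caught. It assumes Shorewall's default chain name `accounting`, that the per-host rules render as jumps to acc_* targets and DONE as RETURN, and the counter table is constructed sample data in `iptables -nvx -L` layout rather than a real capture.

```bash
#!/bin/sh
# Added example, not code from the original post or from Shorewall itself.
# Interface total (DONE/RETURN rules) minus the per-host acc_* jumps gives the
# bytes that fell through to the totals without being accounted for per host.
# Assumptions: accounting chain is "accounting", per-host jumps are acc_*,
# DONE renders as RETURN. sample_counters is CONSTRUCTED data; on the
# firewall, replace it with: iptables -t filter -nvx -L accounting
IFACE=${IFACE:-eth0.1}
sample_counters() {
cat <<'EOF'
Chain accounting (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    1200    1500000 acc_pc     all  --  eth0.1 br-lan  0.0.0.0/0            10.75.22.1
     900     200000 acc_pc     all  --  br-lan eth0.1  10.75.22.1           0.0.0.0/0
    2500    3000000 acc_j_lt   all  --  eth0.1 br-lan  0.0.0.0/0            10.75.22.208
    1100     500000 acc_j_lt   all  --  br-lan eth0.1  10.75.22.208         0.0.0.0/0
     300     100000 acc_linux  all  --  eth0.1 br-lan  0.0.0.0/0            10.75.22.3
     200      50000 acc_linux  all  --  br-lan eth0.1  10.75.22.3           0.0.0.0/0
    2400     900000 RETURN     all  --  *      eth0.1  0.0.0.0/0            0.0.0.0/0
    4300    4800000 RETURN     all  --  eth0.1 *       0.0.0.0/0            0.0.0.0/0
EOF
}

# Columns of `iptables -nvx -L`: 1 pkts, 2 bytes, 3 target, 6 in, 7 out.
dir_field() { if [ "$1" = in ]; then echo 6; else echo 7; fi; }

# Bytes the acc_* jumps counted for traffic arriving on (in) / leaving via (out) $IFACE.
per_host_bytes() {
  awk -v f="$(dir_field "$1")" -v i="$IFACE" \
    'NR > 2 && $3 ~ /^acc_/ && $f == i { s += $2 } END { printf "%d\n", s + 0 }'
}

# Bytes the whole-interface DONE (RETURN) rules counted in the same direction.
interface_bytes() {
  awk -v f="$(dir_field "$1")" -v i="$IFACE" \
    'NR > 2 && $3 == "RETURN" && $f == i { s += $2 } END { printf "%d\n", s + 0 }'
}

# Unaccounted bytes in one direction; anything above zero is traffic to chase.
leak_bytes() {
  echo $(( $(sample_counters | interface_bytes "$1") - $(sample_counters | per_host_bytes "$1") ))
}

for d in in out; do
  printf '%-3s interface=%s per-host=%s leak=%s\n' "$d" \
    "$(sample_counters | interface_bytes "$d")" \
    "$(sample_counters | per_host_bytes "$d")" "$(leak_bytes "$d")"
done
```

Splitting by direction tells you whether the missing bytes are inbound or outbound, which narrows down which interface (tun0, the 6to4 tunnel) or host is carrying them.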

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
