On 01/23/2013 10:18 AM, Tom Eastep wrote:
> On 1/23/13 8:31 AM, "Simon Hobson" <[email protected]> wrote:
>
>> Another week, another project!
>>
>> I'm trying to adapt our local setup to collect data at a remote site.
>> Here we don't have the opportunity to put our own router in, so I'm
>> trying to make a small logging box with three NICs.
>> eth0 and eth1 are connected to a bridge with no IP - this will allow the
>> box to be inserted between the site and its internet connection, but the
>> box itself won't be visible to the outside world.
>> eth2 is connected to the internal network.
>>
>> I seem to have most things sorted, but the accounting is a bit of a
>> headache. Probably something simple I've overlooked!
>>
>> According to various bits I've read, such as
>> http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html, and the image it
>> links to at the end,
>> http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
>> I believe I should be seeing traffic bridged between eth0 and eth1
>> being trapped by the FORWARD chain and thus fed into the accounting
>> chain. But I'm not seeing any stats:
>>
>> # iptables -v -n -L accounting
>> Chain accounting (3 references)
>>  pkts bytes target     prot opt in     out     source               destination
>> 60622   13M account-ip all  --  *      *       0.0.0.0/0            0.0.0.0/0
>> 60622   13M acc-serv   all  --  *      *       0.0.0.0/0            0.0.0.0/0
>> # iptables -v -n -L account-ip
>> Chain account-ip (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 total-ip   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
>>     0     0 total-ip   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
>>     0     0 total-ip   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
>>     0     0 total-ip   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
>> 10656  926K total-ip   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
>> 11090  746K total-ip   all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
>>
>> I'll only be looking at eth0, the other interfaces are only included for
>> testing/diagnostics.
>
> Hi Simon,
>
> Please post your interfaces and hosts files.
>
I ask, because what it looks like is that you have not defined eth0 and
eth1 to Shorewall as bridge ports. So the compiler is generating '-i' and
'-o' matches for eth0, which never match when eth0 is a port on a bridge.

To define it as a bridge port, in your interfaces file:

z	br0	-	bridge
-	br0:eth0

Also note that even if you do define eth0 to be a bridge port, when you
place 'eth0' in the DEST column, it will only account for traffic
forwarded from another port on the bridge. That behavior has been in
place since Kernel version 2.6.21.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
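A check a practitioner could run against the counters quoted above, added here as an example and not part of the thread or of Shorewall: it parses `iptables -v -n -L` output and flags every rule whose `-i`/`-o` names an interface enslaved to the bridge, since, as Tom explains, those plain interface matches never fire on bridged traffic. The counter text and the bridge-port list are constructed from the thread; on a live box the port list would come from `ls /sys/class/net/br0/brif`.

```shell
#!/bin/sh
# Constructed sample: the `iptables -v -n -L account-ip` output quoted in the thread.
SAMPLE_COUNTERS='Chain account-ip (1 references)
 pkts bytes target   prot opt in   out  source    destination
    0     0 total-ip all  --  eth0 *    0.0.0.0/0 0.0.0.0/0
    0     0 total-ip all  --  *    eth0 0.0.0.0/0 0.0.0.0/0
    0     0 total-ip all  --  eth1 *    0.0.0.0/0 0.0.0.0/0
    0     0 total-ip all  --  *    eth1 0.0.0.0/0 0.0.0.0/0
10656  926K total-ip all  --  eth2 *    0.0.0.0/0 0.0.0.0/0
11090  746K total-ip all  --  *    eth2 0.0.0.0/0 0.0.0.0/0'

# Constructed: interfaces enslaved to the bridge. On a live box this would be
# the output of `ls /sys/class/net/br0/brif`.
BRIDGE_PORTS='eth0 eth1'

# Print one line per rule whose in/out interface is a bridge port. A plain
# -i/-o match on a port never fires for bridged traffic (the IP layer sees
# the packet on br0, not on the port), so the counter stays at zero.
# Arguments: $1 = iptables -v -n -L output, $2 = space-separated port list.
flag_bridge_port_rules() {
  printf '%s\n' "$1" | awk -v ports="$2" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) isport[p[i]] = 1 }
    /^Chain/ || /^ *pkts/ { next }   # skip the chain header and the column header
    NF >= 7 {
      # columns: pkts bytes target prot opt in out source destination
      inp = $6; outp = $7
      if (inp in isport)       printf "-i %s: %s pkts (bridge port, rule never matches)\n", inp, $1
      else if (outp in isport) printf "-o %s: %s pkts (bridge port, rule never matches)\n", outp, $1
    }'
}

# Number of such rules; 0 means no plain -i/-o match in the chain names a
# bridge port, which is the state to aim for once the port is declared as
# br0:eth0 in the interfaces file.
count_bridge_port_rules() {
  flag_bridge_port_rules "$1" "$2" | awk 'END { print NR }'
}

flag_bridge_port_rules "$SAMPLE_COUNTERS" "$BRIDGE_PORTS"
```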
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
