On 02/16/2017 08:38 AM, Simon Hobson wrote:
> I wrote:
>
>> I've had accounting (counting traffic by IP) running for ages on
>> other routers (ethernet interfaces), but I'm struggling to get
>> it going on a newer one with a PPPoE interface. Everything looks
>> OK in terms of the iptables rules setup - but I'm just not
>> getting reasonable figures. Does anyone know if there's anything
>> special about PPP interfaces for this?
>>
>> System is Debian Wheezy, running as a VM under Xen, and with
>> Shorewall 4.5.5.3
>>
>>
>> Anyone see something silly I've overlooked (that's my usual
>> problem, too close, can't see things right in front of me)?
>
> Ah, I think I may have spotted the issue. There is another key
> difference between this router and the others - this one is doing
> NAT (combination of masq and DNAT rules). I've observed that if I
> send traffic (eg sustained pings with large packets) to an address
> the router answers - then I see sensible amounts of traffic
> counted. If I DNAT all traffic on an IP to an internal host, then I
> see no traffic counted. So it looks like the accounting is done
> before outbound masq, and after inbound DNAT rules - hence the
> rules using the outside addresses just don't match.
>
> Is there any way to fix this?
>
Partially. With ACCOUNTING_TABLE=mangle, rules in the PREROUTING section
of the accounting file are traversed prior to DNAT. Unfortunately, rules
in the POSTROUTING section are still traversed before SNAT/MASQUERADE.
See http://www.shorewall.org/NetfilterOverview.html.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
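
The traversal order described in the reply above, as an added example that is not part of the original thread or of Shorewall: a simplified Python model of a forwarded packet, showing which addresses a counting rule sees at each point. All addresses and function names are constructed for illustration, and connection tracking is reduced to one static DNAT and one masquerade rule.

```python
from dataclasses import dataclass, replace

# Constructed sample addresses (documentation and private ranges).
PUBLIC_IP = "203.0.113.10"    # router's outside address on the PPPoE link
INTERNAL_IP = "192.168.1.20"  # internal host behind DNAT / masquerade
REMOTE_IP = "198.51.100.7"    # an Internet peer

# Order in which a forwarded packet meets (chain, table) pairs.
FORWARD_PATH = [
    ("PREROUTING", "mangle"), ("PREROUTING", "nat"),
    ("FORWARD", "mangle"), ("FORWARD", "filter"),
    ("POSTROUTING", "mangle"), ("POSTROUTING", "nat"),
]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def apply_nat(chain, pkt):
    """DNAT happens in PREROUTING, masquerade (SNAT) in POSTROUTING."""
    if chain == "PREROUTING" and pkt.dst == PUBLIC_IP:
        return replace(pkt, dst=INTERNAL_IP)
    if chain == "POSTROUTING" and pkt.src == INTERNAL_IP:
        return replace(pkt, src=PUBLIC_IP)
    return pkt

def trace(pkt):
    """Map each (chain, table) to the packet as rules at that point see it."""
    seen = {}
    for chain, table in FORWARD_PATH:
        seen[(chain, table)] = pkt      # rules match before any rewrite here
        if table == "nat":
            pkt = apply_nat(chain, pkt)
    return seen

def counts_public_ip(pkt, hook):
    """Would an accounting rule keyed on PUBLIC_IP at `hook` match pkt?"""
    view = trace(pkt)[hook]
    return PUBLIC_IP in (view.src, view.dst)

inbound = Packet(src=REMOTE_IP, dst=PUBLIC_IP)     # gets DNATed
outbound = Packet(src=INTERNAL_IP, dst=REMOTE_IP)  # gets masqueraded

if __name__ == "__main__":
    hooks = [("PREROUTING", "mangle"), ("FORWARD", "filter"),
             ("POSTROUTING", "mangle")]
    for name, pkt in (("inbound", inbound), ("outbound", outbound)):
        for hook in hooks:
            print(f"{name:8} {hook[0]:11} {hook[1]:6} "
                  f"matches public IP: {counts_public_ip(pkt, hook)}")
```

In this model only the inbound packet at mangle PREROUTING still carries the outside address; the outbound packet never does at any accounting point, which is why the fix is only partial.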
