* [gentoo-user] iptraf vs iptables (mangle & access)
@ 2007-03-01 19:21 CapSel
From: CapSel @ 2007-03-01 19:21 UTC
To: gentoo-user
I'm trying to count bandwidth and number of packets on my router with rules
like:
iptables -t mangle -A PREROUTING -i eth0 -j stats
iptables -t mangle -A POSTROUTING -o eth0 -j stats
iptables -t mangle -A stats -p tcp -s $ip -j ACCEPT
iptables -t mangle -A stats -p udp -s $ip -j ACCEPT
iptables -t mangle -A stats -p icmp -s $ip -j ACCEPT
iptables -t mangle -A stats -p tcp -d $ip -j ACCEPT
iptables -t mangle -A stats -p udp -d $ip -j ACCEPT
iptables -t mangle -A stats -p icmp -d $ip -j ACCEPT
Chain stats has policy set to ACCEPT.
My script reads these values every minute and sets them to zero.
The problem is that the number of packets is more than twice what iptraf
shows, but the bandwidth seems to be correct. Of course I divide those
numbers by 60 to get the value per second.
Why is this difference so big, what could I have done wrong?
* [gentoo-user] Re: iptraf vs iptables (mangle & access)
From: CapSel @ 2007-03-01 19:52 UTC
To: gentoo-user
Values taken from ifconfig show the same values as my firewall :)
Why
On 3/1/07, CapSel <capsel@gmail.com> wrote:
>
> I'm trying to count bandwidth and number of packets on my router with
> rules like:
>
> iptables -t mangle -A PREROUTING -i eth0 -j stats
> iptables -t mangle -A POSTROUTING -o eth0 -j stats
>
> iptables -t mangle -A stats -p tcp -s $ip -j ACCEPT
> iptables -t mangle -A stats -p udp -s $ip -j ACCEPT
> iptables -t mangle -A stats -p icmp -s $ip -j ACCEPT
>
> iptables -t mangle -A stats -p tcp -d $ip -j ACCEPT
> iptables -t mangle -A stats -p udp -d $ip -j ACCEPT
> iptables -t mangle -A stats -p icmp -d $ip -j ACCEPT
>
> Chain stats has policy set to ACCEPT.
>
> My script reads these values every minute and sets them to zero.
> The problem is that the number of packets is more than twice what iptraf
> shows, but the bandwidth seems to be correct. Of course I divide those
> numbers by 60 to get the value per second.
>
> Why is this difference so big, what could I have done wrong?
>
* Re: [gentoo-user] iptraf vs iptables (mangle & access)
From: Boyd Stephen Smith Jr. @ 2007-03-01 21:59 UTC
To: gentoo-user
On Thursday 01 March 2007, CapSel <capsel@gmail.com> wrote
about '[gentoo-user] iptraf vs iptables (mangle & access)':
> I'm trying to count bandwidth and number of packets on my router with
> rules like:
>
> iptables -t mangle -A PREROUTING -i eth0 -j stats
> iptables -t mangle -A POSTROUTING -o eth0 -j stats
>
> iptables -t mangle -A stats -p tcp -s $ip -j ACCEPT
> iptables -t mangle -A stats -p udp -s $ip -j ACCEPT
> iptables -t mangle -A stats -p icmp -s $ip -j ACCEPT
>
> iptables -t mangle -A stats -p tcp -d $ip -j ACCEPT
> iptables -t mangle -A stats -p udp -d $ip -j ACCEPT
> iptables -t mangle -A stats -p icmp -d $ip -j ACCEPT
>
> Chain stats has policy set to ACCEPT.
>
> My script reads these values every minute and sets them to zero.
> The problem is that the number of packets is more than twice what iptraf
> shows, but the bandwidth seems to be correct.
That would be correct, since every forwarded packet passes through both the
pre-routing and post-routing chains, so you are counting every packet (at
least those that are not dropped in the FORWARD chain) twice.
--
Boyd Stephen Smith Jr.
bss03@volumehost.net
ICQ: 514984 YM/AIM: DaTwinkDaddy
http://iguanasuicide.org/
New GPG Key! Old key expires 2007-03-25. Upgrade NOW!
* Re: [gentoo-user] iptraf vs iptables (mangle & access)
From: CapSel @ 2007-03-02 14:08 UTC
To: gentoo-user
On 3/1/07, Boyd Stephen Smith Jr. <bss03@volumehost.net> wrote:
>
> That would be correct, since every forwarded packet passes through both the
> pre-routing and post-routing chains, so you are counting every packet (at
> least those that are not dropped in the FORWARD chain) twice.
I don't fully understand how it is possible that my rules count a packet
twice, could you explain it more briefly?
I specified -i eth0 in PREROUTING and -o eth0 in POSTROUTING. Isn't this the
correct way to count packets only once? ...and I'm getting values only from
chain 'stats', which is called only from PREROUTING and POSTROUTING, with
the network interface specified according to the direction (-i/-o eth0).
So in my opinion a packet traveling through the router to my network passes
only once through 'stats', as it is accepted only in PREROUTING with -i eth0
and not in POSTROUTING with -o eth0, since it goes out from eth1. Am I correct?
* Re: [gentoo-user] iptraf vs iptables (mangle & access)
From: CapSel @ 2007-03-02 15:14 UTC
To: gentoo-user
On 3/2/07, Daniel Iliev <danny@ilievnet.com> wrote:
>
> CapSel wrote:
> > On 3/1/07, *Boyd Stephen Smith Jr.* <bss03@volumehost.net
> > <mailto:bss03@volumehost.net>> wrote:
> >
> > That would be correct, since every forwarded packet passes through
> > both the
> > pre-routing and post-routing chains, so you are counting every
> > packet (at
> > least those that are not dropped in the FORWARD chain) twice.
> >
> >
> > I don't fully understand how it is possible that my rules count a
> > packet twice, could you explain it more briefly?
> >
> > I specified -i eth0 in PREROUTING and -o eth0 in POSTROUTING. Isn't
> > this the correct way to count packets only once? ...and I'm getting values
> > only from chain 'stats', which is called only from PREROUTING and
> > POSTROUTING, with the network interface specified according to the direction
> > (-i/-o eth0).
> > So in my opinion a packet traveling through the router to my network
> > passes only once through 'stats', as it is accepted only in PREROUTING
> > with -i eth0 and not in POSTROUTING with -o eth0, since it goes out from
> > eth1. Am I correct?
>
>
> Perhaps this packet travel diagram will help:
>
> http://www.linuxnetmag.com/share/issue9/iptables3.jpg
To be totally sure - when a packet arrives from the internet on eth0 it passes
through PREROUTING as a packet "that comes from eth0", then it travels across
FORWARD as a packet "that comes from eth0 toward eth1", and finally it goes to
POSTROUTING as a packet "that wants to come out through eth1"? And if I have
the rules:
-t mangle -A PREROUTING -i eth0 -j stats
-t mangle -A POSTROUTING -o eth0 -j stats
(there are no other rules that jump to stats, and these are the only rules in
the mangle table)
how many times would the packet pass through 'stats'?
From which places on this diagram does iptraf take its values?
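The packet-path question above, and Boyd's earlier point that a forwarded packet traverses both PREROUTING and POSTROUTING, can be checked against a small model of netfilter hook order. This is an added example, not code from the thread or from iptables; it assumes the mangle table's standard five hooks and models only the -i/-o matches on the two jump rules, so the -s/-d rules inside stats are treated as counting each arriving packet exactly once.

```python
from dataclasses import dataclass
from typing import Optional

# Netfilter hook order for each kind of packet; the mangle table has a
# chain at every one of these hooks.
PATHS = {
    "forward": ("PREROUTING", "FORWARD", "POSTROUTING"),  # routed through the box
    "input":   ("PREROUTING", "INPUT"),                    # addressed to the router
    "output":  ("OUTPUT", "POSTROUTING"),                  # generated by the router
}

@dataclass(frozen=True)
class Packet:
    path: str                     # "forward", "input" or "output"
    in_if: Optional[str] = None   # arrival interface, None if locally generated
    out_if: Optional[str] = None  # exit interface, None if locally delivered

@dataclass(frozen=True)
class Jump:
    """One '-t mangle -A <chain> [-i IF] [-o IF] -j stats' rule (hypothetical model)."""
    chain: str
    in_if: Optional[str] = None   # -i match; None means any interface
    out_if: Optional[str] = None  # -o match; None means any interface

def stats_hits(rules, pkt):
    """How many times pkt enters 'stats' while walking its hooks in order."""
    hits = 0
    for hook in PATHS[pkt.path]:
        for r in rules:
            if r.chain != hook:
                continue
            if r.in_if is not None and r.in_if != pkt.in_if:
                continue
            if r.out_if is not None and r.out_if != pkt.out_if:
                continue
            hits += 1  # the jump fires; the -s/-d rules in stats then count it once
    return hits

# The thread's jumps: -i eth0 in PREROUTING, -o eth0 in POSTROUTING.
THREAD_RULES = (Jump("PREROUTING", in_if="eth0"), Jump("POSTROUTING", out_if="eth0"))
# The same jumps with no interface match at all.
UNRESTRICTED = (Jump("PREROUTING"), Jump("POSTROUTING"))

# Constructed sample packets for the cases raised in the thread.
INBOUND = Packet("forward", in_if="eth0", out_if="eth1")   # internet -> LAN
OUTBOUND = Packet("forward", in_if="eth1", out_if="eth0")  # LAN -> internet
HAIRPIN = Packet("forward", in_if="eth0", out_if="eth0")   # in and out on eth0
TO_ROUTER = Packet("input", in_if="eth0")
FROM_ROUTER = Packet("output", out_if="eth0")
```

With the thread's -i/-o restricted jumps, stats_hits returns 1 for INBOUND, OUTBOUND, TO_ROUTER and FROM_ROUTER and 2 only for HAIRPIN, whereas the unrestricted jumps return 2 for every forwarded packet, which is the double counting Boyd describes.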