RE: IPTables counters

RE: IPTables counters

[George Vieira]

[-- Attachment #1: Type: text/plain, Size: 1540 bytes --]

What I do is put the rule you want to count in the FORWARD chain... even
better use my counting method to be more accurate..
 
$IPTABLES -N COUNT
$IPTABLES -I INPUT 1 -j COUNT
$IPTABLES -I OUTPUT 1 -j COUNT
$IPTABLES -I FORWARD 1 -j COUNT
 
then add all you counters you require into the COUNT chain.. this is what
I'm currently doing for my scripts.. Also I'm rewriting my script to only
flush all chains BUT my counters so I don't lose them when I rerun my
firewall.. still in testing.......

thanks,
George Vieira
Systems Manager
Citadel Computer Systems P/L
http://www.citadelcomputer.com.au <http://www.citadelcomputer.com.au/> 

-----Original Message-----
From: Dotan Lior [mailto:Lior.Dotan@innowave-ws.com]
Sent: Tuesday, 09 July 2002 11:41 PM
To: 'netfilter@lists.samba.org'
Subject: IPTables counters



Hello, 

I have a simple setup. A linux RH7.3 box doing NAT and connected to the
internet with one windows2000 client sitting behind it. I've set up iptables
to NAT the windows internal address to a legal IP address.

So far it works well, However when I inspect the NAT table with "iptables -L
-t nat -v -n -x", 
the bytes counter shows extremely low values. I've transfer a 200Kb file via
FTP on the windows 
client, but the counter was less than 100 bytes. It seems as if only the
first packet of a connection 
is listed. 
Is there a way to see the real bytes count? Also I would to know the number
of bytes that traveled 
on both ways (from the client and to the client), is that also possible
using iptables? 

Thanks. 


[-- Attachment #2: Type: text/html, Size: 3400 bytes --]

Re: IPTables counters

[Antony Stone]

On Tuesday 09 July 2002 2:41 pm, Dotan Lior wrote:

> Hello,
>
> So far it works well, However when I inspect the NAT table with "iptables
> -L -t nat -v -n -x", the bytes counter shows extremely low values. I've
> transfer a 200Kb file via FTP on the windows client, but the counter was
> less than 100 bytes. It seems as if only the first packet of a connection
> is listed.

That is correct.   Only the first packet goes through the listed NAT rules - 
the others go directly via the connection tracking table and not through the 
rules (for efficiency).

> Is there a way to see the real bytes count? Also I would to know the number
> of bytes that traveled on both ways (from the client and to the client), is
> that also possible using iptables?

Yes, simply look at the filter table (ie the default one) instead of the NAT 
table.

*All* packets pass through your filtering rules (that's why you need the 
rules for ESTABLISHED and RELATED packets), so just use

iptables -L -n -v -x without the -t nat option.

Remember you can create rules without targets if you want to see the 
packet/byte counters for them without doing anything else:

eg iptables -A FORWARD -i eth0
iptables -A FORWARD -i eth1

 

Antony.

IPTables counters

[Dotan Lior]

[-- Attachment #1: Type: text/plain, Size: 717 bytes --]

Hello,

I have a simple setup. A linux RH7.3 box doing NAT and connected to the
internet with one windows2000 client sitting behind it. I've set up iptables
to NAT the windows internal address to a legal IP address.
So far it works well, However when I inspect the NAT table with "iptables -L
-t nat -v -n -x", 
the bytes counter shows extremely low values. I've transfer a 200Kb file via
FTP on the windows
client, but the counter was less than 100 bytes. It seems as if only the
first packet of a connection
is listed.
Is there a way to see the real bytes count? Also I would to know the number
of bytes that traveled
on both ways (from the client and to the client), is that also possible
using iptables?

Thanks.

[-- Attachment #2: Type: text/html, Size: 1384 bytes --]