[linux] Ip accounting
bodik
bodik at inmail.sk
Tue Jan 14 19:19:52 CET 2003
Hi,
I've already swapped it; unfortunately I don't know much about this, and regarding accounting with iptables I haven't found anything on the web :(
Here is the listing from rc.masq_firewall:
IPTABLES="/sbin/iptables"
# external IP
EXTIF="eth1"
# masqueraded network
INTIF="eth0"
echo " clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
and here from rc.accounting:
EXTERNAL_INTERFACE="eth1"
IPTABLES="iptables"
INTERNAL_HOSTS=" 192.168.0.1 192.168.0.2 192.168.0.3 "
for HOST in $INTERNAL_HOSTS; do
echo "Creating Chain for $HOST"
$IPTABLES -N $HOST
# incoming jump rule
$IPTABLES -A FORWARD -o $EXTERNAL_INTERFACE -d $HOST -j $HOST
# outgoing jump rule
$IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -s $HOST -j $HOST
# incoming accounting chain
$IPTABLES -A $HOST -o $EXTERNAL_INTERFACE -d $HOST
# outgoing accounting chain
$IPTABLES -A $HOST -i $EXTERNAL_INTERFACE -s $HOST
done;
iptables -L -nvx prints:
Chain INPUT (policy ACCEPT 554 packets, 50657 bytes)
    pkts      bytes target     prot opt in     out     source               destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     661     441423 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
     782      90770 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0
       0          0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
       0          0 192.168.0.1  all  --  *      eth1    0.0.0.0/0            192.168.0.1
       0          0 192.168.0.1  all  --  eth1   *       192.168.0.1          0.0.0.0/0
       0          0 192.168.0.2  all  --  *      eth1    0.0.0.0/0            192.168.0.2
       0          0 192.168.0.2  all  --  eth1   *       192.168.0.2          0.0.0.0/0
       0          0 192.168.0.3  all  --  *      eth1    0.0.0.0/0            192.168.0.3
       0          0 192.168.0.3  all  --  eth1   *       192.168.0.3          0.0.0.0/0
Chain OUTPUT (policy ACCEPT 381 packets, 115048 bytes)
    pkts      bytes target     prot opt in     out     source               destination
Chain 192.168.0.1 (2 references)
    pkts      bytes target     prot opt in     out     source               destination
       0          0            all  --  *      eth1    0.0.0.0/0            192.168.0.1
       0          0            all  --  eth1   *       192.168.0.1          0.0.0.0/0
Chain 192.168.0.2 (2 references)
    pkts      bytes target     prot opt in     out     source               destination
       0          0            all  --  *      eth1    0.0.0.0/0            192.168.0.2
       0          0            all  --  eth1   *       192.168.0.2          0.0.0.0/0
Chain 192.168.0.3 (2 references)
    pkts      bytes target     prot opt in     out     source               destination
       0          0            all  --  *      eth1    0.0.0.0/0            192.168.0.3
       0          0            all  --  eth1   *       192.168.0.3          0.0.0.0/0
So it counts the traffic for the whole interface, but not per host. What should I set up differently here? A link to some website would also help.
Thanks
----- Original Message -----
From: "Juraj Bednar" <juraj na bednar.sk>
To: <linux na lists.linux.sk>
Sent: Monday, January 13, 2003 10:40 PM
Subject: Re: [linux] Ip accounting
> Hi,
>
> > $IPTABLES -N $HOST
> > $IPTABLES -A FORWARD -o $EXTERNAL_INTERFACE -d $HOST -j HOST
>
> You're missing a $. If you have -o $EXTERNAL_INTERFACE, it certainly won't be going to host
> $HOST, rather it'll be coming from it, so swap -o and -d.
>
> > $IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -s $HOST -j $HOST
> > $IPTABLES -A $HOST -o $EXTERNAL_INTERFACE -d $HOST
> > $IPTABLES -A $HOST -i $EXTERNAL_INTERFACE -s $HOST
>
> ...
>
>
> J.
>
>
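The zero counters in the listing above have two causes that can be read straight off the `iptables -L -nvx` output. First, the pairing Juraj points at: in the FORWARD chain a LAN packet that will leave through eth1 still carries the LAN host as its *source* (SNAT is applied later, in POSTROUTING), and a reply arriving on eth1 already carries the LAN host as its *destination* (conntrack reverses the NAT in PREROUTING), so `-o eth1 -d $HOST` and `-i eth1 -s $HOST` never match. Second, rc.accounting appends its jump rules with `-A FORWARD` after rc.masq_firewall has already appended `-i eth0 -o eth1 -j ACCEPT`; ACCEPT is terminating, so outbound LAN traffic is accepted before it reaches the accounting jumps (inserting the jumps with `-I FORWARD`, or loading rc.accounting before the ACCEPT rules, avoids this). The script below is an added example, not code from the thread: it parses the poster's listing (embedded as a constructed sample, INPUT/OUTPUT omitted) and reports idle per-host chains, the inverted source/destination pairings, and, as a deliberately conservative heuristic, accounting jumps that sit behind a catch-all terminating rule on an overlapping interface pair.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample: the FORWARD and per-host chains from the `iptables -L -nvx`
# listing in the mail, columns re-aligned, counters exactly as reported.
LISTING = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     661     441423 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
     782      90770 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0
       0          0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
       0          0 192.168.0.1  all  --  *      eth1    0.0.0.0/0            192.168.0.1
       0          0 192.168.0.1  all  --  eth1   *       192.168.0.1          0.0.0.0/0
       0          0 192.168.0.2  all  --  *      eth1    0.0.0.0/0            192.168.0.2
       0          0 192.168.0.2  all  --  eth1   *       192.168.0.2          0.0.0.0/0
       0          0 192.168.0.3  all  --  *      eth1    0.0.0.0/0            192.168.0.3
       0          0 192.168.0.3  all  --  eth1   *       192.168.0.3          0.0.0.0/0
Chain 192.168.0.1 (2 references)
    pkts      bytes target     prot opt in     out     source               destination
       0          0            all  --  *      eth1    0.0.0.0/0            192.168.0.1
       0          0            all  --  eth1   *       192.168.0.1          0.0.0.0/0
Chain 192.168.0.2 (2 references)
    pkts      bytes target     prot opt in     out     source               destination
       0          0            all  --  *      eth1    0.0.0.0/0            192.168.0.2
       0          0            all  --  eth1   *       192.168.0.2          0.0.0.0/0
Chain 192.168.0.3 (2 references)
    pkts      bytes target     prot opt in     out     source               destination
       0          0            all  --  *      eth1    0.0.0.0/0            192.168.0.3
       0          0            all  --  eth1   *       192.168.0.3          0.0.0.0/0
"""

PROTOCOLS = {"all", "tcp", "udp", "icmp", "esp", "ah", "sctp"}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


class Rule(NamedTuple):
    pkts: int
    target: str      # '' for a pure counting rule (no -j)
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str       # trailing match text, e.g. 'state RELATED,ESTABLISHED'


def parse_listing(text: str) -> Dict[str, List[Rule]]:
    """Parse `iptables -L -nvx` output into {chain name: [rules in order]}."""
    chains: Dict[str, List[Rule]] = {}
    current: Optional[List[Rule]] = None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "pkts":          # blank or column header
            continue
        if tok[0] == "Chain":
            current = chains.setdefault(tok[1], [])
            continue
        if tok[2] in PROTOCOLS or tok[2].isdigit():   # empty target column
            tok.insert(2, "")
        pkts, _bytes, target, _prot, _opt, in_if, out_if, src, dst = tok[:9]
        assert current is not None, "rule line before any 'Chain' header"
        current.append(Rule(int(pkts), target, in_if, out_if, src, dst, " ".join(tok[9:])))
    return chains


def direction_errors(chains: Dict[str, List[Rule]], ext_if: str,
                     hosts: List[str]) -> List[Tuple[str, int, str]]:
    """Rules pairing -o ext_if with -d LAN host, or -i ext_if with -s LAN host,
    can never match in FORWARD (see the NAT ordering explained in the lead-in)."""
    errs = []
    for name, rules in chains.items():
        for i, r in enumerate(rules):
            if r.out_if == ext_if and r.dst in hosts:
                errs.append((name, i, f"-o {ext_if} -d {r.dst}: outbound traffic has this host as -s"))
            elif r.in_if == ext_if and r.src in hosts:
                errs.append((name, i, f"-i {ext_if} -s {r.src}: inbound traffic has this host as -d"))
    return errs


def iface_overlap(a: str, b: str) -> bool:
    return a == "*" or b == "*" or a == b


def shadowed_jumps(chains: Dict[str, List[Rule]], chain_name: str = "FORWARD") -> List[Tuple[int, int]]:
    """Heuristic: a jump into a user (accounting) chain placed after a catch-all
    terminating rule on an overlapping interface pair never sees that traffic.
    Returns (jump rule index, shadowing rule index) pairs."""
    rules = chains[chain_name]
    found = []
    for i, r in enumerate(rules):
        if r.target not in chains:               # only jumps into user chains
            continue
        for j in range(i):
            e = rules[j]
            if (e.target in TERMINATING and not e.extra
                    and e.src == "0.0.0.0/0" and e.dst == "0.0.0.0/0"
                    and iface_overlap(e.in_if, r.in_if) and iface_overlap(e.out_if, r.out_if)):
                found.append((i, j))
                break
    return found


def idle_accounting_chains(chains: Dict[str, List[Rule]], hosts: List[str]) -> List[str]:
    """Per-host chains whose every rule still shows zero packets."""
    return [h for h in hosts if h in chains and all(r.pkts == 0 for r in chains[h])]


if __name__ == "__main__":
    chains = parse_listing(LISTING)
    hosts = ["192.168.0.1", "192.168.0.2", "192.168.0.3"]
    print("idle accounting chains:", idle_accounting_chains(chains, hosts))
    for name, i, why in direction_errors(chains, "eth1", hosts):
        print(f"{name} rule {i}: {why}")
    for i, j in shadowed_jumps(chains):
        print(f"FORWARD rule {i} (-j {chains['FORWARD'][i].target}) sits behind terminating rule {j}")
```

Run against the listing, the script reports all three per-host chains idle, twelve inverted source/destination pairings (six in FORWARD, two in each accounting chain), and the three outbound jumps shadowed by the `-i eth0 -o eth1 -j ACCEPT` rule. The inbound jumps are not flagged because the rule in front of them carries a `state` match, which the heuristic treats as narrower than a catch-all; in practice they are equally useless until the `-s`/`-d` pairing is fixed.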