
I need to keep a running total of the number of bytes passed between my server and a remote server (port unspecific). I would like to keep this running total written in a file. I'm a bit new to IPtables but I'm unsure if I would need to queue all of the matched packets to be processed by a script (don't know python, but a total byte read likely wouldn't be too hard). IPtables seems like it could do this out of the box with a log but the documentation is burying me a little bit.

iptables -I INPUT 1 -s <remote ip>/8 -j QUEUE ???
iptables -I OUTPUT 1 -d <remote ip>/8 -j QUEUE ???

Any help on pointing it to a python file or an iptables chain that would handle this out of the box would be great.

macmeyers50

1 Answer


You do not need to specify a jump target. Select the packets you wish to count, done.

-j, --jump target

This specifies the target of the rule; i.e., what to do if the packet matches it. [..]

If this option is omitted in a rule (and -g is not used), then matching the rule will have no effect on the packet's fate, but the counters on the rule will be incremented.

Things to keep in mind:

  • add some explanation for anyone reviewing these rules in the future
  • few own /8 ipv4 blocks, try to be more specific so you do not count neighboring traffic
  • add analogous ipv6 rules
  • NATing or DROPing packets in other tables can result in over- or under-counting, depending on what it is you actually wish to measure
  • depending on your OS, counters in iptables might not be reliably restored after reboot or configuration changes

Example:

iptables -I INPUT 1 -s 192.0.2.1/32 -m comment --comment "billing: example company"
ip6tables -I INPUT 1 -s 2001:db8::1/128 -m comment --comment "billing: example company"
iptables -I OUTPUT 1 -d 192.0.2.1/32 -m comment --comment "billing: example company"
ip6tables -I OUTPUT 1 -d 2001:db8::1/128 -m comment --comment "billing: example company"

Verify with iptables -L | grep example ; ip6tables -L | grep example

anx
  • I've been trying to do exactly this for the same reason but using `ntop`, so if I can use `nftables` this would be much lower impact, if you're able to help, my question is here... https://serverfault.com/questions/1017986/can-i-limit-the-scope-of-ntop-to-only-monitor-a-specific-connection and I'd be happy to accept a helpful answer :) – oucil May 25 '20 at 16:10
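The asker wanted the running total written to a file, and the answer points out that counters may not survive reboots or rule reloads. The following script is an added example, not part of the question or answer, that ties the two together: it reads the byte counters of the four comment-tagged rules from the answer, sums them, and keeps a running total that is robust to the counter being reset. Assumptions: the rules exist with the comment "billing: example company" (from the answer), the state and log paths are hypothetical, and the embedded counter dump is constructed sample output in the format of `iptables -L <chain> -v -n -x`.

```shell
#!/bin/sh
# Added example (not from the original answer): sum the byte counters of all
# rules carrying a given --comment and maintain a running total across counter
# resets. Assumes the four tagged rules from the answer are installed.

TAG="billing: example company"                        # --comment text on the rules
STATE_FILE="${STATE_FILE:-/var/lib/billing-example.state}"  # hypothetical path
TOTALS_FILE="${TOTALS_FILE:-/var/log/billing-example.log}"  # hypothetical path

# Constructed sample in the layout of `iptables -L INPUT -v -n -x`; rules with
# no jump target leave the "target" column blank, so bytes stay in column 2.
SAMPLE_COUNTERS='Chain INPUT (policy ACCEPT 1000 packets, 500000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120      98765            all  --  *      *       192.0.2.1            0.0.0.0/0            /* billing: example company */
      10       1234            all  --  *      *       198.51.100.7         0.0.0.0/0            /* billing: other tenant */
Chain OUTPUT (policy ACCEPT 900 packets, 400000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      80      43210            all  --  *      *       0.0.0.0/0            192.0.2.1            /* billing: example company */'

# sum_tagged_bytes TAG: read counter dump on stdin, print the sum of the bytes
# column for every rule whose comment is exactly TAG.
sum_tagged_bytes() {
    awk -v tag="$1" '
        # Data rows begin with a numeric packet count; the "Chain ..." and
        # "pkts bytes ..." header lines do not and are skipped.
        $1 ~ /^[0-9]+$/ && index($0, "/* " tag " */") { sum += $2 }
        END { printf "%d\n", sum + 0 }
    '
}

# collect_counters: dump INPUT and OUTPUT for both address families.
# -x prints exact byte counts (no K/M/G suffixes), -n skips DNS lookups.
collect_counters() {
    for tool in iptables ip6tables; do
        for chain in INPUT OUTPUT; do
            "$tool" -L "$chain" -v -n -x 2>/dev/null
        done
    done
}

# update_running_total STATE_FILE CURRENT: add the increase since the last
# reading to the running total stored in STATE_FILE and print the new total.
update_running_total() {
    state_file=$1
    current=$2
    last=0
    total=0
    if [ -f "$state_file" ]; then
        read -r last total < "$state_file"
    fi
    if [ "$current" -ge "$last" ]; then
        delta=$((current - last))
    else
        # Counter went backwards: it was reset (reboot, rule reload). Bytes
        # passed between the reset and our previous reading cannot be recovered,
        # so only what accumulated since the reset is added.
        delta=$current
    fi
    total=$((total + delta))
    printf '%s %s\n' "$current" "$total" > "$state_file"
    printf '%s\n' "$total"
}

# record_total: one sampling run, meant to be called from cron.
record_total() {
    current=$(collect_counters | sum_tagged_bytes "$TAG")
    total=$(update_running_total "$STATE_FILE" "$current")
    printf '%s %s\n' "$(date +%s)" "$total" >> "$TOTALS_FILE"
}

# Only touch iptables and the files when invoked as: ./billing-total.sh --record
case "${1:-}" in
    --record) record_total ;;
esac
```

Run it from cron (for example every five minutes with `--record`); sampling more often than the counters can wrap or be reset keeps the lost window small. Because the rules have no jump target they only count, so the script never changes what is accepted or dropped.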