
I have a router with a firewall (with a DROP policy), NATs, and services.

  1. I want to account for all actual traffic (input before the firewall, output by services, and passed by the firewall when forwarding), with its "actual" src/dst (i.e. before SNAT and after DNAT).

  2. Also (with lower priority) I might want to see traffic that was blocked by the firewall (by a rule or the policy of the input filter and the forward filter).

What is the correct place to put the accounting rule? How do I differentiate accepted and rejected traffic?

QwiglyDee

1 Answer

  1. There are three main chains that catch all traffic: INPUT, OUTPUT, and FORWARD. Put appropriate rules in all of them to see every kind of traffic.
  2. There is no direct way to do this. There is no chain (by default) that catches dropped/rejected traffic, and there is no flag in the packet itself to signify that it will be dropped. So you need to create a custom chain and direct all rejected traffic into it instead of just to DROP/REJECT. Then, inside that chain, mark these packets somehow, for example by changing the TOS field to 255, then pass them to -j NETFLOW, and finally -j DROP/REJECT. Of course, you should also clear the value 255 from the TOS field of legitimate packets.
catpnosis
  • I cannot put -j NETFLOW in the FORWARD chain, because there are accept/reject firewall rules there. I need to make a separate chain with a single rule and replace the firewall rules with -j accept_and_account. Or, alternatively, I can put the NETFLOW rule at the start of the POSTROUTING chain, catching both forward and output traffic at once. The question is: will I lose some information there? – QwiglyDee Jul 18 '16 at 16:12
  • @qMax With the accept_and_account approach you will need to add a final accept_and_account rule to the FORWARD chain (assuming the default policy is ACCEPT). I don't understand your POSTROUTING idea. It's useless to put accounting rules into the nat table. Mangle's POSTROUTING [is before nat](http://inai.de/images/nf-packet-flow.png), so you will possibly miss some NAT translations. – catpnosis Jul 18 '16 at 20:02
  • @qMax Put the REJECT rules into the FORWARD chain *first*, then NETFLOW, and then the ACCEPT rules (or just drop them altogether, as they are meaningless in this case). – catpnosis Jul 18 '16 at 20:05
  • I have a DROP policy in FORWARD – QwiglyDee Jul 19 '16 at 20:42
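Putting the answer and the comment thread together as an added example (this is not code posted by the asker or the answerer): a POSIX shell script that emits an iptables-restore ruleset for the filter table with two accounting chains, ACCT_ACCEPT (NETFLOW, then ACCEPT) and ACCT_DROP (flag, NETFLOW, then DROP), plus a small checker that fails if any INPUT or FORWARD rule reaches a verdict without passing through one of them. The interface names wan0/lan0, the DNAT target 192.0.2.10, the service ports, the chain names and the mark value 0xff are assumptions. Two points the example bakes in: the filter table is where a packet is already DNATed but not yet SNATed (nat PREROUTING and nat OUTPUT run before the filter chains, nat POSTROUTING after them), which is exactly the src/dst the question asks for; and because the TOS target is only valid in the mangle table, the drop chain tags packets with the MARK target, which current kernels accept in the filter table, instead of the TOS 255 from the answer. Whether that mark is visible at the collector depends on the ipt_NETFLOW build and is not assumed here; it is only a local tag.

```shell
#!/bin/sh
# Added example for the thread above, not code posted by the asker or answerer.
# Emits an iptables-restore ruleset (filter table) in which every verdict in
# INPUT and FORWARD passes through an accounting chain, and checks that
# property. Interface names, addresses, ports, chain names and the mark
# value are assumptions chosen for illustration.
set -eu

WAN="${WAN:-wan0}"          # assumed upstream (SNAT) interface
LAN="${LAN:-lan0}"          # assumed downstream interface
WEB="${WEB:-192.0.2.10}"    # assumed DNAT target for port 80 behind the router

# Why the filter table: its INPUT and FORWARD chains run after nat
# PREROUTING (DNAT already applied) and before nat POSTROUTING (SNAT not
# yet applied), and nat OUTPUT runs before filter OUTPUT. Rules here
# therefore see the "after DNAT, before SNAT" addresses the question wants.
#
# ACCT_ACCEPT / ACCT_DROP: NETFLOW is a non-terminating target, so the
# rule after it supplies the verdict. The MARK in ACCT_DROP replaces the
# answer's TOS 255, because the TOS target is mangle-table only; 0xff is
# an assumed, purely local tag.
#
# INPUT/FORWARD: explicit drops first, then accounted accepts, then a
# trailing ACCT_DROP so that traffic the DROP policy would have eaten is
# exported too (the policy itself never fires). Loopback is left out of
# the accounting on purpose.
gen_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ACCT_ACCEPT - [0:0]
:ACCT_DROP - [0:0]
-A ACCT_ACCEPT -j NETFLOW
-A ACCT_ACCEPT -j ACCEPT
-A ACCT_DROP -j MARK --set-mark 0xff
-A ACCT_DROP -j NETFLOW
-A ACCT_DROP -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j ACCT_DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCT_ACCEPT
-A INPUT -i $LAN -p tcp --dport 22 -j ACCT_ACCEPT
-A INPUT -p icmp -j ACCT_ACCEPT
-A INPUT -j ACCT_DROP
-A FORWARD -m conntrack --ctstate INVALID -j ACCT_DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCT_ACCEPT
-A FORWARD -i $LAN -o $WAN -j ACCT_ACCEPT
-A FORWARD -i $WAN -o $LAN -p tcp -d $WEB --dport 80 -j ACCT_ACCEPT
-A FORWARD -j ACCT_DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j NETFLOW
COMMIT
EOF
}

# Count INPUT/FORWARD rules that jump straight to ACCEPT/DROP/REJECT, i.e.
# reach a verdict without being accounted. Loopback rules are exempt.
# Reads a ruleset on stdin, prints the count (0 means every verdict is accounted).
unaccounted_verdicts() {
	awk '
		/^-A (INPUT|FORWARD) / && !/ -[io] lo / &&
		/ -j (ACCEPT|DROP|REJECT)( |$)/ { n++ }
		END { print n + 0 }
	'
}

# Print the target of the last rule appended to the given chain. With a
# DROP policy this must be ACCT_DROP, or policy-dropped traffic is never seen.
last_target() {
	awk -v chain="$1" '
		$1 == "-A" && $2 == chain { for (i = 3; i <= NF; i++) if ($i == "-j") t = $(i + 1) }
		END { print t }
	'
}

# Usage: sh acct-rules.sh print > rules.v4 && iptables-restore --test rules.v4
#        sh acct-rules.sh check   (prints the number of unaccounted verdicts)
case "${1:-}" in
print) gen_ruleset ;;
check) gen_ruleset | unaccounted_verdicts ;;
esac
```

Validate the generated file with `iptables-restore --test rules.v4` before loading it; the test mode parses and builds the ruleset without committing it. Because NETFLOW does not terminate rule traversal, every packet of an established flow passes through `-j NETFLOW` in the accounting chain, which is what gives correct per-flow byte counts. The checker is deliberately strict: adding a plain `-j ACCEPT` anywhere in INPUT or FORWARD makes it report a non-zero count, which is the mistake the comment thread warns about.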