4

I plan to use iptables to measure my Internet traffic (inspired by Peter Krumins' great article http://www.catonmat.net/blog/traffic-accounting-with-iptables).

The computer which is intended to measure traffic currently forwards all LAN traffic to and from the Internet.

I tried to figure out in which chains all transferred bytes (upload+download) are counted. The filter FORWARD chain is the only chain with more than a megabyte after opening several websites (it shows 17M). It seems to be the download (+ upload maybe).

But the following observation made me suspicious:

me@computer:~$ sudo iptables -vL -t raw
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
me@computer:~$ sudo iptables -vL -t raw
Chain PREROUTING (policy ACCEPT 34 packets, 2244 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 16 packets, 2664 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Even though I visited some websites, the raw PREROUTING chain still had 0 bytes when running sudo iptables -vL -t raw the first time (the first run of sudo iptables -vL -t raw stood out by its long execution time of more than a second). A few seconds later, both raw chains had more than 2000 bytes.

To me, it seems to be starting to count after the first query and missing all earlier bytes.

I expected the raw PREROUTING chain to count all bytes of forwarded LAN traffic, because the following flow chart suggests that: http://stuffphilwrites.com/2014/09/iptables-processing-flowchart

ideaboxer
  • First, add the -n option to remove all the DNS queries and speed up the answer! iptables -vnL -t raw – Dom May 25 '17 at 16:49
  • I get the same result, though only on older Linux versions (don't know why, yet). What distro and version are you using to generate the above results? – MadHatter May 27 '17 at 21:20

1 Answer

8

I have been able to reproduce zeros in the counters on the first run of iptables --list --verbose -t raw. And the reason in my case simply was that the iptable_raw module had not been loaded until I ran the command.

Since I don't need the raw table in my setup, that module is usually not loaded, and it wasn't until I ran that command that the module was loaded.

By running rmmod iptable_raw I can unload the module, and the next time I run iptables --list --verbose -t raw the counters have reset to zero.

That is all working as intended. And I guess that is the same thing that happened to you. If you create rules in the raw table the module will be automatically loaded, and if you don't need any rules in that table, there is no need to load the module.

For listing current rules I recommend using iptables-save, which will output the rules in a format that can be loaded back with iptables-restore. It will show all the relevant details of your current rules, and it will not load any additional modules; it will show just those which are currently loaded.

The delay the first time you ran the command could be explained by a number of different reasons, it is hard to say exactly which one was the case for you. But one possibility is that the disk which the module needed to be loaded from had been spun down while idle and you needed to wait for that disk to spin up.

kasperd
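As an added example, not code from the question or from kasperd's answer: a small POSIX shell script that puts the answer's advice into practice. It checks /proc/modules to see whether the iptable_raw module is loaded before anyone lists that table, installs explicit counting rules in the filter FORWARD chain (the chain the asker saw the forwarded bytes in) instead of relying on chain policy counters, and reads the counters from iptables-save -c, which only prints tables whose modules are already loaded and therefore never pulls in iptable_raw as a side effect. The interface names eth0/eth1, the comment tags acct-upload/acct-download and the SAMPLE_SAVE text are assumptions of this example; SAMPLE_SAVE is constructed iptables-save output, not captured from a real host, and exists only so the parser can run without root.

```shell
#!/bin/sh
# Added example (not from the page). Assumed names: $LAN_IF faces the LAN,
# $WAN_IF faces the Internet; rules are tagged with iptables comments.

LAN_IF="${LAN_IF:-eth1}"   # assumed interface name, adjust to your box
WAN_IF="${WAN_IF:-eth0}"   # assumed interface name, adjust to your box

# Is the module backing a table (raw, mangle, nat, filter) loaded? Looks it
# up in /proc/modules, or in the file given as $2 so the check can be
# exercised without root. A table compiled into the kernel never appears
# there, so "not loaded" only means "not loaded as a module".
table_module_loaded() {
    grep -q "^iptable_$1 " "${2:-/proc/modules}"
}

# One counting rule per direction at the top of filter FORWARD. Rules with
# no -j target only count and fall through, so the chain's policy is unchanged.
install_accounting_rules() {
    iptables -I FORWARD 1 -i "$LAN_IF" -o "$WAN_IF" \
        -m comment --comment acct-upload
    iptables -I FORWARD 2 -i "$WAN_IF" -o "$LAN_IF" \
        -m comment --comment acct-download
}

# Sum the exact byte counters of every rule carrying the given comment tag
# in 'iptables-save -c' output read from stdin. Counter lines look like:
#   [pkts:bytes] -A FORWARD -i eth1 -o eth0 -m comment --comment acct-upload
tagged_bytes() {
    awk -v tag="$1" '
        $1 ~ /^\[[0-9]+:[0-9]+]$/ && $2 == "-A" &&
        $0 ~ ("--comment " tag "( |$)") {
            n = $1; gsub(/[^0-9:]/, "", n)   # "[120:98765]" -> "120:98765"
            split(n, c, ":")                  # c[1] = packets, c[2] = bytes
            total += c[2]
        }
        END { printf "%d\n", total + 0 }'
}

# Constructed sample of 'iptables-save -c' output (not from a real host):
# two tagged directions, a second download rule, and an untagged rule
# that must be ignored.
SAMPLE_SAVE='*filter
:INPUT ACCEPT [12:3456]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7:890]
[120:98765] -A FORWARD -i eth1 -o eth0 -m comment --comment acct-upload
[340:2244000] -A FORWARD -i eth0 -o eth1 -m comment --comment acct-download
[5:300] -A FORWARD -m comment --comment acct-download
[9:9999] -A FORWARD -j ACCEPT
COMMIT'

# Print upload/download/total bytes for save-format text read from stdin.
report() {
    data=$(cat)
    up=$(printf '%s\n' "$data" | tagged_bytes acct-upload)
    down=$(printf '%s\n' "$data" | tagged_bytes acct-download)
    printf 'upload=%s download=%s total=%s\n' "$up" "$down" "$((up + down))"
}

if [ "$(id -u)" -eq 0 ] && command -v iptables-save >/dev/null 2>&1; then
    if table_module_loaded raw; then
        echo "iptable_raw is loaded"
    else
        echo "iptable_raw is not loaded; listing the raw table would load it with zeroed counters"
    fi
    iptables-save -c -t filter | report      # live, exact byte counts
else
    printf '%s\n' "$SAMPLE_SAVE" | report    # offline run on the sample
fi
```

Run it as root once install_accounting_rules has been called (or add that call before the report) to get exact per-direction byte counts; iptables-save -c prints full numbers, whereas iptables -vL rounds to values like the "17M" in the question unless you add -x. Counters survive rule listings but not a reboot or an rmmod of the table module, so persist them with iptables-save -c before either.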