Ipt_account module

Version 0.1.6

Piotr Gasidlo

The primary function of the ipt_account module is to account for traffic passing through a router, or going into and out of it.

Tip

Polish documentation is available here.


Table of Contents
1. Installation
1.1. Getting files
1.2. Compilation and installation
2. Usage
2.1. Adding rules
2.2. Viewing statistics
2.3. Saving and loading counters
List of Tables
2-1. Contents of procfs entry
List of Examples
2-1. Creating rules
2-2. Viewing statistics
2-3. Modifying counters
2-4. Saving counters
2-5. Loading counters

Chapter 1. Installation

1.1. Getting files

To be able to use ipt_account, you need to get these files:

Note

Using CVS, you can get patch-o-matic and iptables with the newest version of ipt_account. In that case, applying the above patches is unnecessary.


1.2. Compilation and installation

Note

This section contains step-by-step instructions for compiling and installing a new kernel and iptables with ipt_account support. The instructions are based on the 2.6.7 kernel. Installation using another kernel (especially one from the 2.4.x tree) may differ slightly.

In the directory where the downloaded files are placed, enter the following commands:

# tar xvfj patch-o-matic-ng-20040621.tar.bz2
# cd patch-o-matic-ng*
# cat ../ipt_account-patch-o-matic-ng.diff | patch -p1
# cd ..
# tar xvfj iptables-1.2.11.tar.bz2
# tar xvfj linux-2.6.7.tar.bz2
# export KERNEL_DIR=`pwd`/linux-2.6.7
# export IPTABLES_DIR=`pwd`/iptables-1.2.11
# cd patch-o-matic-ng
# ./runme account
Accept the installation of ipt_account by pressing 'y'.

Now configure the kernel by entering the following commands:

# cd linux-2.6.7
# make menuconfig
From the menu choose:
Device Drivers  --->
  Networking support  --->
    Networking options  --->
      [*] Network packet filtering (replaces ipchains)  --->
        IP: Netfilter Configuration  --->
          <M> account match support
          [ ]   account debugging output
Do not enable "account debugging output". It is only helpful if you want to debug the module.

After finishing the configuration, compile the new kernel and install it.

# make
# cp arch/i386/boot/bzImage /boot/vmlinuz-2.6.7
# cp System.map /boot/System.map-2.6.7
# cd ..

Important

After successful installation do not forget to update bootloader (LILO or GRUB) configuration.

Compile and install iptables. The iptables helper libraries will be installed in /lib/iptables.

# cd iptables-1.2.11
# cat ../ipt-account-iptables.diff | patch -p1
# chmod +x extensions/.account-test
# make install KERNEL_DIR=../linux-2.6.7 PREFIX=
# cd ..
Finally, restart the system and, in the bootloader, choose the new kernel with ipt_account support.


Chapter 2. Usage

2.1. Adding rules

First, the rules that account traffic must be created.

To gather traffic statistics for the network 192.168.0.0/24 passing through the router, and traffic statistics to the WWW server (installed on the router) for the same network, use the following commands.

Example 2-1. Creating rules

# iptables -A FORWARD -m account --aaddr 192.168.0.0/24 --aname mynetwork (1)
# iptables -A INPUT -p tcp --dport 80 -m account --aaddr 192.168.0.0/24 --aname myserver --ashort (2)
# iptables -A OUTPUT -p tcp --dport 80 -m account --aaddr 192.168.0.0/24 --aname myserver --ashort (3)
(1)
Gather traffic statistics for the network 192.168.0.0/24 passing through the router.
(2)
Gather traffic statistics to the WWW server (installed on the router) for the network 192.168.0.0/24. Because of the --ashort parameter, the module will gather only total statistics (without per-protocol statistics).
(3)
Gather traffic statistics from the WWW server (installed on the router) to the network 192.168.0.0/24. Because the table 'myserver' already exists, it will be used again.

Important

To use an existing table in many rules, make sure the network address/netmask is the same in all of them. If the network address/netmask differs, the new rule won't be created.

After executing the above commands you will see new entries in the procfs directory /proc/net/ipt_account/:

# ls -laR /proc/net/ipt_account/
/proc/net/ipt_account/:
total 0
dr-xr-xr-x    2 root     root            0 Jul 17 19:28 .
dr-xr-xr-x    4 root     root            0 Jul 17 19:28 ..
-rw-r--r--    1 root     root            0 Jul 17 19:28 mynetwork
-rw-r--r--    1 root     root            0 Jul 17 19:28 myserver


2.2. Viewing statistics

The contents of the /proc/net/ipt_account/mynetwork file are described below:

Example 2-2. Viewing statistics

# cat /proc/net/ipt_account/mynetwork
ip = 192.168.0.0 bytes_src = 8009371355 7979197249 25417729 4756377 0 packets_src = 14844174 14600134 186011 58029 0 bytes_dest = 17568766197 17540073337 25092213 3600647 0 packets_dest = 17462235 17236701 182662 42872 0
ip = 192.168.0.1 bytes_src = 702 0 702 0 0 packets_src = 9 0 9 0 0 bytes_dest = 0 0 0 0 0 packets_dest = 0 0 0 0 0
ip = 192.168.0.2 bytes_src = 133164609 133071748 92441 420 0 packets_src = 2548317 2547888 422 7 0 bytes_dest = 7331211760 7331210800 540 420 0 packets_dest = 4928417 4928404 6 7 0
ip = 192.168.0.3 bytes_src = 0 0 0 0 0 packets_src = 0 0 0 0 0 bytes_dest = 0 0 0 0 0 packets_dest = 0 0 0 0 0
ip = 192.168.0.4 bytes_src = 168821 0 168821 0 0 packets_src = 2043 0 2043 0 0 bytes_dest = 180 0 180 0 0 packets_dest = 2 0 2 0 0
ip = 192.168.0.5 bytes_src = 147593 0 147593 0 0 packets_src = 1324 0 1324 0 0 bytes_dest = 0 0 0 0 0 packets_dest = 0 0 0 0 0
...

Table 2-1. Contents of procfs entry

Column        Meaning
ip            IP of the host.
bytes_src     Statistics in bytes for "outgoing" traffic of that host. The first number (8009371355) is the total, the second one (7979197249) is TCP, the third one (25417729) is UDP, the fourth one (4756377) is ICMP and finally the fifth one (0) is traffic for all other protocols.
packets_src   Same as above, but in packets instead of bytes.
bytes_dest    Statistics of bytes received by the host with the given IP. The meaning of the individual numbers is as above.
packets_dest  Statistics for "incoming" traffic of that host. Like the second column, all values are in bytes.
time          Time of the last modification of the row, in seconds.

Note

If the table was created using the --ashort parameter, you will see only total traffic statistics (without the per-protocol breakdown).

# cat /proc/net/ipt_account/myserver
ip = 192.168.0.0 bytes_src = 12309123 packets_src = 123145 bytes_dest = 3252355 packets_dest = 242132
...

Note

The first row (with the network address) contains the sum of all statistics for the network/netmask.


2.3. Saving and loading counters

The counters inside a table can be freely set. For example, entering the following command will change the counters for the host 192.168.0.251.

Example 2-3. Modifying counters

# echo "ip = 192.168.0.251 bytes_src = 1 2 3 4 5 packets_src = 6 7 8 9 0 bytes_dest = 1 2 3 4 5 packets_dest = 6 7 8 9 0" > /proc/net/ipt_account/mynetwork

This feature can be used to save counter values before a router reboot, and then restore them after the reboot.

Example 2-4. Saving counters

# cat /proc/net/ipt_account/myserver > myserver.save

Example 2-5. Loading counters

# while read line; do echo "$line" > /proc/net/ipt_account/myserver; done < myserver.save

Important

Counters must be loaded row by row, one write per row. Do not use:

# cat myserver.save > /proc/net/ipt_account/myserver
This won't work.
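As an added example (not part of the original documentation or the ipt_account project), a small Python parser for the procfs row format from Example 2-2 and the saved file from Examples 2-4 and 2-5. It reads both full and --ashort rows, writes them back in the one-row form the module accepts, and checks that the network row really is the sum of the host rows, which is a useful sanity check on a saved file before loading it, since the counters are writable. The sample table is constructed; the field order comes from Table 2-1.

```python
import ipaddress

# Counter fields in the order the module prints them (Table 2-1). A full table
# has five values per field (total tcp udp icmp other); --ashort has only the total.
FIELDS = ("bytes_src", "packets_src", "bytes_dest", "packets_dest")

# Constructed sample of a full table: network row first, then two host rows.
SAMPLE = """\
ip = 192.168.0.0 bytes_src = 1500 1000 400 100 0 packets_src = 30 20 8 2 0 bytes_dest = 900 600 300 0 0 packets_dest = 15 10 5 0 0
ip = 192.168.0.1 bytes_src = 1000 1000 0 0 0 packets_src = 20 20 0 0 0 bytes_dest = 600 600 0 0 0 packets_dest = 10 10 0 0 0
ip = 192.168.0.2 bytes_src = 500 0 400 100 0 packets_src = 10 0 8 2 0 bytes_dest = 300 0 300 0 0 packets_dest = 5 0 5 0 0
"""


def parse_line(line):
    """Parse one 'key = value...' row into {'ip': str, <field>: [int, ...]}."""
    tokens = line.split()
    groups, key = {}, None
    for i, tok in enumerate(tokens):
        if i + 1 < len(tokens) and tokens[i + 1] == "=":
            key, groups[tok] = tok, []        # start of a new "key =" group
        elif tok != "=":
            if key is None:
                raise ValueError(f"value before any key: {line!r}")
            groups[key].append(tok)
    rec = {"ip": str(ipaddress.IPv4Address(groups["ip"][0]))}
    for f in FIELDS:
        vals = [int(v) for v in groups[f]]
        if len(vals) not in (1, 5):           # 1 = --ashort row, 5 = full row
            raise ValueError(f"{f}: expected 1 or 5 counters, got {len(vals)}")
        rec[f] = vals
    return rec


def format_line(rec):
    """Inverse of parse_line: the row form that the procfs file accepts on write."""
    parts = [f"ip = {rec['ip']}"]
    parts += [f"{f} = " + " ".join(str(v) for v in rec[f]) for f in FIELDS]
    return " ".join(parts)


def check_totals(rows):
    """Fields where the network row (row 0) differs from the sum of the host rows."""
    net, hosts = rows[0], rows[1:]
    problems = []
    for f in FIELDS:
        summed = [sum(col) for col in zip(*(h[f] for h in hosts))]
        if summed != net[f]:
            problems.append(f"{f}: network row {net[f]} != host sum {summed}")
    return problems
```

To restore a saved table, parse it, run check_totals on it, and write each format_line result with a separate write, as the Important note above requires.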