Linux bandwidth and iptables

Craig Routledge webstuff-MKqfGmd6cJs0gtvRndBQZNBPR1lH4CV8 at public.gmane.org
Wed Dec 29 23:51:02 UTC 2004


On 12/28/2004 05:15:02 PM, Teddy Mills wrote:
> INPUT CHAIN:
> 
>  49M 3325M ACCEPT     all  --  lo     any     localhost            anywhere
>  22M 4449M ACCEPT     tcp  --  any    any     anywhere             anywhere           state RELATED,ESTABLISHED
>   
> ********************************************************************************************
>  Q1. Why is 4449M (TCP-established) on 22M packets larger than 3325M (all
> packets) on 49M packets?
> ********************************************************************************************

The first rule (all) matches all traffic on the loopback interface only.
The second rule (tcp) matches all traffic using the TCP protocol,  
regardless of whether it is local or remote.

Neither is matching all traffic.

> ********************************************************************************************
>  Q2. Same here: Why is 12GB (TCP-established) on 22M packets larger than
> 3325M (all packets) on 49M packets?
> ********************************************************************************************

Same reason as above.

> Q3. Can I run this iptables -L -v every day for a week and compare the
> numbers?
>    Will that be accurate?

If you have a rule that logs all traffic (accepted or not), it should.
Note the --exact option.

> Q4. This is kind of a crude raw format. Is there something with finer  
> granularity?

You can specify rules to match any kind of packet you wish to track.
iptables -L -v will then pick up the stats.

You can also send this to syslog via the LOG target prior to any other  
action on that match.  This will create BIG log files because it logs each  
packet.  Something like logwatch will condense it for you, but remember to  
rotate your raw logs often enough.

Or you could use a different tool entirely...

Various Intrusion Detection Systems, such as snort, will undoubtedly  
provide such information and can spot other miscreant behaviour.

> Q5. And easy to setup? (this machine is mission critical)

Well, "man iptables" isn't the best place to start.  I'd suggest reading  
some online or magazine tutorials on iptables first, to get the basic flow  
of things figured out.

--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
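One way to do the day-to-day comparison asked about in Q3, as an added example that is not part of this thread: the script below parses two constructed `iptables -L INPUT -v -n -x` snapshots (assumed to list the same rules in the same order), reports per-rule packet and byte growth, flags a counter that went backwards after a reset, and detects the rounded K/M/G values you get when -x (the --exact option) was left off.

```shell
#!/bin/sh
# Added example: compare two `iptables -L INPUT -v -n -x` snapshots taken on
# different days. The snapshots below are constructed sample data; -x prints
# exact counters instead of the rounded 3325M style shown in the thread.
DAY1='Chain INPUT (policy DROP 12 packets, 840 bytes)
    pkts      bytes target     prot opt in     out     source               destination
49000000 1325000000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
22000000 1449000000 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'
DAY2='Chain INPUT (policy DROP 15 packets, 1040 bytes)
    pkts      bytes target     prot opt in     out     source               destination
49500000 1400000000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
23000000 1600000000 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'
# Same chain listed without -x: counters are rounded and useless for deltas.
ROUNDED='Chain INPUT (policy DROP 12 packets, 840 bytes)
    pkts      bytes target     prot opt in     out     source               destination
  49M 1325M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0'

# Exit 0 if any counter carries a K/M/G suffix, i.e. the listing lacked -x.
needs_exact() {
    printf '%s\n' "$1" |
        awk 'NR > 2 && ($1 ~ /[KMG]$/ || $2 ~ /[KMG]$/) { found = 1 } END { exit !found }'
}

# Print "rule# pkts bytes" for each rule row of a snapshot (header rows skipped).
# Rules are matched by position, so the rule set must not change between snapshots.
extract_counters() {
    awk 'NR > 2 && $1 ~ /^[0-9]+$/ { n++; print n, $1, $2 }'
}

# report_deltas SNAP1 SNAP2: per rule, print "rule# pkts_delta bytes_delta", or
# "rule# RESET" when a counter went backwards (iptables -Z or a reboot between
# the snapshots), because that difference is meaningless.
report_deltas() {
    {
        printf '%s\n' "$1" | extract_counters | sed 's/^/A /'
        printf '%s\n' "$2" | extract_counters | sed 's/^/B /'
    } | awk '
        $1 == "A" { p[$2] = $3; b[$2] = $4; next }
        $1 == "B" {
            dp = $3 - p[$2]; db = $4 - b[$2]
            if (dp < 0 || db < 0) print $2, "RESET"
            else print $2, dp, db
        }'
}

if needs_exact "$ROUNDED"; then echo "rounded counters: re-run the listing with -x"; fi
report_deltas "$DAY1" "$DAY2"
```

In day-to-day use, replace the constructed strings with the saved output of the real listing, one file per day, and run the report against consecutive pairs.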