Accounting for national/international traffic
Alistair at nerdnet.ca
Tue Dec 21 19:33:00 CET 2004
On December 21, 2004 03:55 am, Jean Hoderd wrote:
> Here's the situation: in many countries it is customary for ISPs to
> have separate quotas for national/international traffic (in my case the
> limits are 20GB/2GB per month).
> Now, given an IP address, knowing whether it is national or
> international is a solved problem: there are publicly available lists
> with the ranges of national IP addresses.
> The problem: how to keep track of the monthly internet usage divided
> into national/international traffic.
> Please note that I am not interested in enforcing quotas per se (the
> "quota" module, I believe). Rather, I would simply like to know what
> is the total traffic per category since the beginning of the month.
> I have searched netfilter's repository, and it seems that the
> ipt_account module might do the trick. However, since I am still a
> newbie with netfilter, I am having some trouble defining the actual
> rules to make it work. Let us imagine, for instance, that I have n
> ranges of national IP addresses. Adding them to a "national" counter
> seems easy:
> iptables -A INPUT -m account --addr "range1" --aname national
> iptables -A INPUT -m account --addr "range2" --aname national
> iptables -A INPUT -m account --addr "rangen" --aname national
> The question is: how do I implement the logic for all non-matching
> ranges, which should be added to an "international" counter?
> Furthermore, I have already plenty of rules in my firewall, and I wish
> that the traffic accounting would not interfere with them.
You want to have two user chains to do this.
Create the 'accounting' chain in which you will account the packets with the
rules you've given, and *AFTER* each accounting rule put a matching rule that
RETURNS the packets to the calling chain. At the end of the 'accounting'
chain add one rule to an 'international' chain that accounts for all non-
returned packets. At the end of the 'international' chain the packets will
return to the 'accounting' chain and since they are already at the end of
that they will RETURN to the calling chain.
iptables -A accounting -m account --addr 'range1' --aname national
iptables -A accounting -d range1 -j RETURN
iptables -A accounting -m account --addr 'range2' --aname national
iptables -A accounting -d range2 -j RETURN
iptables -A accounting -j international
iptables -A international -m account --aname international
> Thanks in advance for any help you can give me!
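The two-chain layout from the reply, as an added example script that is not part of the original thread: it emits the iptables commands for a list of national ranges (constructed TEST-NET placeholders, not real allocations) so they can be reviewed before loading. It assumes the chain is hooked from INPUT, where the remote host is the packet's source, so the RETURN rules use -s; the ipt_account options are used as written in the thread.

```shell
#!/bin/sh
# Added example: print the iptables commands for the two-chain accounting
# layout (per-range 'account' rule followed by RETURN, then a catch-all jump
# to 'international'). Output is text only; nothing here changes the firewall.

# Constructed placeholder ranges (TEST-NET blocks), not a real national list.
NATIONAL_RANGES="192.0.2.0/24 198.51.100.0/24 203.0.113.0/24"

gen_accounting_rules() {
    printf '%s\n' "iptables -N accounting"
    printf '%s\n' "iptables -N international"
    # Hook at position 1: existing INPUT rules still run unchanged once the
    # accounting chain RETURNs.
    printf '%s\n' "iptables -I INPUT 1 -j accounting"
    for range in $NATIONAL_RANGES; do
        # Assumption: on INPUT the remote host is the source, hence -s
        # (the reply in the thread wrote -d).
        printf '%s\n' "iptables -A accounting -m account --addr $range --aname national"
        printf '%s\n' "iptables -A accounting -s $range -j RETURN"
    done
    # Anything not returned above is counted as international.
    printf '%s\n' "iptables -A accounting -j international"
    # ipt_account match syntax as written in the thread.
    printf '%s\n' "iptables -A international -m account --aname international"
}

# Number of RETURN rules emitted; must equal the number of ranges.
count_return_rules() {
    gen_accounting_rules | grep -c 'RETURN$'
}

# Number of configured ranges, for cross-checking the generated rules.
count_ranges() {
    set -- $NATIONAL_RANGES
    echo "$#"
}
```

Review the output and load it with `gen_accounting_rules | sh`; because every path through 'accounting' ends in RETURN, the rules already in INPUT are evaluated as before. Outbound bytes are not counted by this hook; the same layout attached to OUTPUT with -d would be needed for that half of the quota.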