connection tracking without iptables?

Daniel Chemko dchemko at smgtec.com
Thu Sep 30 20:19:25 CEST 2004


> Just trying to get an idea of the type and amount of traffic passing
> through a subnet.  I've done this before with tcpdump, but that
> required an external parsing program to reconstitute all the
> connections from the tcpdump capture.

The way I track this kind of information is from netfilter/iptables.

In the PREROUTING and POSTROUTING chains, you implement 'null' targets
to add an internal netfilter counter to the packet stream.

# Detect all outgoing web traffic from that subnet
iptables -t mangle -A PREROUTING --source ${mynet}/${mymask} -p tcp \
    --dport 80
# Return Traffic
iptables -t mangle -A PREROUTING --destination ${mynet}/${mymask} -p tcp \
    --sport 80

You may find this a little kludgy. I guess it is. The other alternative
is to use IP accounting packages which are pre-built to do this stuff.
You may find http://www.ntop.org/ntop.html or http://www.cacti.net/
useful if you don't feel like doing it yourself.
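Reading the per-rule counters that those target-less rules accumulate, as an added example that is not part of the original post (written in Python rather than the shell used above so the parsing and rate arithmetic stay readable). It assumes the `[pkts:bytes] -A CHAIN ...` line format of `iptables-save -c`, and the two snapshots below are constructed for mynet=192.168.1.0/24, not captured from a real host.

```python
"""Turn netfilter's internal counters into per-rule traffic rates.

Added example, not from the original post. Assumes `iptables-save -c`
emits one "[pkts:bytes] -A CHAIN <rule spec>" line per rule.
"""
import re
import subprocess
from typing import Dict, Tuple

COUNTER_RE = re.compile(r"^\[(\d+):(\d+)\]\s+(-A\s+\S+\s+.*)$")

# Constructed sample output of `iptables-save -t mangle -c`, taken at two
# points 10 s apart, for the two accounting rules shown in the post.
SNAPSHOT_T0 = """\
*mangle
:PREROUTING ACCEPT [100:20000]
:POSTROUTING ACCEPT [100:20000]
[40:3200] -A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 80
[38:51300] -A PREROUTING -d 192.168.1.0/24 -p tcp -m tcp --sport 80
COMMIT
"""
SNAPSHOT_T1 = """\
*mangle
:PREROUTING ACCEPT [300:60000]
:POSTROUTING ACCEPT [300:60000]
[140:11200] -A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 80
[138:186300] -A PREROUTING -d 192.168.1.0/24 -p tcp -m tcp --sport 80
COMMIT
"""


def parse_counters(text: str) -> Dict[str, Tuple[int, int]]:
    """Map each rule spec (minus its counters) to (packets, bytes)."""
    counters: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:  # chain policy lines (":PREROUTING ...") do not match
            counters[m.group(3)] = (int(m.group(1)), int(m.group(2)))
    return counters


def rates(before: Dict[str, Tuple[int, int]], after: Dict[str, Tuple[int, int]],
          seconds: float) -> Dict[str, Tuple[float, float]]:
    """Per-rule (pkt/s, B/s) between two snapshots.

    Counters only grow, so a smaller value in `after` means the rule was
    flushed or reloaded in between; report that instead of a bogus rate.
    """
    out: Dict[str, Tuple[float, float]] = {}
    for rule, (p1, b1) in after.items():
        p0, b0 = before.get(rule, (0, 0))
        if p1 < p0 or b1 < b0:
            raise ValueError(f"counter reset between snapshots for: {rule}")
        out[rule] = ((p1 - p0) / seconds, (b1 - b0) / seconds)
    return out


def live_snapshot(table: str = "mangle") -> Dict[str, Tuple[int, int]]:
    """Read the real counters (needs root and iptables on the host)."""
    proc = subprocess.run(["iptables-save", "-c", "-t", table],
                          capture_output=True, text=True, check=True)
    return parse_counters(proc.stdout)


if __name__ == "__main__":
    t0, t1 = parse_counters(SNAPSHOT_T0), parse_counters(SNAPSHOT_T1)
    for rule, (pps, bps) in rates(t0, t1, 10).items():
        print(f"{pps:8.1f} pkt/s {bps:10.1f} B/s  {rule}")
```

Replace the constructed snapshots with two calls to `live_snapshot()` separated by a sleep to get rates from a real box.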
