[suse-security] IP Accounting with IP Tables

From: Thomas Seliger (CRJLJAKTJORBspammotel.com)
Date: Wed Aug 06 2003 - 11:49:02 CDT


Hi security folks ;)

I hope I don't reinvent the wheel with this or that it is a FAQ:

The company I work for will connect some servers via an S-DSL line. We
have 16 IP addresses and the setup is like that

-sdsl-line->(ext:SDSLRouter:int)<->(eth0:LinuxFW:eth1-4)<->DMZ1-4

Since I cannot (well, I could via the unpassworded serial port ;) )
configure/monitor the router, I want to set up traffic accounting on my
Linux firewall.

For now this should only allow me to monitor if the monthly traffic
limit is reached, so it will suffice to count all bytes that enter/leave
through the external interface of the firewall (missing traffic that is
directed directly to the router and adding traffic that is only between
the firewall and the router, but that's ok).

I did the following (eth0 is the ext interface of the fw):

iptables -t mangle -N acc_traffic
iptables -t mangle -I acc_traffic -j RETURN
iptables -t mangle -I PREROUTING -i eth0 -j acc_traffic
iptables -t mangle -A POSTROUTING -o eth0 -j acc_traffic

Now I can get the IP traffic byte summary that enters and leaves via
eth0 to SDSL by calling iptables -t mangle -vx -L acc_traffic

A script that is started when the firewall goes up / down and run by
cron every hour can generate and save the used IP traffic.

My short question is: will it affect the performance of the firewall in
a bad way if all packets that enter / leave via eth0 have to pass
through my accounting chain?

Is my solution totally dumb (I tried ipac-ng, but was not happy with its
configuration, meaning I was too dumb to get it to work properly)?

peace,
Tom

P.S.: Sorry for my wacky English, but it got 33 degrees Celsius in this
room :p

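
The hourly cron script the message describes could look like the following; this is an added example, not part of the original post. The state file path, the limit value and the --run switch are assumptions, and the sample listing is constructed.

```sh
#!/bin/sh
# Hourly accounting for the acc_traffic chain (added example, not the poster's script).
STATE=/var/lib/acc_traffic/state     # assumed location of the state file
LIMIT=50000000000                    # assumed monthly limit in bytes (placeholder)

# Constructed sample of `iptables -t mangle -vxn -L acc_traffic` output.
SAMPLE='Chain acc_traffic (2 references)
    pkts      bytes target     prot opt in     out     source               destination
  123456 98765432 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Read a listing on stdin, print the byte counter of the RETURN rule.
# %.0f avoids the 32-bit %d limit of some awk implementations.
chain_bytes() {
    awk '$3 == "RETURN" { sum += $2 } END { printf "%.0f\n", sum }'
}

# $1 = running total, $2 = previous reading, $3 = current reading.
# Counters restart at zero when the rules are reloaded, so a reading below
# the previous one is counted in full instead of as a negative delta.
accumulate() {
    if [ "$3" -ge "$2" ]; then
        echo $(( $1 + $3 - $2 ))
    else
        echo $(( $1 + $3 ))
    fi
}

# $1 = state file, $2 = month (YYYY-MM), $3 = current reading, $4 = limit.
# State line: "<month> <total> <last reading>". Returns 1 once the limit is hit.
update() {
    month=$2 total=0 last=0
    [ -s "$1" ] && read -r month total last < "$1"
    [ "$month" = "$2" ] || total=0   # new month: restart total, keep last reading
    total=$(accumulate "$total" "$last" "$3")
    echo "$2 $total $3" > "$1"
    [ "$total" -lt "$4" ]
}

# Cron entry point: only touches iptables when called with --run.
if [ "${1:-}" = "--run" ]; then
    now=$(iptables -t mangle -vxn -L acc_traffic | chain_bytes)
    update "$STATE" "$(date +%Y-%m)" "$now" "$LIMIT" ||
        echo "acc_traffic: monthly traffic limit reached" >&2
fi
```

Calling it with --run from the firewall's stop script before the rules are flushed keeps the bytes counted since the last hourly run from being lost.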