ipchains question

andrew at bishop.dropbear.id.au andrew at bishop.dropbear.id.au
Tue Nov 6 14:55:25 EST 2001


I replied earlier, but forgot to send it to the list.  Oops.
Anyway, here's a more complete reply :)

On Tue, 6 Nov 2001 Antti.Roppola at brs.gov.au wrote:

[...]
> # Create an accounting chain to count traffic over ppp0
> $IPCHAINS -N log-ppp
> $IPCHAINS -A log-ppp -i ppp0
>
> # Set the first rule in the input chain to detect anything going
> # over ppp0 (Internet) and flick it to the accounting chain
> $IPCHAINS -A input -i ppp0 -j log-ppp

Ok, this will work, but it's not all necessary.
(Oh, and that last one probably should be changed from '-A' (append to
chain) to '-I 1' (insert at the start of the chain).)

If you just want one number to count the incoming traffic, just
$IPCHAINS -A input -i ppp0.  No need for another chain.  (no -j means
you'll just fall through the rule)

If you want more info (e.g. you want to detail by port no.), you can do
what you did, create a chain, and jump to it.  But there's no need to put
the rule on that chain that you do ($IPCHAINS -A log-ppp -i ppp0), as
you're only jumping to that chain for traffic over the ppp0 interface...

> Do I need to grab anything else? Or will this catch everything going
> in/out over the PPP connection?

And finally, because you're only adding to the input chain, you'll only
catch traffic coming *in* over that interface.  To count traffic going
out, add something similar to the output chain (probably jumping to a
different chain, so the in/out counts aren't mixed...)



The way I do my accounting rules is to not use interface, but rather
source/dest ip address (and also for the actual blocking rules).  This
way, the rules can stay on the chains, whether the ppp interface is up or
not (good for security too - no race conditions when the interface comes
up, no chance of unfortunate incidents if for some reason ip-up.local
isn't run or something).  You may want to look at that instead.

Andrew
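An added example (not from the original post or its author) of the address-based accounting layout described above: two chains keep in and out counts separate, the rules key on the link's own IP address rather than on `-i ppp0`, and the jumps are inserted at position 1 of input/output. The chain names `acct-in`/`acct-out` and the `IPCHAINS` dry-run default are assumptions; set `IPCHAINS=/sbin/ipchains` to actually load the rules.

```shell
#!/bin/sh
# Added example, not code from the original post. Accounting rules keyed on
# the link's own address so they can stay loaded whether ppp0 is up or not.
# IPCHAINS defaults to "echo ipchains" (dry run: the commands are printed,
# one per line, instead of executed). Chain names are assumptions.
IPCHAINS="${IPCHAINS:-echo ipchains}"

# gen_acct_rules <local_ip>
# Builds the six ipchains invocations for address-based in/out accounting.
# Rejects a network spec: accounting for "our" traffic needs a host address.
gen_acct_rules() {
    ip="$1"
    case "$ip" in
        */* | "")
            echo "gen_acct_rules: expected a single host address" >&2
            return 1 ;;
    esac
    # Separate chains so incoming and outgoing byte counts are not mixed.
    $IPCHAINS -N acct-in
    $IPCHAINS -N acct-out
    # Counting rules carry no -j: a packet is counted, then falls through
    # the end of the chain and returns to input/output for normal filtering.
    $IPCHAINS -A acct-in  -d "$ip"
    $IPCHAINS -A acct-out -s "$ip"
    # "-I ... 1" puts the jump at the head of the built-in chain, so no
    # earlier ACCEPT/DENY rule can consume a packet before it is counted.
    $IPCHAINS -I input  1 -d "$ip" -j acct-in
    $IPCHAINS -I output 1 -s "$ip" -j acct-out
}

# rule_count <local_ip>: number of rules gen_acct_rules would load.
rule_count() {
    gen_acct_rules "$1" | wc -l | tr -d ' '
}
```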




