the firewall rules, so we won't focus on it, but we will discuss what you can discover about the nature of your network traffic using this feature.
The general syntax for IP accounting with ipfwadm is:
# ipfwadm -A [
The direction argument is new. This is simply coded as in, out, or both. These directions are from the perspective of the Linux machine itself, so in means data coming into the machine from a network connection and out means data that is being transmitted by this host on a network connection. The both direction is the sum of the incoming and outgoing directions.
The general command syntax for ipchains and iptables is:
# ipchains -A
# iptables -A
The ipchains and iptables commands allow you to specify direction in a manner more consistent with the firewall rules. IP Firewall Chains doesn't allow you to configure a rule that aggregates both directions, but it does allow you to configure rules in the forward chain that the older implementation did not. We'll see the difference that makes in some examples a little later.
The commands are much the same as firewall rules, except that the policy rules do not apply here. We can add, insert, delete, and list accounting rules. In the case of ipchains and iptables, all valid rules are accounting rules, and any command that doesn't specify the
The rule specification parameters for IP accounting are the same as those used for IP firewall. These are what we use to define precisely what network traffic we wish to count and total.
Accounting by Address
Let's work with an example to illustrate how we'd use IP accounting.
Imagine we have a Linux-based router that serves two departments at the Virtual Brewery. The router has two Ethernet devices,
Let's also imagine that for billing purposes we want to know the total traffic generated by each of the departments across the serial link, and for management purposes we want to know the total traffic generated between the two departments.
The following table shows the interface addresses we will use in our example:
| iface | address | netmask |
|---|---|---|
| eth0 | 172.16.3.0 | 255.255.255.0 |
| eth1 | 172.16.4.0 | 255.255.255.0 |
To answer the question, 'How much data does each department generate on the PPP link?', we could use a rule that looks like this:
# ipfwadm -A both -a -W ppp0 -S 172.16.3.0/24 -b
# ipfwadm -A both -a -W ppp0 -S 172.16.4.0/24 -b
or:
# ipchains -A input -i ppp0 -d 172.16.3.0/24
# ipchains -A output -i ppp0 -s 172.16.3.0/24
# ipchains -A input -i ppp0 -d 172.16.4.0/24
# ipchains -A output -i ppp0 -s 172.16.4.0/24
and with iptables:
# iptables -A FORWARD -i ppp0 -d 172.16.3.0/24
# iptables -A FORWARD -o ppp0 -s 172.16.3.0/24
# iptables -A FORWARD -i ppp0 -d 172.16.4.0/24
# iptables -A FORWARD -o ppp0 -s 172.16.4.0/24
The first half of each of these sets of rules says, 'Count all data traveling in either direction across the interface named ppp0 with a source or destination (remember the function of the
To answer the second question, 'How much data travels between the two departments?', we need a rule that looks like this:
# ipfwadm -A both -a -S 172.16.3.0/24 -D 172.16.4.0/24 -b
or:
# ipchains -A forward -s 172.16.3.0/24 -d 172.16.4.0/24 -b
or:
# iptables -A FORWARD -s 172.16.3.0/24 -d 172.16.4.0/24
# iptables -A FORWARD -s 172.16.4.0/24 -d 172.16.3.0/24
These rules will count all datagrams with a source address belonging to one of the department networks and a destination address belonging to the other.
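The rule sets above can be generated rather than typed by hand, which matters as soon as there are more than two departments. The following shell script is an added example, not from the book: it emits the iptables FORWARD accounting rules for any number of department networks, first the per-link pair for each network, then one pair of rules for each distinct pair of networks, generalizing the two-department case shown above. The link name ppp0 and the dry-run default (the commands are printed, not executed) are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the book): generate iptables accounting rules for
# any number of department networks. By default the rules are printed rather
# than applied, so they can be reviewed first; set IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"   # dry run by default (assumption of the example)
LINK="${LINK:-ppp0}"          # interface carrying the metered traffic (assumed)

# link_rules NET: count traffic arriving from and leaving for the link for one
# network. iptables needs one rule per direction, unlike ipfwadm's -b.
link_rules() {
    net="$1"
    $IPT -A FORWARD -i "$LINK" -d "$net"
    $IPT -A FORWARD -o "$LINK" -s "$net"
}

# pair_rules NET_A NET_B: count traffic between two networks, one rule per direction.
pair_rules() {
    $IPT -A FORWARD -s "$1" -d "$2"
    $IPT -A FORWARD -s "$2" -d "$1"
}

# account_nets NET...: link rules for every network, then pair rules for every
# distinct pair of networks (each pair once, regardless of order).
account_nets() {
    for n in "$@"; do
        link_rules "$n"
    done
    while [ $# -gt 1 ]; do
        a="$1"
        shift
        for b in "$@"; do
            pair_rules "$a" "$b"
        done
    done
}

# The two departments from the text; add further networks as extra arguments.
account_nets 172.16.3.0/24 172.16.4.0/24
```

With three networks the script produces six link rules and six pair rules (three pairs, two directions each); each added department adds two link rules and two rules per existing department.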
Accounting by Service Port
Okay, let's suppose we also want a better idea of exactly what sort of traffic is being carried across our PPP link. We might, for example, want to know how much of the link the FTP, smtp, and World Wide Web services are consuming.
A script of rules to enable us to collect this information might look like:
#!/bin/sh
# Collect FTP, smtp and www volume statistics for data carried on our
# PPP link using ipfwadm
#
ipfwadm -A both -a -W ppp0 -P tcp -S 0/0 ftp ftp-data
ipfwadm -A both -a -W ppp0 -P tcp -S 0/0 smtp
ipfwadm -A both -a -W ppp0 -P tcp -S 0/0 www

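Once rules like these are in place, the counters have to be read back, and with iptables the two per-direction rules for each service have to be added together to get the single both-directions figure that ipfwadm's -b rules give directly. The following awk-based shell function is an added example, not from the book: it parses the output of iptables -L FORWARD -v -n -x (the -x flag prints exact byte counts instead of K/M suffixes) and totals the bytes per service port across the dpt: and spt: rules. The sample listing it runs over is constructed for the example, not captured from a real router, and the port-to-name table is the example's own.

```shell
#!/bin/sh
# Added example (not from the book): total the byte counters of per-service
# accounting rules from 'iptables -L FORWARD -v -n -x'. The inbound (dpt:) and
# outbound (spt:) rule for each port are summed, giving one figure per service.

# service_report: reads the iptables listing on stdin and prints
# "port name bytes" per service port, in port order.
service_report() {
    awk '
        BEGIN {
            # port-to-name table (assumption of the example, not from the page)
            name[20] = "ftp-data"; name[21] = "ftp"; name[25] = "smtp"; name[80] = "www"
        }
        /^Chain / || /^ *pkts/ { next }          # skip the chain and column headers
        {
            # with -n and no -j target the column count varies, so locate the
            # dpt:/spt: match field by pattern; $2 is always the bytes column
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^(dpt|spt):[0-9]+$/) {
                    split($i, p, ":")
                    bytes[p[2]] += $2
                }
            }
        }
        END {
            for (port in bytes)
                print port, (port in name) ? name[port] : "other", bytes[port]
        }
    ' | sort -n
}

# Constructed sample listing (not from a real system) in the format that
# iptables -L FORWARD -v -n -x prints for accounting-only rules.
SAMPLE='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     412      30144            tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
     398      25872            tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0            tcp spt:21
    1502    2011904            tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:20
     301     188416            tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0            tcp spt:20
     122      77824            tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
      96      61440            tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0            tcp spt:25
    3210    4096000            tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    1004     512000            tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0            tcp spt:80'

# report_for_sample: run the parser over the constructed listing.
report_for_sample() {
    printf '%s\n' "$SAMPLE" | service_report
}

report_for_sample
```

On a live router, replace the sample with `iptables -L FORWARD -v -n -x | service_report`; counters are cumulative, so a billing script should record the totals and zero them with -Z at the end of each period.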