Home / server / Questions / 93121
Accepted
davr
Asked: 2009-12-11 10:55:18 +0800 CST

Shorewall / iptables accounting between specific nets?

  • 772

I have two servers on two different IPs, lets say they are: 1.2.3.4 and 5.6.7.8. In addition, they both run some virtual machines, who all have private IPs 10.0.0.*. Now, these two servers only have a single ethernet interface each. I want to track total internet traffic to/from these machines from the outside world, but I do NOT want to count any traffic between the two machines or between the virtual machines. How would I set up an accounting rule, using either shorewall's accounting configuration, or plain iptables rules, to track this?

Currently, I have no way of knowing how much internet bandwidth I'm using, since when I look at the overall stats, it includes traffic between my two servers.

Ideally of course would be to ask the router, but that's not available right now.

iptables

1 Answers

  1. Best Answer

    you could do something like this:

    TRACK_INBOUND="TRACKING_IN"
TRACK_OUTBOUND="TRACKING_OUT"
#Space separated lists of hosts(1.2.3.4),networks(1.2.3.x/y) to separate
TRACKING_IGNORE="1.2.3.4 5.6.7.8"

iptables -N $TRACK_INBOUND
iptables -F $TRACK_INBOUND
iptables -I INPUT -j $TRACK_INBOUND
for ignore in $TRACKING_IGNORE; do
    iptables -A $TRACK_INBOUND -s $ignore -j RETURN
done
iptables -A $TRACK_INBOUND  -j RETURN

iptables -N $TRACK_OUTBOUND
iptables -F $TRACK_OUTBOUND
iptables -I OUTPUT -j $TRACK_OUTBOUND
for ignore in $TRACKING_IGNORE; do
    iptables -A $TRACK_OUTBOUND -d $ignore -j RETURN
done
iptables -A $TRACK_OUTBOUND -j RETURN

    BYTES_IN=$(iptables -L $TRACK_INBOUND -nxv | tail -n 1 | awk '{print$2}')
BYTES_OUT=$(iptables -L $TRACK_OUTBOUND -nxv | tail -n 1 | awk '{print$2}')

    iptables -L $TRACK_INBOUND -nv

Chain TRACKING_IN (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       1.2.3.4              0.0.0.0/0
    0     0 RETURN     all  --  *      *       5.6.7.8              0.0.0.0/0
 123K   15M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    iptables -L $TRACK_OUTBOUND -nv

Chain TRACKING_OUT (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            1.2.3.4
    0     0 RETURN     all  --  *      *       0.0.0.0/0            5.6.7.8
 1116  679K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    • 2