7.3. IP Accounting (for Linux-2.0)

The IP accounting features of the Linux kernel allow you to collect and analyze some network usage data. The data collected comprises the number of packets and the number of bytes accumulated since the figures were last reset. You may specify a variety of rules to categorize the figures to suit your purpose. This option was removed in kernel 2.1.102 because the old ipfwadm-based firewalling was replaced by ``ipchains''.

Kernel Compile Options:

       Networking options  --->
            [*] IP: accounting

After you have compiled and installed the kernel, you need to use the ipfwadm command to configure IP accounting. There are many different ways of breaking down the accounting information. I've picked a simple example of what might be useful. You should read the ipfwadm man page for more information.

Scenario: You have an Ethernet network that is linked to the Internet via a PPP link. On the Ethernet, you have a machine that offers a number of services. You are interested in knowing how much traffic is generated by each of FTP and World Wide Web, as well as total TCP and UDP traffic.

You might use a command set that looks like the following (shown as a shell script):

        #!/bin/sh
        #
        # Flush the accounting rules
        ipfwadm -A -f
        #
        # Set shortcuts
        localnet=44.136.8.96/29
        any=0/0
        #
        # Add rules for local ethernet segment
        ipfwadm -A in  -a -P tcp -D $localnet ftp-data
        ipfwadm -A out -a -P tcp -S $localnet ftp-data
        ipfwadm -A in  -a -P tcp -D $localnet www
        ipfwadm -A out -a -P tcp -S $localnet www
        ipfwadm -A in  -a -P tcp -D $localnet
        ipfwadm -A out -a -P tcp -S $localnet
        ipfwadm -A in  -a -P udp -D $localnet
        ipfwadm -A out -a -P udp -S $localnet
        #
        # Rules for default
        ipfwadm -A in  -a -P tcp -D $any ftp-data
        ipfwadm -A out -a -P tcp -S $any ftp-data
        ipfwadm -A in  -a -P tcp -D $any www
        ipfwadm -A out -a -P tcp -S $any www
        ipfwadm -A in  -a -P tcp -D $any
        ipfwadm -A out -a -P tcp -S $any
        ipfwadm -A in  -a -P udp -D $any
        ipfwadm -A out -a -P udp -S $any
        #
        # List the rules
        ipfwadm -A -l -n
        #

The names ``ftp-data'' and ``www'' are service names resolved through /etc/services. The last command lists each of the accounting rules and displays the collected totals.

An important point to note when analyzing IP accounting is that a packet increments the counters of every rule it matches, so the totals are not mutually exclusive. To obtain differential figures you need to do the appropriate arithmetic yourself. For example, to find out how much TCP data was neither ftp nor www, subtract the ftp-data and www totals from the rule that matches all TCP ports.

root# ipfwadm -A -l -n
IP accounting rules
 pkts bytes dir prot source               destination          ports
    0     0 in  tcp  0.0.0.0/0            44.136.8.96/29       * -> 20
    0     0 out tcp  44.136.8.96/29       0.0.0.0/0            20 -> *
   10  1166 in  tcp  0.0.0.0/0            44.136.8.96/29       * -> 80
   10   572 out tcp  44.136.8.96/29       0.0.0.0/0            80 -> *
  252 10943 in  tcp  0.0.0.0/0            44.136.8.96/29       * -> *
  231 18831 out tcp  44.136.8.96/29       0.0.0.0/0            * -> *
    0     0 in  udp  0.0.0.0/0            44.136.8.96/29       * -> *
    0     0 out udp  44.136.8.96/29       0.0.0.0/0            * -> *
    0     0 in  tcp  0.0.0.0/0            0.0.0.0/0            * -> 20
    0     0 out tcp  0.0.0.0/0            0.0.0.0/0            20 -> *
   10  1166 in  tcp  0.0.0.0/0            0.0.0.0/0            * -> 80
   10   572 out tcp  0.0.0.0/0            0.0.0.0/0            80 -> *
  253 10983 in  tcp  0.0.0.0/0            0.0.0.0/0            * -> *
  231 18831 out tcp  0.0.0.0/0            0.0.0.0/0            * -> *
    0     0 in  udp  0.0.0.0/0            0.0.0.0/0            * -> *
    0     0 out udp  0.0.0.0/0            0.0.0.0/0            * -> *
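The subtraction described above can be automated. The following script is an added example and is not part of the HOWTO or of ipfwadm itself; it parses the text format of ``ipfwadm -A -l -n'' as shown in the listing, and for each direction subtracts the port-specific (ftp-data, www) totals from the catch-all ``* -> *'' rule of the same protocol and network. The embedded sample listing is constructed from the local-segment rows of the listing above so the script runs offline; the network address 44.136.8.96/29 is the example network from the text.

```python
import re
import sys
from collections import namedtuple

# One parsed line of `ipfwadm -A -l -n` output.
Rule = namedtuple("Rule", "pkts nbytes direction prot source dest sport dport")

# Constructed sample: the local-segment rules from the listing in the text,
# reproduced here so the script runs without a 2.0 kernel at hand.
SAMPLE_LISTING = """\
IP accounting rules
 pkts bytes dir prot source               destination          ports
    0     0 in  tcp  0.0.0.0/0            44.136.8.96/29       * -> 20
    0     0 out tcp  44.136.8.96/29       0.0.0.0/0            20 -> *
   10  1166 in  tcp  0.0.0.0/0            44.136.8.96/29       * -> 80
   10   572 out tcp  44.136.8.96/29       0.0.0.0/0            80 -> *
  252 10943 in  tcp  0.0.0.0/0            44.136.8.96/29       * -> *
  231 18831 out tcp  44.136.8.96/29       0.0.0.0/0            * -> *
    0     0 in  udp  0.0.0.0/0            44.136.8.96/29       * -> *
    0     0 out udp  44.136.8.96/29       0.0.0.0/0            * -> *
"""

# pkts bytes dir prot source destination sport -> dport
LINE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(in|out|both)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s*$"
)


def parse_listing(text):
    """Parse the numeric listing into Rule tuples; header lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        pkts, nbytes, direction, prot, src, dst, sport, dport = m.groups()
        rules.append(Rule(int(pkts), int(nbytes), direction, prot,
                          src, dst, sport, dport))
    return rules


def differential(rules, direction, prot, net):
    """(packets, bytes) of `prot` traffic in `direction` for `net` that no
    port-specific rule accounted for.

    Every rule a packet matches is incremented, so the catch-all rule
    ('* -> *') already contains the port-specific totals; subtracting them
    leaves the remainder. Inbound rules name the network as destination,
    outbound rules name it as source.
    """
    field = "dest" if direction == "in" else "source"
    same = [r for r in rules
            if r.direction == direction and r.prot == prot
            and getattr(r, field) == net]
    catch_all = [r for r in same if r.sport == "*" and r.dport == "*"]
    if len(catch_all) != 1:
        raise ValueError("expected exactly one catch-all rule for %s %s %s"
                         % (direction, prot, net))
    specific = [r for r in same if not (r.sport == "*" and r.dport == "*")]
    pkts = catch_all[0].pkts - sum(r.pkts for r in specific)
    nbytes = catch_all[0].nbytes - sum(r.nbytes for r in specific)
    return pkts, nbytes


def main():
    # Read a real listing from a pipe, or fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    rules = parse_listing(text)
    net = "44.136.8.96/29"  # the example network from the text
    for direction in ("in", "out"):
        pkts, nbytes = differential(rules, direction, "tcp", net)
        print("%-3s tcp not ftp/www: %d packets, %d bytes"
              % (direction, pkts, nbytes))


if __name__ == "__main__":
    main()
```

Run it as ``ipfwadm -A -l -n | python3 accounting.py'' on a live system, or with no input to use the embedded sample. For the sample, inbound TCP that is neither ftp-data nor www comes to 242 packets and 9777 bytes (252 minus 10 packets, 10943 minus 1166 bytes), and outbound to 221 packets and 18259 bytes. The script refuses to compute a figure when it cannot find exactly one catch-all rule for the requested direction, protocol and network, since the subtraction is meaningless without it.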

7.3.1. IP Accounting (for Linux-2.2)

The new accounting code is accessed via ``IP Firewall Chains''. See the IP chains home page for more information. You'll now need to use ipchains instead of ipfwadm to configure your filters. (From Documentation/Changes in the latest kernel sources).