How-To use iptables as a Bandwidth monitoring tool ######################################################################### # Searchable Keywords: iptables bandwidth # #########################################################################

Summary: You wouldn't think you could actually use iptables to monitor bandwidth, ports interfaces and more. If you have a machine that has iptables and you are already behind a firewall and don't need any special filtering done for that host and sometimes even if you do. This method could give a cheap and easy way to monitor bandwidth, ports or interfaces. ------- Setup the rules to collect the data -------- Our example will monitor will 3 interfaces on a Red Hat host. - # uname -a Linux linuxhost.mydomain.com 2.6.18-194.el5 #1 SMP Mon Mar 29 22:10:29 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux - # rpm -qa |grep iptable iptables-1.3.5-5.3.el5_4.1 iptables-ipv6-1.3.5-5.3.el5_4.1 - # chkconfig --list iptables iptables 0:off 1:off 2:off 3:on 4:off 5:on 6:off - You can run these from the cmd line or you can put them in a script. - Once you run them from the cmd line you can make them permmant by running "iptables-save" of you can flush them away with "iptables -F" Create out new chains: [root@linuxhost iptables-bw]# iptables -N interf-1 [root@linuxhost iptables-bw]# iptables -N interf-2 [root@linuxhost iptables-bw]# iptables -N interf-3 Append to the INPUT chain to jump to the new chains: NOTE: the "-i" option can only be used on chains INPUT, FORWARD and PREROUTING [root@linuxhost iptables-bw]# iptables -A INPUT -i eth0 -j interf-1 [root@linuxhost iptables-bw]# iptables -A INPUT -i eth1 -j interf-2 [root@linuxhost iptables-bw]# iptables -A INPUT -i eth2 -j interf-3 [root@linuxhost iptables-bw]# iptables -A OUTPUT -j interf-1 [root@linuxhost iptables-bw]# iptables -A OUTPUT -j interf-2 [root@linuxhost iptables-bw]# iptables -A OUTPUT -j interf-3 Associate a IP/interface: [root@linuxhost iptables-bw]# iptables -A interf-1 -d 172.23.18.184/32 [root@linuxhost iptables-bw]# iptables -A interf-2 -d 172.23.18.185/32 [root@linuxhost iptables-bw]# iptables -A interf-3 -d 172.23.18.190/32 [root@linuxhost iptables-bw]# iptables -A interf-1 -s 172.23.18.184/32 [root@linuxhost iptables-bw]# iptables -A interf-2 -s 172.23.18.185/32 [root@linuxhost iptables-bw]# iptables -A interf-3 -s 172.23.18.190/32 List our new rules: [root@linuxhost iptables-bw]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination interf-1 all -- anywhere anywhere interf-2 all -- anywhere anywhere interf-3 all -- anywhere anywhere Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination interf-1 all -- anywhere anywhere interf-2 all -- anywhere anywhere interf-3 all -- anywhere anywhere Chain interf-1 (2 references) target prot opt source destination all -- anywhere linuxhost all -- linuxhost anywhere Chain interf-2 (2 references) target prot opt source destination all -- anywhere linuxhost-2 all -- linuxhost-2 anywhere Chain interf-3 (2 references) target prot opt source destination all -- anywhere linuxhost-3 all -- linuxhost-3 anywhere List only the INPUT stats: Note the "pkts" and "bytes" columns [root@linuxhost iptables-bw]# iptables -v -n -L INPUT Chain INPUT (policy ACCEPT 25922 packets, 3509K bytes) pkts bytes target prot opt in out source destination 880 109K interf-1 all -- * * 0.0.0.0/0 0.0.0.0/0 868 106K interf-2 all -- * * 0.0.0.0/0 0.0.0.0/0 852 101K interf-3 all -- * * 0.0.0.0/0 0.0.0.0/0 List only the OUTPUT stats: Note the "pkts" and "bytes" columns [root@linuxhost iptables-bw]# iptables -v -n -L OUTPUT Chain OUTPUT (policy ACCEPT 14500 packets, 1987K bytes) pkts bytes target prot opt in out source destination 426 40038 interf-1 all -- * * 0.0.0.0/0 0.0.0.0/0 418 39418 interf-2 all -- * * 0.0.0.0/0 0.0.0.0/0 411 38754 interf-3 all -- * * 0.0.0.0/0 0.0.0.0/0 NOTE: the same princple can be applied linux firewalls using the FORWARD chain to collect stats on interface use. Say for departments or subnets you need to log usage of or have quotas on. --------- A script to display the statistics --------- #----------------------------------------------------------------# #!/bin/sh ######################################################### # Author: Gary Keen # # Date: 3/14/11 # # Descritption: A script to run iptables # # list against the existing iptables # # rule set. This script is dependant # # on the iptables rules in order to # # monitor IP traffic and usage. # # # # NOTE: See iptable rules for configuration that # # support this monitoring tool. Please feel free # # to tweak this script to fit what stats you wish # # to see. # # INFS="INPUT OUTPUT" I included these chains because # # they display holistic stats on the host. # # To reset the stats you can accomplish this in # # several ways. 1) saving the rules and then # # restarting iptables. # # ######################################################### # IPTBLS=/sbin/iptables echo echo "Current iptables chains for IP interfaces" $IPTBLS -L INPUT | grep interf | awk '{print $1}' INFS=`$IPTBLS -L INPUT | grep interf | awk '{print $1}'` echo echo " We will now display the current packets and bytes." echo " for each interface." echo sleep 3 while true do echo "#=============================================================#" for INF in $INFS INPUT OUTPUT do echo $INF $IPTBLS -v -n -L $INF echo sleep 4 done done #----------------------------------------------------------------# --- Results of script --- NOTE: packets and bytes on the left side. You can reset these stats by restarting iptables. Wed Apr 13 01:52:06 PDT 2011 This shows the incoming IP traffic through network interfaces Chain interf-1 (2 references) pkts bytes target prot opt in out source destination 1095M 1078G all -- * * 0.0.0.0/0 172.23.14.180 436M 1037G all -- * * 172.23.14.180 0.0.0.0/0 Wed Apr 13 01:54:06 PDT 2011 This shows the incoming IP traffic through network interfaces Chain interf-2 (2 references) pkts bytes target prot opt in out source destination 0 0 all -- * * 0.0.0.0/0 172.23.14.181 300 14088 all -- * * 172.23.14.181 0.0.0.0/0 Wed Apr 13 01:56:06 PDT 2011 This shows the incoming IP traffic through network interfaces Chain interf-3 (2 references) pkts bytes target prot opt in out source destination 0 0 all -- * * 0.0.0.0/0 172.23.14.182 300 14088 all -- * * 172.23.14.182 0.0.0.0/0 Wed Apr 13 01:58:06 PDT 2011 This shows the incoming IP traffic through network interfaces Chain interf-4 (2 references) pkts bytes target prot opt in out source destination 315 14796 all -- * * 0.0.0.0/0 172.23.14.183 300 14088 all -- * * 172.23.14.183 0.0.0.0/0