Differences

This shows you the differences between two versions of the page.

--- linux:iptables [2013/08/08 11:45]
a old revision restored
+++ linux:iptables [2013/10/25 15:16] (current)
a add Per user traffic accounting (moved from linux:networking)
@@ Line 1: / Line 1: @@
-====== Linux firewalling (netfilter/iptables stuff) ======
+====== Linux filtering / firewalling (netfilter/iptables stuff) ======
@@ Line 52: / Line 52: @@
-=====Strategy for penalising IPs with too many  simultaneous sessions  =====
+===== Per user traffic accounting =====
+Modern times require you to know how much traffic each user on a system is generating. A lightweight and unobtrusive way to do it is:
+<code bash>
+iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark
+for interesting user in /etc/passwd #implementation dependent
+do
+        #mark all user packets with their uid
+        iptables -A OUTPUT -t mangle -m owner --uid-owner $uid -j MARK --set-mark $uid
+        iptables -A OUTPUT -t mangle -m owner --uid-owner $uid -j CONNMARK --save-mark
+        #add rules to count packets
+        iptables -A PREROUTING -t mangle -m mark --mark $uid -m comment --comment "count $user"
+        iptables -A POSTROUTING -t mangle -m mark --mark $uid -m comment --comment "count $user"
+done
+</code>
+Integrating this with existing firewall rules is left as an excercise for the reader.
+Observing counters is as easy as
+<code bash>
+watch "iptables -nvL PREROUTING -t mangle; echo; iptables -nvL POSTROUTING -t mangle"
+</code>
+Or you can parse them periodically and store values somewhere for further processing.
+This method identifies which user caused some traffic only for the traffic that is initiated on the machine. Traffic that originates on a remote system is not caught. I haven't yet found a way to make this work for this case too.
+Tested on rhel6.
+===== Strategy for penalising IPs with too many  simultaneous sessions  =====
 Something like this (eth0 is the user's network):