linux:iptables [2013/08/08 11:45]
a old revision restored
linux:iptables [2013/10/25 15:16] (current)
a add Per user traffic accounting (moved from linux:networking)
Line 1: Line 1:
-====== Linux firewalling (netfilter/iptables stuff) ======+====== Linux filtering / firewalling (netfilter/iptables stuff) ======
Line 52: Line 52:
-=====Strategy for penalising IPs with too many  simultaneous sessions  =====+===== Per user traffic accounting ===== 
 +Modern times require you to know how much traffic each user on a system is generating. A lightweight and unobtrusive way to do it is: 
 +<code bash> 
 +iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark 
 +for interesting user in /etc/passwd #implementation dependent 
 +        #mark all user packets with their uid 
 +        iptables -A OUTPUT -t mangle -m owner --uid-owner $uid -j MARK --set-mark $uid 
 +        iptables -A OUTPUT -t mangle -m owner --uid-owner $uid -j CONNMARK --save-mark 
 +        #add rules to count packets 
 +        iptables -A PREROUTING -t mangle -m mark --mark $uid -m comment --comment "count $user"  
 +        iptables -A POSTROUTING -t mangle -m mark --mark $uid -m comment --comment "count $user" 
 +Integrating this with existing firewall rules is left as an excercise for the reader. 
 +Observing counters is as easy as 
 +<code bash> 
 +watch "iptables -nvL PREROUTING -t mangle; echo; iptables -nvL POSTROUTING -t mangle" 
 +Or you can parse them periodically and store values somewhere for further processing. 
 +This method identifies which user caused some traffic only for the traffic that is initiated on the machine. Traffic that originates on a remote system is not caught. I haven't yet found a way to make this work for this case too. 
 +Tested on rhel6. 
 +===== Strategy for penalising IPs with too many  simultaneous sessions  =====
 Something like this (eth0 is the user's network): Something like this (eth0 is the user's network):
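Review bot: both `<code bash>` blocks in this hunk (the one opened before `iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark` and the one before the `watch` line) are never closed with `</code>`, so DokuWiki will render everything from the first block to the end of the section as one code box; add `</code>` after the last `iptables -A POSTROUTING ...` line of the loop and after the `watch` command. The loop itself is a sketch rather than shell: `for interesting user in /etc/passwd` is not valid syntax, there is no `do`/`done`, and `$uid` and `$user` are never assigned, so anyone pasting it gets a parse error instead of rules. Since the comment already says "implementation dependent", either label the block as pseudocode or use a header that reads the fields, e.g. `while IFS=: read -r user _ uid _; do` ... `done < /etc/passwd`, and skip the system accounts whose traffic you do not want counted. One logic point: using the uid directly as the mark means root (uid 0) gets mark 0, which is indistinguishable from "no mark", so `-m mark --mark 0` would count every unmarked packet as root's; add a fixed offset to the uid (and subtract it when reading the counters) or exclude uid 0. When integrating with existing rules, also note that `MARK --set-mark $uid` overwrites any mark already placed on the packet, so this scheme conflicts with other sections of the page that use fwmark. Two small things: the counting rules deliberately have no `-j` target (they exist only for their packet/byte counters), and a short comment saying so will stop a later editor from "fixing" them; and "excercise" should be "exercise".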
linux/iptables.1375955110.txt.gz · Last modified: 2013/08/08 11:45 by a
CC Attribution-Share Alike 4.0 International