Differences
linux:iptables [2013/08/12 16:07] zagi: old revision restored
linux:iptables [2013/10/25 15:16] (current) a: add Per user traffic accounting (moved from linux:networking)
Line 1: | Line 1: | ||
- | ====== Linux firewalling (netfilter/ | + | ====== Linux filtering / firewalling (netfilter/ |
Line 52: | Line 52: | ||
- | =====Strategy for penalising IPs with too many simultaneous sessions | + | ===== Per user traffic accounting ===== |
+ | |||
+ | Modern times require you to know how much traffic each user on a system is generating. A lightweight and unobtrusive way to do it is: | ||
+ | <code bash> | ||
+ | iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark | ||
+ | for interesting user in /etc/passwd # | ||
+ | do | ||
+ | #mark all user packets with their uid | ||
+ | iptables -A OUTPUT -t mangle -m owner --uid-owner $uid -j MARK --set-mark $uid | ||
+ | iptables -A OUTPUT -t mangle -m owner --uid-owner $uid -j CONNMARK --save-mark | ||
+ | #add rules to count packets | ||
+ | iptables -A PREROUTING -t mangle -m mark --mark $uid -m comment --comment "count $user" | ||
+ | iptables -A POSTROUTING -t mangle -m mark --mark $uid -m comment --comment "count $user" | ||
+ | done | ||
+ | </ | ||
+ | |||
+ | Integrating this with existing firewall rules is left as an excercise for the reader. | ||
+ | |||
+ | Observing counters is as easy as | ||
+ | <code bash> | ||
+ | watch " | ||
+ | </ | ||
+ | Or you can parse them periodically and store values somewhere for further processing. | ||
+ | |||
+ | This method identifies which user caused some traffic only for the traffic that is initiated on the machine. Traffic that originates on a remote system is not caught. I haven' | ||
+ | |||
+ | Tested on rhel6. | ||
+ | |||
+ | |||
+ | ===== Strategy for penalising IPs with too many simultaneous sessions | ||
Something like this (eth0 is the user's network): | Something like this (eth0 is the user's network): |
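Review bot: The accounting loop in the added block never assigns `$uid` from `$user`: `for interesting user in /etc/passwd` is pseudocode, so `--uid-owner $uid`, `--set-mark $uid` and `--mark $uid` would run with an empty value and iptables would reject the rules. Iterating the real records sets both variables, e.g. `getent passwd | awk -F: '$3 >= 1000 {print $1, $3}' | while read -r user uid; do ... done`. Two further points on the same block: uid 0 becomes mark 0, which is the unmarked default, so root's traffic is indistinguishable from packets that were never marked, and raw uids can collide with fwmarks already used for policy routing; adding a fixed offset to the uid before using it as the mark (and matching on that same value) avoids both. The caveat paragraph could also state the reason plainly: `-m owner` is only valid in OUTPUT and POSTROUTING, so packets of a remote-initiated connection carry no mark until a local reply has passed OUTPUT and been saved with CONNMARK. Minor: "excercise" should read "exercise".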