Asim Ahmed Khan
2007-Mar-30 11:01 UTC
Capturing / Blocking Internet usage from particular IPs
Hi,

I am using shorewall 3.0.5 on Fedora Core 4. Is it possible that I can capture / monitor traffic usage (internet usage) from any particular IP and, if required, block his traffic based on a condition? Any help greatly appreciated.

--
Regards,
Asim Ahmed
Tom Eastep
2007-Mar-30 16:26 UTC
Re: Capturing / Blocking Internet usage from particular IPs
Asim Ahmed Khan wrote:
> Hi,
>
> I am using shorewall 3.0.5 on Fedora Core 4. Is it possible that I
> can capture / monitor traffic usage (internet usage) from any particular
> IP and, if required, block his traffic based on a condition? Any help
> greatly appreciated.

From http://www.shorewall.net/Introduction.html:

    Shorewall is not a daemon. Once Shorewall has configured Netfilter,
    its job is complete and there is no “Shorewall process” left
    running in your system.

It follows that Shorewall itself cannot monitor anything.

If you have an external application that monitors traffic and decides that it wants to block traffic from a particular address, it can do so by using the "shorewall drop" or "shorewall reject" commands.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Andrew Suffield
2007-Mar-30 16:55 UTC
Re: Capturing / Blocking Internet usage from particular IPs
On Fri, Mar 30, 2007 at 09:26:28AM -0700, Tom Eastep wrote:
> Asim Ahmed Khan wrote:
> > Hi,
> >
> > I am using shorewall 3.0.5 on Fedora Core 4. Is it possible that I
> > can capture / monitor traffic usage (internet usage) from any particular
> > IP and, if required, block his traffic based on a condition? Any help
> > greatly appreciated.
>
> From http://www.shorewall.net/Introduction.html:
>
>     Shorewall is not a daemon. Once Shorewall has configured Netfilter,
>     its job is complete and there is no "Shorewall process" left
>     running in your system.
>
> It follows that Shorewall itself cannot monitor anything.
>
> If you have an external application that monitors traffic and decides that
> it wants to block traffic from a particular address, it can do so by using
> the "shorewall drop" or "shorewall reject" commands.

Although if you're just blocking an IP address entirely, and you're doing a lot of them (few hundred or more), it's far more efficient to use a null route (netfilter itself is quite slow compared to the routing table).
Asim Ahmed Khan
2007-Mar-31 09:26 UTC
Re: Capturing / Blocking Internet usage from particular IPs
Hi Tom,

thanx for your suggestion. Being not-very-clever in linux, I would appreciate it if you or anyone else can suggest me something through which I can find out which user on my network is consuming / utilizing heavy internet bandwidth. This is my major problem: to find out which user on my network is choking the bandwidth pipe. I'm using shorewall 3.0.5 on Fedora Core 4.

* One more thing, if anybody can guide me on: I want to upgrade to the latest version of shorewall (3.4.1). Are there any compatibility / upgrade issues while upgrading or after upgradation? And is this command sufficient to do it: rpm -uvh shorewall-x.x.x ?

regards,
-Asim.

On 3/30/07, Tom Eastep <teastep@shorewall.net> wrote:
> Asim Ahmed Khan wrote:
> > Hi,
> >
> > I am using shorewall 3.0.5 on Fedora Core 4. Is it possible that I
> > can capture / monitor traffic usage (internet usage) from any particular
> > IP and, if required, block his traffic based on a condition? Any help
> > greatly appreciated.
>
> From http://www.shorewall.net/Introduction.html:
>
>     Shorewall is not a daemon. Once Shorewall has configured Netfilter,
>     its job is complete and there is no "Shorewall process" left
>     running in your system.
>
> It follows that Shorewall itself cannot monitor anything.
>
> If you have an external application that monitors traffic and decides that
> it wants to block traffic from a particular address, it can do so by using
> the "shorewall drop" or "shorewall reject" commands.
>
> -Tom

--
Regards,
Asim Ahmed Khan
Marcos Dione
2007-Apr-05 22:14 UTC
Re: Capturing / Blocking Internet usage from particular IPs
On Sat, Mar 31, 2007 at 02:26:17PM +0500, Asim Ahmed Khan wrote:
> thanx for your suggestion. Being not-very-clever in linux, I would
> appreciate it if you or anyone else can suggest me something through which I
> can find out which user on my network is consuming / utilizing heavy
> internet bandwidth. This is my major problem: to find out which user on my
> network is choking the bandwidth pipe. I'm using shorewall 3.0.5 on Fedora Core
> 4.

(3 years later) you can try to use iptraf in the router to see what's going on. I think you can also use it in a workstation and it will capture all the traffic in the net, but I'm not sure. Hope it helps.

--
(Not so) Random fortune:
A programming language is low level when its programs require attention to the irrelevant.
Tom Eastep
2007-Apr-05 22:15 UTC
Re: Capturing / Blocking Internet usage from particular IPs
Marcos Dione wrote:
> On Sat, Mar 31, 2007 at 02:26:17PM +0500, Asim Ahmed Khan wrote:
>> thanx for your suggestion. Being not-very-clever in linux, I would
>> appreciate it if you or anyone else can suggest me something through which I
>> can find out which user on my network is consuming / utilizing heavy
>> internet bandwidth. This is my major problem: to find out which user on my
>> network is choking the bandwidth pipe. I'm using shorewall 3.0.5 on Fedora Core
>> 4.
>
> (3 years later) you can try to use iptraf in the router to see what's going
> on. I think you can also use it in a workstation and it will capture all the
> traffic in the net, but I'm not sure. Hope it helps.

ntop also works well.

-Tom
Jan Mulders
2007-Apr-06 20:38 UTC
Re: Capturing / Blocking Internet usage from particular IPs
I recommend using vnstat (with the -rx eth0 or tx eth0 options to show quick-and-dirty bandwidth graphs for the respective interfaces) to see if there's a problem, iptraf to work out who's doing it, and ntop to find out what they're doing (nice shiny protocol and user breakdown via web page).

I've monitored the 'net usage at several restricted-bandwidth events (LAN parties for example), and that's done just fine. If someone's hogging all the bandwidth, add a DROP rule for their IP address on all protocols (DROP net lan:11.22.33.44 all - - if I remember correctly), restart shorewall (or you can learn how to manually add DROP-style rules to iptables, which doesn't require a shorewall restart which can sometimes interrupt traffic), and wait for the wailing and gnashing of teeth.

Also, if you're running dhcpd on the same box, you can look in the dhcp leases file to figure out the machine name of the culprit - always useful if you're potentially in the same room as them (not sure if this applies to you).

Hope this helps,
Jan

On 05/04/07, Tom Eastep <teastep@shorewall.net> wrote:
> Marcos Dione wrote:
> > On Sat, Mar 31, 2007 at 02:26:17PM +0500, Asim Ahmed Khan wrote:
> >> thanx for your suggestion. Being not-very-clever in linux, I would
> >> appreciate it if you or anyone else can suggest me something through which I
> >> can find out which user on my network is consuming / utilizing heavy
> >> internet bandwidth. This is my major problem: to find out which user on my
> >> network is choking the bandwidth pipe. I'm using shorewall 3.0.5 on Fedora Core
> >> 4.
> >
> > (3 years later) you can try to use iptraf in the router to see what's going
> > on. I think you can also use it in a workstation and it will capture all the
> > traffic in the net, but I'm not sure. Hope it helps.
>
> ntop also works well.
>
> -Tom
Andrew Suffield
2007-Apr-06 22:40 UTC
Re: Capturing / Blocking Internet usage from particular IPs
On Fri, Apr 06, 2007 at 09:38:31PM +0100, Jan Mulders wrote:
> parties for example), and that's done just fine. If someone's hogging all
> the bandwidth, add a DROP rule for their IP address on all protocols (DROP
> net lan:11.22.33.44 all - - if I remember correctly), restart shorewall
> (or you can learn how to manually add DROP-style rules to iptables, which
> doesn't require a shorewall restart which can sometimes interrupt traffic),
> and wait for the wailing and gnashing of teeth.

The command to remember is:

    ip route add prohibit 1.2.3.4

The routing table is massively more efficient than netfilter (O(log log N) instead of O(N)), and this arranges for everybody to automatically get the right error messages - remote hosts get ICMP "communication administratively prohibited".

As a general rule, if something can be done with the routing table, it should be done there. Netfilter is stupid and slow by comparison (although it can do far more weird stuff, like NAT).
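
Added example, not part of any message in this thread and not Shorewall's own code: a sketch of the "external application" glue Tom describes, which turns per-address byte counts into either `shorewall drop` commands or the `ip route add prohibit` form Andrew gives. The input format (one "address bytes" pair per line), the threshold, the allowlist and every function name are assumptions, and the sample counts are constructed.

```shell
#!/bin/sh
# Added example: per-address byte counts in, block commands out (dry run).
# Assumed input: one "<ipv4> <bytes>" pair per line from a traffic monitor.
THRESHOLD=1000000000     # bytes per sampling interval (assumed limit)
ALLOW="192.168.1.1"      # space-separated addresses that are never blocked
METHOD=shorewall         # "shorewall" (netfilter) or "route" (routing table)

# Print, sorted, every address whose summed byte count exceeds THRESHOLD.
heavy_hosts() {
    awk -v limit="$THRESHOLD" -v allow="$ALLOW" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        # Accept only a strict dotted quad plus a decimal counter, so no other
        # text from the feed can end up on a command line that runs as root.
        NF == 2 && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $2 ~ /^[0-9]+$/ {
            split($1, o, "."); ok = 1
            for (i = 1; i <= 4; i++) if (o[i] > 255) ok = 0
            if (ok && !($1 in skip)) total[$1] += $2
        }
        END { for (ip in total) if (total[ip] > limit) print ip }
    ' | sort
}

# Emit one block command per heavy host. Nothing is executed here; review the
# output, then pipe it to "sh" as root.
block_commands() {
    heavy_hosts | while read -r ip; do
        case "$METHOD" in
            route) echo "ip route add prohibit $ip" ;;
            *)     echo "shorewall drop $ip" ;;
        esac
    done
}

# Constructed sample: .10 appears twice, .1 is allowlisted, two lines are bad.
sample_counts() {
    cat <<'EOF'
192.168.1.10 700000000
192.168.1.11 12000000
192.168.1.10 600000000
192.168.1.1 9000000000
bogus;entry 9000000000
999.1.1.1 9000000000
192.168.1.13 2000000000
EOF
}

sample_counts | block_commands
```

Both actions are runtime state and can be reversed: `shorewall allow <address>` undoes a `shorewall drop`, and `ip route del prohibit <address>` removes the route.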