Hi all

I have RH 9.0
PIII with 550MHz
512MB RAM

working fine with iptables + TC + HTB.

Now I want to make an accounting system using ULOG, so I intend to send all logs to MySQL so I can make my own graphs:

iptables -A INPUT -j ULOG
iptables -A FORWARD -j ULOG
iptables -A OUTPUT -j ULOG

The server is connected to several clients. Will this server have any impact on performance, or can this PC handle it easily? How can I calculate the PC configuration? Any help?

hare

With

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
On Wednesday 27 August 2003 07:46, hare ram wrote:
> Hi all
>
> I have RH 9.0
> PIII with 550Mhz
> 512MB RAM
>
> working fine with Iptables+TC+HTB
>
> Now i want o make accounting system using ULOG
>
> so i introduced to send all logs to Mysql
> So i can make my own Graphs
>
> iptables -A INPUT -j ULOG
> iptables -A FORWARD -j ULOG
> iptables -A OUTPUT -j ULOG
>
> the Server is connected to Several Clients
>
> does this server will have any Impact of performance
> or this PC can handle Easily
>
> how can caluculate the PC configuration,

The needed configuration also depends on how many logs you will have and how you are going to process them. And do you really want to log everything? If you are interested in what's going through your firewall, you can also log the connections. Or you can install ntop on the firewall.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
Hi Stef

Thanks for the reply.

Yes, I would like to do accounting by source IP, so I need to log all the traffic, so I will know how much data each IP is transferring.

With my configuration, is there any performance issue? I may have more than thousands passing through this firewall or QoS server. So will my PC have any performance issue, or does this configuration need any modification?

Thanks
hare

----- Original Message -----
From: "Stef Coene" <stef.coene@docum.org>
To: "hare ram" <hareram@sol.net.in>; <netfilter@lists.samba.org>
Cc: <lartc@mailman.ds9a.nl>
Sent: Wednesday, August 27, 2003 9:00 PM
Subject: Re: [LARTC] Performanace fo the Iptables Server

> The needed configutation also depends on how many logs you will have and how
> you are going to proces them.
> And do you really want to log everything? If you are interested in what's
> going thru your firewall, you can also log the connections. Or you can
> install ntop on the firewall.
>
> Stef
On Wednesday 27 August 2003 19:03, hare ram wrote:
> Hi Stef
>
> thanks for the reply
>
> yes i would like to do accounting the source IP
> so i need to log them all the traffic,
> so i will know each IP how much transfering DATA
>
> with my configuration, is there any performance issue
> i may have more than thousands of passing through this firewall or qos
> server
>
> so my PC will have any performance issue or,
> this configuration need any modification

You don't have to log each packet to do accounting. If you create 1 iptables rule for each src address, you know how many packets and bytes that src address transmitted.

iptables -A INPUT -s 192.168.1.0
iptables -A INPUT -s 192.168.1.1
iptables -A INPUT -s 192.168.1.2

iptables -L -v -n
Chain INPUT (policy DROP 47 packets, 5842 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      *       192.168.1.0          0.0.0.0/0
    0     0            all  --  *      *       192.168.1.1          0.0.0.0/0
    0     0            all  --  *      *       192.168.1.2          0.0.0.0/0

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
Hi Stef

How about source and destination port, and protocol-wise bytes transferred (like http, ftp, icmp, udp), if I want to track that?

Next limitation: if the server goes down, the traffic will be zero; that will be another limitation.

If I send all the traffic to MySQL, I can get the old data too.

Maybe you can correct me if my thinking is wrong; correct me with the best methods to do this.

hare

----- Original Message -----
From: "Stef Coene" <stef.coene@docum.org>
To: "hare ram" <hareram@sol.net.in>; <netfilter@lists.samba.org>
Cc: <lartc@mailman.ds9a.nl>
Sent: Wednesday, August 27, 2003 10:47 PM
Subject: Re: [LARTC] Performanace fo the Iptables Server

> You don't have to log each packet to do accounting. If you create 1 iptables
> rule for each src address, you know how many packets and bytes that that src
> address transmitted.
>
> iptables -A INPUT -s 192.168.1.0
> iptables -A INPUT -s 192.168.1.1
> iptables -A INPUT -s 192.168.1.2
>
> iptables -L -v -n
>
> Stef
On Wednesday 27 August 2003 19:31, hare ram wrote:
> Hi Stef
>
> How about Source and Desitination port, and protocol wise bytes transfer (
> like http, ftp, icmp, udp), if i want to track.
>
> next limitation, if the Server goes down, the traffic will be zero, that
> will be another Limitation

Not true. If you record the counters each 5 minutes, you lose max 5 minutes of counters. You can record the difference between the 2 reads and discard negative values.

> If i send the all the traffic to Mysql, so i can get the old data to.
>
> may be you can correct me if, i may be wrong thinking
>
> correct me with the best methods to do

If you really want it very detailed (src/dst address/port), you indeed have to log it to MySQL or so. You can calculate the number of updates you have to do to MySQL and simulate this on a test box.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
Hi Stef

That's right: if I make a cron job run every 5 min, I will lose only 5 min of data.

I did not understand "You can record the difference between the 2 reads and discard negative values." You mean to say that if the bytes from the first 5 min to the next 5 min are increasing, OK; if not, I discard and take new values. Is that what you mean?

If I make the log to MySQL, it will be 24 hours, right? Is there anything I can do to dump the data to MySQL every 5 min using ULOG?

hare

----- Original Message -----
From: "Stef Coene" <stef.coene@docum.org>
To: "hare ram" <hareram@sol.net.in>; <netfilter@lists.samba.org>
Cc: <lartc@mailman.ds9a.nl>
Sent: Wednesday, August 27, 2003 11:11 PM
Subject: Re: [LARTC] Performanace fo the Iptables Server

> Not true. If you record the counters each 5 minutes, you loose max 5 minutes
> of counters. You can record the difference between the 2 reads and discard
> negative values.
>
> If you really want it very detailed (src/dst - address/port), you indeed have
> to log it to mysql or so.
> You can calulcate the number of updates you have to do mysql and simulate this
> on a test box.
>
> Stef
Hi Hare

This has been a subject of some interest to me, so if I can give a couple of points that may be of use --

1) Harald Welte has a ulog target in iptables which sends traffic to MySQL. If you need summary statistics by protocol, then you may want to fiddle with the source; however

2) iptables does not give you wire level accounting -- if you're trying to account for what was sent over the wire (or if that's what you're billing or being billed for), then ulog is not the appropriate tool. You'll need to look at iptraf/libpcap/MySQL. We're currently designing such a tool based on libpcap and are building from scratch -- trying to convince bosses to put it into the public domain ...

There is also ntop which can gather into MySQL, but I believe that you might have to go back a version or two. ntop uses libpcap, so you'll get the wire level you need (http://www.ntop.org)

Ciao
Charles

On Wed, 2003-08-27 at 19:31, hare ram wrote:
> Hi Stef
>
> How about Source and Desitination port, and protocol wise bytes transfer (
> like http, ftp, icmp, udp), if i want to track.
>
> next limitation, if the Server goes down, the traffic will be zero, that
> will be another Limitation
>
> If i send the all the traffic to Mysql, so i can get the old data to.
>
> may be you can correct me if, i may be wrong thinking
>
> correct me with the best methods to do
>
> hare
On Wed 27/08/2003 at 19:41, Stef Coene wrote:
> On Wednesday 27 August 2003 19:31, hare ram wrote:
> > Hi Stef
>
> If you really want it very detailed (src/dst - address/port), you indeed have
> to log it to mysql or so.
> You can calulcate the number of updates you have to do mysql and simulate this
> on a test box.

As the mark you can put on the packet is quite long, you can use a mask system: [IP user][proto]. Then the script only has to split the information contained in the mark. That adds a multiplicative factor to the number of rules, but that's all. So no need to use MySQL.

By the way, you will need to use connmark to track non-linear protocols like ftp.

BR,
--
Eric Leblond
Nufw : http://www.nufw.org
On Wednesday 27 August 2003 19:50, hare ram wrote:
> Hi Stef
>
> Thats right, if i make cron job run every 5min, so i will loose only 5min
> of data.
>
> i was not understand
> " You can record the difference between the 2 reads and discard
> negative values. "
>
> you mean to say first 5min and next 5min bytes increasing ok
> if not i will discard and take new values you mean.

You can also store the difference between 2 readings. Otherwise your counters will increase forever.

> If i make the log to mysql, so it will be 24hours right
> is there anything i can make every 5min dump the data to Mysql using ULOG

You can try to redirect the ULOG to a named pipe or a shell script.

Named pipe example:

mkfifo test
echo 1 > test &
echo 2 > test &
echo 3 > test &
cat test
3
2
1
[1]   Done    echo 1 >test
[2]-  Done    echo 2 >test
[3]+  Done    echo 3 >test

So the numbers 1, 2 and 3 were cached in the named pipe until the cat command was executed.

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
>>>>> "Hare" == hare ram <hareram@sol.net.in> writes:

Hare> Hi Stef Thats right, if i make cron job run every 5min, so i
Hare> will loose only 5min of data.

Hare> i was not understand " You can record the difference between
Hare> the 2 reads and discard negative values. "

Hare> you mean to say first 5min and next 5min bytes increasing ok
Hare> if not i will discard and take new values you mean.

Hare> If i make the log to mysql, so it will be 24hours right is
Hare> there anything i can make every 5min dump the data to Mysql
Hare> using ULOG

...or just use iptables -L -v -z to read the counters afresh each 5 minutes. -z will zero them out after displaying the current values.

-- Raju

--
Raj Mathur raju@kandalaya.org http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
It is the mind that moves
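An added example, not written by anyone in this thread, of the counter-delta accounting Stef describes and hare asks about: parse two `iptables -L INPUT -v -n -x` listings taken 5 minutes apart, book the per-source byte difference, and discard a negative difference as a counter reset rather than traffic. The two snapshots are constructed sample data so the script runs offline, and the cron state and log paths are placeholders.

```shell
#!/bin/sh
# Per-source accounting from iptables counters, read every 5 minutes.
# Constructed sample of `iptables -L INPUT -v -n -x` output (-x keeps byte
# counts exact instead of "96K"): two snapshots 5 minutes apart. The
# counter for 192.168.1.3 went backwards (rules reloaded or box rebooted),
# so that interval must be discarded, not booked as a huge negative value.
PREV='Chain INPUT (policy DROP 47 packets, 5842 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120      96000            all  --  *      *       192.168.1.1          0.0.0.0/0
      40      12000            all  --  *      *       192.168.1.2          0.0.0.0/0
     900     700000            all  --  *      *       192.168.1.3          0.0.0.0/0'
CURR='Chain INPUT (policy DROP 50 packets, 6000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     150     120000            all  --  *      *       192.168.1.1          0.0.0.0/0
      40      12000            all  --  *      *       192.168.1.2          0.0.0.0/0
      10       8000            all  --  *      *       192.168.1.3          0.0.0.0/0'

# Print "source bytes" for each rule row. The first dotted-quad field after
# the two counters is the source column, whether or not the rule has a target.
counters() {
    printf '%s\n' "$1" | awk 'NR > 2 {
        for (i = 3; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) { print $i, $2; break }
    }'
}

# Emit "source delta_bytes" for every source present in both snapshots whose
# counter did not go backwards. A negative difference means the counter was
# reset, so it is dropped, as Stef suggests.
account_delta() {
    { counters "$1" | sed 's/^/P /'; counters "$2" | sed 's/^/C /'; } |
    awk '$1 == "P" { prev[$2] = $3 }
         $1 == "C" && ($2 in prev) { d = $3 - prev[$2]; if (d >= 0) print $2, d }'
}

# Cron step: diff the live listing against the saved one, append
# "epoch source bytes" rows (easy to bulk-load into MySQL later), then save
# the new listing. Paths are placeholders; crontab: */5 * * * * sh acct.sh --cron
cron_account() {
    state=$1; log=$2
    now=$(iptables -L INPUT -v -n -x) || return 1
    if [ -f "$state" ]; then
        account_delta "$(cat "$state")" "$now" |
            awk -v ts="$(date +%s)" '{ print ts, $1, $2 }' >> "$log"
    fi
    printf '%s\n' "$now" > "$state"
}

if [ "${1:-}" = "--cron" ]; then
    cron_account /var/lib/ipacct/state /var/log/ipacct.log
    exit $?
fi

# Offline demonstration on the constructed snapshots: prints
# "192.168.1.1 24000" and "192.168.1.2 0"; 192.168.1.3 is discarded.
account_delta "$PREV" "$CURR"
```

Raj's alternative, listing with the uppercase -Z flag so the kernel zeros the counters as it lists them, makes the subtraction unnecessary but loses the raw cumulative values that let you spot a reset.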
Hi Stef

Regarding the same topic: if I use

iptables -A INPUT -s 192.168.2.1

I am able to capture packets going from 192.168.2.1 to any address. How about any address coming to 192.168.2.1? Will this be added into the same rule, or do I need to add another rule:

iptables -A INPUT -d 192.168.2.1

hare

----- Original Message -----
From: "Stef Coene" <stef.coene@docum.org>
To: "hare ram" <hareram@sol.net.in>; <netfilter@lists.samba.org>
Cc: <lartc@mailman.ds9a.nl>
Sent: Wednesday, August 27, 2003 10:47 PM
Subject: Re: [LARTC] Performanace fo the Iptables Server

> You don't have to log each packet to do accounting. If you create 1 iptables
> rule for each src address, you know how many packets and bytes that that src
> address transmitted.
>
> iptables -A INPUT -s 192.168.1.0
> iptables -A INPUT -s 192.168.1.1
> iptables -A INPUT -s 192.168.1.2
>
> iptables -L -v -n
>
> Stef
Hi folks,

I would like to know if IMQ (http://trash.net/~kaber/imq/) is going to be ported to the 2.6 kernel, or is there something else?

Thanks
Remus
On Wednesday 03 September 2003 10:09, Remus wrote:
> Hi folks,
>
> I would like to know if IMQ (http://trash.net/~kaber/imq/) is going to be
> ported to the 2.6 kernel or there is something else?

I just took a quick look at the imq patch and I don't think it's difficult to port it to 2.6. As far as I know, there are not many changes in the network code. Have you tried to apply the patch?

Stef

--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
Hi,

Not yet, but I will try soon.

Remus

> On Wednesday 03 September 2003 10:09, Remus wrote:
> I just took a quick look at the imq patch and I don't think it's difficult to
> port it to 2.6. As far as I know, there are not much changes in the network
> code.
> Have you tried to apply the patch?
>
> Stef