Hi everyone!

First of all: Big thanks to Tom for this great work!!

Now on to my question:

I am using Shorewall among other machines on a new server where we need some kind of accounting.

The script we would like to use for this is iam (http://intevation.de/iam/).

The docs say:

    Alternatively you can use your own iptables script and only add the 'dump' option, which should do:

    DATE=`date '+%Y%m%d%H%M%S'`
    echo "START $DATE" >> $DUMPFILE
    iptables -vnxZ -L --line-numbers -t filter >> $DUMPFILE
    echo "END $DATE" >> $DUMPFILE

What is the right place in the shorewall files to place this?

Thanks in advance,
Christian
On Sun, 21 Apr 2002, Christian Lox wrote:

> Hi everyone!
>
> First of all: Big thanks to Tom for this great work!!
>
> Now on to my question:
>
> I am using Shorewall among other machines on a new server where we
> need some kind of accounting.
>
> The script we would like to use for this is iam
> (http://intevation.de/iam/).
>
> The docs say:
> Alternatively you can use your own iptables script and only add the
> 'dump' option, which should do:
> DATE=`date '+%Y%m%d%H%M%S'`
> echo "START $DATE" >> $DUMPFILE
> iptables -vnxZ -L --line-numbers -t filter >> $DUMPFILE
> echo "END $DATE" >> $DUMPFILE
>
> What is the right place in the shorewall files to place this?
>

Presumably in /etc/shorewall/start (you'll have to create that file).

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Hi,

I've also been looking at iam.

It seems to me that this dump needs to be run from cron every few hours, so the shorewall start file is not the place for it.
Probably need to create a shell script containing those few lines and execute that from cron.

On a more general note my assessment on using iam is that to get analysis by ip address range requires setting up entries in the hosts file for the different ip address ranges where accounting is required.

Accounting by port seems to be impossible (please correct me anyone if I am wrong) because most of the traffic comes through as a single "RELATED,ESTABLISHED" byte count for a zone2zone chain; and is not broken down by port.

If anyone understands what I am talking about and can suggest a work around I would be grateful.

Regards,
--
John Leach
http://osware.net

On Sun, 21 Apr 2002 23:30, Tom Eastep wrote:

> On Sun, 21 Apr 2002, Christian Lox wrote:
> > Now on to my question:
> > I am using Shorewall among other machines on a new server where we
> > need some kind of accounting.
> > The script we would like to use for this is iam
> > (http://intevation.de/iam/).
> > The docs say:
> > Alternatively you can use your own iptables script and only add the
> > 'dump' option, which should do:
> > DATE=`date '+%Y%m%d%H%M%S'`
> > echo "START $DATE" >> $DUMPFILE
> > iptables -vnxZ -L --line-numbers -t filter >> $DUMPFILE
> > echo "END $DATE" >> $DUMPFILE
> > What is the right place in the shorewall files to place this?
>
> Presumably in /etc/shorewall/start (you'll have to create that file).
>
> -Tom
On Tue, 23 Apr 2002, John Leach wrote:

> Hi,
>
> I've also been looking at iam.
>
> It seems to me that this dump needs to be run from cron every few hours, so
> the shorewall start file is not the place for it.
> Probably need to create a shell script containing those few lines and execute
> that from cron.
>
> On a more general note my assessment on using iam is that to get analysis by
> ip address range requires setting up entries in the hosts file for the
> different ip address ranges where accounting is required.
>

No -- don't do that; see below

> Accounting by port seems to be impossible (please correct me anyone if I am
> wrong) because most of the traffic comes through as a single
> "RELATED,ESTABLISHED" byte count for a zone2zone chain; and is not broken
> down by port.

Yes -- that's what stateful firewalls do.

> If anyone understands what I am talking about and can suggest a work around I
> would be grateful.

In /etc/shorewall/start:

    run_iptables -N account
    # <add all of your CPU-eating accounting rules here>
    for chain in INPUT OUTPUT FORWARD
    do
        run_iptables -I $chain -j account
    done

The accounting rules should NOT have a target and you should use 'run_iptables' rather than running iptables directly. Example:

    run_iptables -A account -p tcp --dport 80

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
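Putting the two halves of the thread together (the iam 'dump' format quoted in Christian's first message and the target-less 'account' chain Tom describes above), here is an added example that is not from the thread, from Shorewall or from iam. It assumes a constructed port list (ACCOUNT_PORTS) and a constructed dump excerpt (SAMPLE_DUMP); the function names gen_start_rules and bytes_for_port are this example's own. It goes one step past Tom's single --dport rule by also counting --sport, so reply packets are attributed to the same port as the requests, and it shows how the byte counters in such a dump are summed per port while reading only the account chain, so the single RELATED,ESTABLISHED counter John mentions stays out of the per-port totals.

```shell
#!/bin/sh
# Added example; not from the thread or from Shorewall/iam.
# Part 1 emits the /etc/shorewall/start lines for an "account" chain that
# counts traffic per TCP port. Part 2 parses a dump in the format the iam
# 'dump' option appends to $DUMPFILE and sums the bytes per port.

ACCOUNT_PORTS="22 25 80 443"   # assumption: the ports you want counted

# Print the lines one would put in /etc/shorewall/start. No rule in the
# account chain has a -j target: a target-less rule only bumps its counters
# and the packet falls through, first to the next accounting rule and then
# back into the chain the jump came from, so Shorewall's own stateful rules
# still decide its fate. Counting --sport as well as --dport (an addition to
# the single --dport rule in Tom's message) attributes reply packets to the
# same port as the requests.
gen_start_rules() {
    echo "run_iptables -N account"
    for port in $ACCOUNT_PORTS; do
        echo "run_iptables -A account -p tcp --dport $port"
        echo "run_iptables -A account -p tcp --sport $port"
    done
    # -I puts the jump at position 1, so accounting runs before Shorewall's
    # zone chains, whose RELATED,ESTABLISHED rule would otherwise ACCEPT the
    # bulk of the traffic before any per-port rule sees it.
    for chain in INPUT OUTPUT FORWARD; do
        echo "run_iptables -I $chain -j account"
    done
}

# Constructed excerpt of one START/END block written by
#   iptables -vnxZ -L --line-numbers -t filter >> $DUMPFILE
# -x prints exact byte counts and -Z resets them after listing, so each
# block holds the traffic since the previous dump. The net2loc chain shows
# the single RELATED,ESTABLISHED counter John describes: not per port.
SAMPLE_DUMP='START 20020423120000
Chain account (3 references)
num      pkts      bytes target     prot opt in     out     source               destination
1         120     19440            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
2          95    120400            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22
3        4310   5531200            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
4        3980  61224010            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80

Chain net2loc (1 references)
num      pkts      bytes target     prot opt in     out     source               destination
1        8500  66875050 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2           3       180 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
END 20020423120000'

# Sum the byte counters of the account-chain rules matching a port, in
# either direction. Only the account chain is read, so the ACCEPT counter
# in net2loc (which is not broken down by port) is ignored. $3 is the
# bytes column and $NF the dpt:/spt: match; both hold whether or not the
# target column is empty, because awk splits on runs of whitespace.
bytes_for_port() {
    printf '%s\n' "$SAMPLE_DUMP" | awk -v port="$1" '
        /^Chain /  { inchain = ($2 == "account"); next }
        inchain && $1 ~ /^[0-9]+$/ &&
            ($NF == ("dpt:" port) || $NF == ("spt:" port)) { total += $3 }
        END { print total + 0 }'
}

# Stand-alone run: show the start-file lines, then the per-port totals.
gen_start_rules
for p in $ACCOUNT_PORTS; do
    echo "port $p: $(bytes_for_port "$p") bytes"
done
```

Since the dump file grows by one START/END block per cron run, a real report would loop over blocks; the parser above handles one block, which is the unit iam itself works on. The port list and the dump are constructed, so the byte totals printed are illustrative only.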