Tom,

I was reading the page titled 'About My Network' and had a question regarding your static NAT configuration and how it works with MRTG.

Are you able to create separate MRTG graphs for each address (alias) entry in /etc/shorewall/nat?

I am only able to obtain an MRTG bandwidth graph for the primary IP address of the graph. Since tx/rx metrics are not recorded for an IP alias, how would I create chains to monitor incoming/outgoing traffic with MRTG on a static NAT entry?

Cheers,
Pauly
On Sat, 2003-08-09 at 08:54, paul@freestylenetworks.com wrote:
>
> Are you able to create separate MRTG graphs for each address (alias)
> entry in /etc/shorewall/nat?

I've never tried since I'm uninterested in having the traffic analyzed that way.

>
> I am only able to obtain an MRTG bandwidth graph for the primary IP
> address of the graph.
> Since tx/rx metrics are not recorded for an IP alias, how would I
> create chains to monitor incoming/outgoing traffic with MRTG on a
> static NAT entry?

There is a contributed tool at ftp://shorewall.net/pub/shorewall/mrtg that may help; I've not used it personally.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,      \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom,

Thanks for the link.... The main reason I would like to have this detail is because my monthly bandwidth has gone up significantly in the last month (streaming media....cha ching$$). As a result, I need to track my transfer individually on 13 different IPs.

It appears there is no quick way to track packets/bytes on an alias interface.

Is it possible to create an iptables chain (let's say net2alias) that would show packets/bytes on each alias? (much like net2fw and loc2fw).

Cheers,
Paul Seniuk
Freestyle Networks

-----Original Message-----
From: teastep [mailto:teastep@shorewall.net]
Sent: Saturday, August 09, 2003 10:15 AM
To: Paul Seniuk
Cc: shorewall-users
Subject: Re: [Shorewall-users] static NAT

On Sat, 2003-08-09 at 08:54, paul@freestylenetworks.com wrote:
>
> Are you able to create separate MRTG graphs for each address (alias)
> entry in /etc/shorewall/nat?

I've never tried since I'm uninterested in having the traffic analyzed that way.

>
> I am only able to obtain an MRTG bandwidth graph for the primary IP
> address of the graph.
> Since tx/rx metrics are not recorded for an IP alias, how would I
> create chains to monitor incoming/outgoing traffic with MRTG on a
> static NAT entry?

There is a contributed tool at ftp://shorewall.net/pub/shorewall/mrtg that may help; I've not used it personally.

-Tom
On Sat, 2003-08-09 at 10:22, paul@freestylenetworks.com wrote:
>
> Is it possible to create an iptables chain (let's say net2alias) that
> would show packets/bytes on each alias?
> (much like net2fw and loc2fw).

Shorewall won't do that for you -- but using extension scripts you can do pretty much anything you like to modify the Shorewall-generated ruleset.

-Tom
On Sat, 9 Aug 2003, Tom Eastep wrote:
>
> Shorewall won't do that for you -- but using extension scripts you can
> do pretty much anything you like to modify the Shorewall-generated
> ruleset.
>

The version of Shorewall in the /Shorewall CVS project contains a rather crude IP accounting facility. You define the categories of traffic that you want counted (packets and bytes) in /etc/shorewall/accounting and then you can display the counters and rules using "shorewall show accounting".

Install today's snapshot then overlay /usr/share/shorewall/firewall with the firewall file from CVS and move the "accounting" file from CVS to /etc/shorewall/accounting. Basic instructions for setting up the file are contained therein.

-Tom
On Sat, 9 Aug 2003, Tom Eastep wrote:
>
> Install today's snapshot then overlay /usr/share/shorewall/firewall with
> the firewall file from CVS and move the "accounting" file from CVS to
> /etc/shorewall/accounting. Basic instructions for setting up the file
> are contained therein.
>

Oh -- and when setting up your /etc/shorewall/accounting file, forget that you even have static NAT. Count packets/bytes to/from the external interface and each of the 13 internal systems.

The accounting is done in Netfilter's 'filter' table which means that DNAT has already been applied on input packets and SNAT hasn't yet been applied on output packets. In other words, the IP addresses of your alias interfaces will match neither the source nor destination address of any of the internet traffic generated by the gang of 13...

-Tom
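Added example, not part of the original thread and not Shorewall's own accounting code: a counting-only iptables chain keyed on internal addresses, as the message above advises, plus a parser that totals bytes per host from `iptables -L acct -v -n -x` output. The chain name `acct`, the interface `eth0`, the 192.168.1.x hosts and the sample counters are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumptions: external interface eth0, chain name "acct",
# internal hosts in 192.168.1.0/24. All sample data is constructed.
EXT_IF=${EXT_IF:-eth0}

# Print the iptables commands for a counting-only chain hooked into FORWARD.
# The rules carry no -j target: they update counters and the packet falls
# through to the rest of the ruleset. Match INTERNAL addresses, because in the
# filter table DNAT is already done inbound and SNAT not yet done outbound.
gen_acct_rules() {
    echo "iptables -N acct"
    echo "iptables -I FORWARD -j acct"
    for host in "$@"; do
        echo "iptables -A acct -i $EXT_IF -d $host"
        echo "iptables -A acct -o $EXT_IF -s $host"
    done
}

# Constructed output in the layout of `iptables -L acct -v -n -x`.
sample_counters() {
    cat <<'EOF'
Chain acct (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     120    98000            all  --  eth0   *       0.0.0.0/0            192.168.1.10
      40     4500            all  --  *      eth0    192.168.1.10         0.0.0.0/0
     900  1200000            all  --  eth0   *       0.0.0.0/0            192.168.1.11
     300    21000            all  --  *      eth0    192.168.1.11         0.0.0.0/0
EOF
}

# Read that listing on stdin; print "host bytes_in bytes_out", one per host.
acct_bytes() {
    awk -v ext="$EXT_IF" '
        $1 !~ /^[0-9]+$/ { next }                                   # skip header lines
        $(NF-3) == ext { in_b[$NF] += $2; seen[$NF] = 1 }           # from the internet
        $(NF-2) == ext { out_b[$(NF-1)] += $2; seen[$(NF-1)] = 1 }  # to the internet
        END { for (h in seen) printf "%s %d %d\n", h, in_b[h], out_b[h] }
    ' | sort
}

gen_acct_rules 192.168.1.10 192.168.1.11
sample_counters | acct_bytes
```

Shorewall rebuilds its ruleset on restart, so the generated commands would be issued from an extension script, as suggested earlier in the thread.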
I've just checked in a correction to the 'firewall' script; it was generating an invalid rule when an interface name alone appeared in the DESTINATION column in the accounting file.

-Tom