Another week, another project!
I'm trying to adapt our local setup to collect data at a remote site. Here
we don't have the opportunity to put our own router in, so I'm trying to
make a small logging box with three NICs.
eth0 and eth1 are connected to a bridge with no IP - this will allow the box to
be inserted between the site and its internet connection, but the box
itself won't be visible to the outside world.
eth2 is connected to the internal network.
I seem to have most things sorted, but the accounting is a bit of a headache.
Probably something simple I've overlooked!
According to various bits I've read, such as
http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html, and the image it links
to at the end,
http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg,
I believe I should be seeing traffic bridged between eth0 and eth1 being trapped
by the FORWARD chain and thus fed into the accounting chain. But I'm not
seeing any stats:
# iptables -v -n -L accounting
Chain accounting (3 references)
 pkts bytes target     prot opt in     out     source               destination
60622   13M account-ip all  --  *      *       0.0.0.0/0            0.0.0.0/0
60622   13M acc-serv   all  --  *      *       0.0.0.0/0            0.0.0.0/0
# iptables -v -n -L account-ip
Chain account-ip (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 total-ip   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 total-ip   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 total-ip   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 total-ip   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
10656  926K total-ip   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
11090  746K total-ip   all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
I'll only be looking at eth0, the other interfaces are only included for
testing/diagnostics.
# cat zones
#ZONE   TYPE      OPTIONS   IN          OUT
#                           OPTIONS     OPTIONS
fw      firewall
net     ipv4
br      ipv4
# cat interfaces
#ZONE   INTERFACE   OPTIONS
FORMAT 2
net     eth2
br      eth0        bridge
br      eth1        bridge
# cat accounting
#ACTION          CHAIN        SOURCE   DESTINATION   PROTO   DEST      SOURCE    USER/
#                                                            PORT(S)   PORT(S)   GROUP
account-ip       -            -        -
total-ip:COUNT   account-ip   eth0     -
total-ip:COUNT   account-ip   -        eth0
total-ip:COUNT   account-ip   eth1     -
total-ip:COUNT   account-ip   -        eth1
total-ip:COUNT   account-ip   eth2     -
total-ip:COUNT   account-ip   -        eth2
DONE             total-ip
#INCLUDE accounting.ip
#INCLUDE accounting.service
# ifconfig
br0       Link encap:Ethernet  HWaddr ****************
          inet6 addr: fe80::***************/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:336545 errors:0 dropped:0 overruns:0 frame:0
          TX packets:719 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:31324276 (29.8 MiB)  TX bytes:60862 (59.4 KiB)

eth0      Link encap:Ethernet  HWaddr ****************
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:689133 errors:0 dropped:2889 overruns:0 frame:0
          TX packets:384860 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:153833458 (146.7 MiB)  TX bytes:51262116 (48.8 MiB)
          Interrupt:10 Base address:0x1000

eth1      Link encap:Ethernet  HWaddr ****************
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:387244 errors:0 dropped:2891 overruns:0 frame:0
          TX packets:645353 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:51810105 (49.4 MiB)  TX bytes:145675913 (138.9 MiB)
          Interrupt:11 Base address:0x1400

eth2      Link encap:Ethernet  HWaddr ****************
          inet addr:192.168.1.150  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::***************/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:326447 errors:0 dropped:0 overruns:0 frame:0
          TX packets:264068 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:28529244 (27.2 MiB)  TX bytes:22452128 (21.4 MiB)
          Interrupt:15 Base address:0x1800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.************       no              eth0
                                                        eth1
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On 1/23/13 8:31 AM, "Simon Hobson" <linux@thehobsons.co.uk> wrote:

Hi Simon,

Please post your interfaces and hosts files.

Thanks,
-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.
On 01/23/2013 10:18 AM, Tom Eastep wrote:
> On 1/23/13 8:31 AM, "Simon Hobson" <linux@thehobsons.co.uk> wrote:
>
> Hi Simon,
>
> Please post your interfaces and hosts files.

I ask, because what it looks like is that you have not defined eth0 and
eth1 to Shorewall as bridge ports. So the compiler is generating '-i' and
'-o' matches for eth0 which never match when eth0 is a port on a bridge.

To define it as a bridge port, in your interfaces file:

z       br0             -       bridge
-       br0:eth0

Also note that even if you do define eth0 to be a bridge port, when you
place 'eth0' in the DEST column, it will only account for traffic
forwarded from another port on the bridge. That behavior has been in
place since Kernel version 2.6.21.

-Tom

--
Tom Eastep              \ When I die, I want to go like my Grandfather who
Shoreline,               \ died peacefully in his sleep. Not screaming like
Washington, USA           \ all of the passengers in his car
http://shorewall.net       \________________________________________________
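As an added example (not from the thread and not Shorewall's own code), a small check for exactly the misconfiguration Tom describes: it parses the interfaces file and the `brctl show` output posted above and reports each enslaved port that was declared by its bare name instead of as bridge:port. The sample inputs are constructed from the thread, and the function names `parse_brctl`, `parse_interfaces` and `misdeclared_bridge_ports` are mine.

```python
# Hypothetical checker (not part of Shorewall): flag interfaces enslaved to a
# bridge but declared to Shorewall by bare name, for which the compiler emits
# '-i'/'-o' matches that never see bridged frames (only physdev matches do).

# Constructed sample: the interfaces file posted in the thread.
INTERFACES = """\
#ZONE INTERFACE OPTIONS
FORMAT 2
net eth2
br eth0 bridge
br eth1 bridge
"""

# Constructed sample: `brctl show` output from the thread (bridge id elided).
BRCTL_SHOW = """\
bridge name bridge id STP enabled interfaces
br0 8000.000000000000 no eth0
eth1
"""

def parse_brctl(text):
    """Return {port: bridge}; extra ports of a bridge sit alone on later lines."""
    ports, bridge = {}, None
    for line in text.splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) == 4:  # bridge name, id, STP flag, first port
            bridge = fields[0]
            ports[fields[3]] = bridge
        elif len(fields) == 1 and bridge:  # continuation line: another port
            ports[fields[0]] = bridge
    return ports

def parse_interfaces(text):
    """Return {INTERFACE column: ZONE column}, skipping comments and FORMAT."""
    decls = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 2 and not f[0].startswith("#") and f[0] != "FORMAT":
            decls[f[1]] = f[0]
    return decls

def misdeclared_bridge_ports(interfaces_text, brctl_text):
    """Map each bridge port declared by bare name to the bridge:port form it needs."""
    decls = parse_interfaces(interfaces_text)
    return {port: f"{bridge}:{port}"
            for port, bridge in parse_brctl(brctl_text).items()
            if port in decls and f"{bridge}:{port}" not in decls}

if __name__ == "__main__":
    print(misdeclared_bridge_ports(INTERFACES, BRCTL_SHOW))  # {'eth0': 'br0:eth0', 'eth1': 'br0:eth1'}
```

Once the ports are declared as `br0:eth0` and `br0:eth1` (with `br0` itself declared with the `bridge` option), the check returns an empty dict.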
Tom Eastep wrote:
>> Please post your interfaces and hosts files.

No hosts, interfaces was in the original message.

# cat interfaces
#ZONE   INTERFACE   OPTIONS
FORMAT 2
net     eth2
br      eth0        bridge
br      eth1        bridge

> I ask, because what it looks like is that you have not defined eth0 and
> eth1 to Shorewall as bridge ports. So compiler is generating '-i' and
> '-o' matches for eth0 which never match when eth0 is a port on a bridge.
>
> To define it as a bridge port, in your interfaces file:
>
> z br0 - bridge
> - br0:eth0

That'll be it then. Something to try in the morning. I thought it would be
something simple!

> Also note that even if you do define eth0 to be a bridge port, when you
> place 'eth0' in the DEST column, it will only account for traffic
> forwarded from another port on the bridge. That behavior has been in
> place since Kernel version 2.6.21.

That's OK, it's all I'm interested in - in fact there won't (or shouldn't)
be any other traffic.
Tom Eastep wrote:
> I ask, because what it looks like is that you have not defined eth0 and
> eth1 to Shorewall as bridge ports. So compiler is generating '-i' and
> '-o' matches for eth0 which never match when eth0 is a port on a bridge.
>
> To define it as a bridge port, in your interfaces file:
>
> z br0 - bridge
> - br0:eth0

Yes, that was it. Sorted now.