Another week, another project!

I'm trying to adapt our local setup to collect data at a remote site. Here we don't have the opportunity to put our own router in, so I'm trying to make a small logging box with three NICs.
eth0 and eth1 are connected to a bridge with no IP - this will allow the box to be inserted between the site and its internet connection, but the box itself won't be visible to the outside world.
eth2 is connected to the internal network.

I seem to have most things sorted, but the accounting is a bit of a headache. Probably something simple I've overlooked!

According to various bits I've read, such as http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html, and the image it links to at the end, http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg, I believe I should be seeing traffic bridged between eth0 and eth1 being trapped by the FORWARD chain and thus fed into the accounting chain. But I'm not seeing any stats:

# iptables -v -n -L accounting
Chain accounting (3 references)
 pkts bytes target     prot opt in     out     source               destination
60622   13M account-ip all  --  *      *       0.0.0.0/0            0.0.0.0/0
60622   13M acc-serv   all  --  *      *       0.0.0.0/0            0.0.0.0/0

# iptables -v -n -L account-ip
Chain account-ip (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 total-ip   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 total-ip   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 total-ip   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 total-ip   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
10656  926K total-ip   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
11090  746K total-ip   all  --  *      eth2    0.0.0.0/0            0.0.0.0/0

I'll only be looking at eth0; the other interfaces are only included for testing/diagnostics.

# cat zones
#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
net     ipv4
br      ipv4

# cat interfaces
#ZONE   INTERFACE   OPTIONS
FORMAT 2
net     eth2
br      eth0        bridge
br      eth1        bridge

# cat accounting
#ACTION         CHAIN       SOURCE  DESTINATION PROTO   DEST    SOURCE  USER/
#                                                       PORT(S) PORT(S) GROUP
account-ip      -           -       -
total-ip:COUNT  account-ip  eth0    -
total-ip:COUNT  account-ip  -       eth0
total-ip:COUNT  account-ip  eth1    -
total-ip:COUNT  account-ip  -       eth1
total-ip:COUNT  account-ip  eth2    -
total-ip:COUNT  account-ip  -       eth2
DONE            total-ip
#INCLUDE accounting.ip
#INCLUDE accounting.service

# ifconfig
br0       Link encap:Ethernet  HWaddr ****************
          inet6 addr: fe80::***************/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:336545 errors:0 dropped:0 overruns:0 frame:0
          TX packets:719 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:31324276 (29.8 MiB)  TX bytes:60862 (59.4 KiB)

eth0      Link encap:Ethernet  HWaddr ****************
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:689133 errors:0 dropped:2889 overruns:0 frame:0
          TX packets:384860 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:153833458 (146.7 MiB)  TX bytes:51262116 (48.8 MiB)
          Interrupt:10 Base address:0x1000

eth1      Link encap:Ethernet  HWaddr ****************
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:387244 errors:0 dropped:2891 overruns:0 frame:0
          TX packets:645353 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:51810105 (49.4 MiB)  TX bytes:145675913 (138.9 MiB)
          Interrupt:11 Base address:0x1400

eth2      Link encap:Ethernet  HWaddr ****************
          inet addr:192.168.1.150  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::***************/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:326447 errors:0 dropped:0 overruns:0 frame:0
          TX packets:264068 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:28529244 (27.2 MiB)  TX bytes:22452128 (21.4 MiB)
          Interrupt:15 Base address:0x1800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.************       no              eth0
                                                        eth1

------------------------------------------------------------------------------
Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
MVPs and experts. ON SALE this month only -- learn more at:
http://p.sf.net/sfu/learnnow-d2d
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On 1/23/13 8:31 AM, "Simon Hobson" <linux@thehobsons.co.uk> wrote:

> Another week, another project!
>
> I'm trying to adapt our local setup to collect data at a remote site.
> Here we don't have the opportunity to put our own router in, so I'm
> trying to make a small logging box with three NICs.
> eth0 and eth1 are connected to a bridge with no IP - this will allow the
> box to be inserted between the site and its internet connection, but the
> box itself won't be visible to the outside world.
> eth2 is connected to the internal network.
>
> I seem to have most things sorted, but the accounting is a bit of a
> headache. Probably something simple I've overlooked!
>
> According to various bits I've read, such
> as http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html, and the image
> it links to at the
> end, http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
> I believe I should be seeing traffic bridged between eth0 and eth1
> being trapped by the FORWARD chain and thus fed into the accounting
> chain. But I'm not seeing any stats:
>
> # iptables -v -n -L accounting
> Chain accounting (3 references)
>  pkts bytes target     prot opt in     out     source               destination
> 60622   13M account-ip all  --  *      *       0.0.0.0/0            0.0.0.0/0
> 60622   13M acc-serv   all  --  *      *       0.0.0.0/0            0.0.0.0/0
> # iptables -v -n -L account-ip
> Chain account-ip (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 total-ip   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
>     0     0 total-ip   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
>     0     0 total-ip   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
>     0     0 total-ip   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
> 10656  926K total-ip   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
> 11090  746K total-ip   all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
>
> I'll only be looking at eth0, the other interfaces are only included for
> testing/diagnostics.

Hi Simon,

Please post your interfaces and hosts files.

Thanks,
-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.
On 01/23/2013 10:18 AM, Tom Eastep wrote:

> On 1/23/13 8:31 AM, "Simon Hobson" <linux@thehobsons.co.uk> wrote:
>
>> Another week, another project!
>>
>> I'm trying to adapt our local setup to collect data at a remote site.
>> Here we don't have the opportunity to put our own router in, so I'm
>> trying to make a small logging box with three NICs.
>> eth0 and eth1 are connected to a bridge with no IP - this will allow the
>> box to be inserted between the site and its internet connection, but the
>> box itself won't be visible to the outside world.
>> eth2 is connected to the internal network.
>>
>> I seem to have most things sorted, but the accounting is a bit of a
>> headache. Probably something simple I've overlooked!
>>
>> According to various bits I've read, such
>> as http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html, and the image
>> it links to at the
>> end, http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
>> I believe I should be seeing traffic bridged between eth0 and eth1
>> being trapped by the FORWARD chain and thus fed into the accounting
>> chain. But I'm not seeing any stats:
>>
>> # iptables -v -n -L accounting
>> Chain accounting (3 references)
>>  pkts bytes target     prot opt in     out     source               destination
>> 60622   13M account-ip all  --  *      *       0.0.0.0/0            0.0.0.0/0
>> 60622   13M acc-serv   all  --  *      *       0.0.0.0/0            0.0.0.0/0
>> # iptables -v -n -L account-ip
>> Chain account-ip (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 total-ip   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
>>     0     0 total-ip   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
>>     0     0 total-ip   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
>>     0     0 total-ip   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
>> 10656  926K total-ip   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
>> 11090  746K total-ip   all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
>>
>> I'll only be looking at eth0, the other interfaces are only included for
>> testing/diagnostics.
>
> Hi Simon,
>
> Please post your interfaces and hosts files.

I ask, because what it looks like is that you have not defined eth0 and eth1 to Shorewall as bridge ports. So the compiler is generating '-i' and '-o' matches for eth0 which never match when eth0 is a port on a bridge.

To define it as a bridge port, in your interfaces file:

z    br0       -    bridge
-    br0:eth0

Also note that even if you do define eth0 to be a bridge port, when you place 'eth0' in the DEST column, it will only account for traffic forwarded from another port on the bridge. That behavior has been in place since Kernel version 2.6.21.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
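Tom's diagnosis is a pattern worth being able to spot from the counters alone: a rule whose in/out column names an interface that is enslaved to a bridge will sit at zero forever, because at the IP layer the packet arrives on br0, not eth0, and a physdev match is what is needed to see the physical port (Shorewall's br0:eth0 notation is what makes the compiler emit that match; the thread doesn't spell that out, so treat the mapping to -m physdev as my assumption). The script below is an added example, not code from this thread or from Shorewall: it parses `iptables -v -n -L` and `brctl show` text (the samples are constructed from Simon's post, with a made-up bridge id), flags every rule whose -i/-o names a bridge port, and emits interfaces entries in the four-column shape Tom posted, using Simon's zone name `br`.

```python
"""Flag iptables accounting rules whose -i/-o can never match a bridge port."""
from typing import Dict, List

# Constructed sample: the account-ip counters from Simon's post.
IPTABLES_OUTPUT = """\
Chain account-ip (1 references)
pkts bytes target prot opt in out source destination
0 0 total-ip all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 total-ip all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 total-ip all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 total-ip all -- * eth1 0.0.0.0/0 0.0.0.0/0
10656 926K total-ip all -- eth2 * 0.0.0.0/0 0.0.0.0/0
11090 746K total-ip all -- * eth2 0.0.0.0/0 0.0.0.0/0
"""

# Constructed sample of `brctl show` (bridge id is made up): eth0 and eth1
# are ports of br0; eth2 is an ordinary routed interface and is absent.
BRCTL_OUTPUT = """\
bridge name\tbridge id\t\tSTP enabled\tinterfaces
br0\t\t8000.0242ac110002\tno\t\teth0
\t\t\t\t\t\t\teth1
"""


def parse_brctl(text: str) -> Dict[str, str]:
    """Map each bridge port to its bridge, e.g. {'eth0': 'br0', 'eth1': 'br0'}."""
    ports: Dict[str, str] = {}
    bridge = None
    for line in text.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if not fields:
            continue
        if not line[0].isspace():               # new bridge row: name id stp [port]
            bridge = fields[0]
            fields = fields[3:]
        for port in fields:                      # continuation rows hold more ports
            ports[port] = bridge
    return ports


def parse_counters(text: str) -> List[dict]:
    """Parse `iptables -v -n -L` rule rows; chain and column headers are skipped."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9 or not fields[0].isdigit():
            continue
        pkts, nbytes, target, prot, opt, iface_in, iface_out, src, dst = fields[:9]
        rules.append({"pkts": int(pkts), "bytes": nbytes, "target": target,
                      "prot": prot, "in": iface_in, "out": iface_out,
                      "src": src, "dst": dst})
    return rules


def diagnose(rules: List[dict], bridge_ports: Dict[str, str]) -> List[str]:
    """One finding per rule whose -i or -o names a port enslaved to a bridge."""
    findings = []
    for rule in rules:
        for flag, key in (("-i", "in"), ("-o", "out")):
            iface = rule[key]
            if iface in bridge_ports:
                bridge = bridge_ports[iface]
                physdev = "--physdev-in" if key == "in" else "--physdev-out"
                findings.append(
                    f"{flag} {iface}: never matches ({rule['pkts']} pkts); {iface} is a "
                    f"port of {bridge}, so the IP layer sees {bridge}. Use -m physdev "
                    f"{physdev} {iface} (Shorewall: declare {bridge} as 'bridge' and the "
                    f"port as {bridge}:{iface}).")
    return findings


def suggested_interfaces(bridge_ports: Dict[str, str], zone: str) -> List[str]:
    """Interfaces entries in the shape Tom posted: the bridge, then each port as bridge:port."""
    lines = []
    for bridge in sorted(set(bridge_ports.values())):
        lines.append(f"{zone}\t{bridge}\t-\tbridge")
        for port in sorted(p for p, b in bridge_ports.items() if b == bridge):
            lines.append(f"-\t{bridge}:{port}")
    return lines


if __name__ == "__main__":
    ports = parse_brctl(BRCTL_OUTPUT)
    for finding in diagnose(parse_counters(IPTABLES_OUTPUT), ports):
        print(finding)
    print("\n".join(suggested_interfaces(ports, "br")))
```

Run against the samples it reports the four eth0/eth1 rules and leaves the eth2 rules alone, which is exactly the pattern in Simon's counters. Tom's second caveat still applies to the generated entries: a `--physdev-out` match on a bridge port only sees frames forwarded from another port of the same bridge.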
Tom Eastep wrote:

>> Please post your interfaces and hosts files.

No hosts; interfaces was in the original message.

# cat interfaces
#ZONE   INTERFACE   OPTIONS
FORMAT 2
net     eth2
br      eth0        bridge
br      eth1        bridge

> I ask, because what it looks like is that you have not defined eth0 and
> eth1 to Shorewall as bridge ports. So compiler is generating '-i' and
> '-o' matches for eth0 which never match when eth0 is a port on a bridge.
>
> To define it as a bridge port, in your interfaces file:
>
> z br0 - bridge
> - br0:eth0

That'll be it then. Something to try in the morning. I thought it would be something simple!

> Also note that even if you do define eth0 to be a bridge port, when you
> place 'eth0' in the DEST column, it will only account for traffic
> forwarded from another port on the bridge. That behavior has been in
> place since Kernel version 2.6.21.

That's OK, it's all I'm interested in - in fact there won't (or shouldn't) be any other traffic.
Tom Eastep wrote:

> I ask, because what it looks like is that you have not defined eth0 and
> eth1 to Shorewall as bridge ports. So compiler is generating '-i' and
> '-o' matches for eth0 which never match when eth0 is a port on a bridge.
>
> To define it as a bridge port, in your interfaces file:
>
> z br0 - bridge
> - br0:eth0

Yes, that was it. Sorted now.