* Counting Connections
From: Peter Renzland @ 2009-01-14 8:28 UTC
To: netfilter
I can count packets and bytes, by LAN IP and direction, with something
like this:
LAN="192.168.0"; HOSTS="100 102 103 105 108 120 122 124 126 130 132"
for SD in s d; do
    iptables -N traffic_$SD              # one counting chain per direction (s = source, d = destination)
    iptables -I FORWARD -j traffic_$SD
    for IP in $HOSTS; do
        iptables -A traffic_$SD -$SD $LAN.$IP   # no target: the rule only updates its counters
    done
done
I would also like to count connections (those that have been tracked),
just like the packets and bytes that have been moved.
Can someone please show me how that can be done?
I should mention that the routers I am working with are stuck with
Netfilter 1.3.7 on Linux 2.4.20.
Thanks!
Peter
* Re: Counting Connections
From: Artūras Šlajus @ 2009-01-14 8:49 UTC
To: Peter Renzland; +Cc: netfilter
Peter Renzland wrote:
> I would also like to count connections (those that have been tracked),
> just like the packets and bytes that have been moved.
> Can someone please show me how that can be done?
New connections? -m state --state NEW should work.
* Re: Counting Connections
From: Peter Renzland @ 2009-01-17 18:08 UTC
To: Artūras Šlajus; +Cc: netfilter
On 09 Jan 14, at 03:49, Artūras Šlajus wrote:
> Peter Renzland wrote:
>> I would also like to count connections (those that have been
>> tracked), just like the packets and bytes that have been moved.
>> Can someone please show me how that can be done?
> New connections? -m state --state NEW should work.
I *finally* figured this out. :-)
At first I thought that this could only count packets and bytes, but I
want to count connections, not packets and bytes. Well, since each
connection is started by exactly one packet, the number of such
packets is the number of connections that I seek. Very clever.
Thanks!!!
So, to count all connections:
iptables -N conncount
iptables -I FORWARD -j conncount
iptables -A conncount -m state --state NEW
And I can even count over-limit connection attempts:
iptables -N connover
iptables -I FORWARD -p tcp --syn -m iprange --src-range $IP1-$IP2 \
    -m connlimit --connlimit-above 100 -j connover
iptables -I FORWARD -p ! tcp -m iprange --src-range $IP1-$IP2 \
    -m connlimit --connlimit-above 50 -j connover
iptables -A connover -j REJECT
Does that look about right?
(Do I really need that "--syn"?)
Thanks.
Peter
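The following script is an added example for this thread, not code posted by Peter or Artūras. It puts the two ideas from the thread together: the per-host packet/byte chains from the first message and the "count the NEW packet" trick from the reply, extended to per-host connection counters, and it adds a small parser for the counter output so the numbers can be read back per host. The chain names conn_s/conn_d, the IPT wrapper variable (which defaults to printing the rules instead of loading them) and the sample counter output are all assumptions constructed for the example. On the --syn question: with default conntrack settings a TCP packet seen mid-stream can also create a conntrack entry and be matched as NEW, so restricting the TCP rule to --syn keeps the count to actual connection openings.

```shell
#!/bin/sh
# Added example, not code from the thread: per-host packet/byte counters
# and per-host tracked-connection counters, plus a parser for the counter
# output. IPT is a hypothetical wrapper: it defaults to "echo iptables" so
# the script only prints the rules it would load; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

LAN="192.168.0"
HOSTS="100 102 103"            # constructed host list

# Build counting chains. traffic_s/traffic_d count packets and bytes,
# conn_s/conn_d count tracked connections: exactly one packet (the one in
# state NEW) creates each conntrack entry, so counting those packets counts
# connections. Rules without a target only update their counters.
build_counters() {
    for SD in s d; do
        $IPT -N traffic_$SD
        $IPT -N conn_$SD
        $IPT -I FORWARD -j traffic_$SD
        $IPT -I FORWARD -j conn_$SD
        for IP in $HOSTS; do
            $IPT -A traffic_$SD -$SD $LAN.$IP
            # --syn keeps a mid-stream TCP packet that conntrack picks up
            # (and also marks NEW) from being counted as a connection
            $IPT -A conn_$SD -p tcp --syn -$SD $LAN.$IP -m state --state NEW
            # "-p ! tcp" is the 1.3.x negation syntax used in the thread;
            # later iptables releases write it as "! -p tcp"
            $IPT -A conn_$SD -p ! tcp -$SD $LAN.$IP -m state --state NEW
        done
    done
}

# Parse "iptables -xvnL <chain>" output on stdin and print
# "<host> <packets> <bytes>" per LAN host, summing the host's rules
# (TCP and non-TCP). $1 is the LAN prefix. The LAN address is located by
# prefix rather than by column so the parser works whether or not the
# target column is empty.
parse_counters() {
    awk -v lan="$1" '
        NR <= 2 { next }                       # chain title and column header
        {
            host = ""
            for (i = 3; i <= NF; i++)
                if (index($i, lan ".") == 1) { host = $i; break }
            if (host == "") next
            pk[host] += $1; by[host] += $2
            if (!(host in seen)) { seen[host] = 1; order[++n] = host }
        }
        END { for (i = 1; i <= n; i++) print order[i], pk[order[i]], by[order[i]] }
    '
}

# Constructed sample of "iptables -xvnL conn_s" output (not captured from a
# real router): two rules for .100, one for .102.
SAMPLE='Chain conn_s (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      42       2520            tcp  --  *      *       192.168.0.100        0.0.0.0/0            tcp flags:0x17/0x02 state NEW
       7        980            !tcp --  *      *       192.168.0.100        0.0.0.0/0            state NEW
      11        660            tcp  --  *      *       192.168.0.102        0.0.0.0/0            tcp flags:0x17/0x02 state NEW'

# Stand-alone run: print the rules that would be loaded, then the per-host
# connection totals from the constructed sample.
build_counters
printf '%s\n' "$SAMPLE" | parse_counters "$LAN"
```

Run it as is to see the rule set it would load; with IPT=iptables it loads the chains, after which `iptables -xvnL conn_s | parse_counters 192.168.0` reports how many connections each host has opened since the counters were last zeroed. Periodic readings can be taken with `iptables -xvnL conn_s -Z` style zeroing, as with any counter chain.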