Re: lug-bg: Logging of ip traffic
- Subject: Re: lug-bg: Logging of ip traffic
- From: mr700@email.domain.hidden (Doncho N. Gunchev)
- Date: Wed, 16 Jul 2003 03:36:26 +0300
| On Tuesday 15 July 2003 18:45, Nickola Kolev wrote:
| Hi,
|
|
| [ snip ]
|
| : iptables -N $CHAIN_NAME
| : iptables -N $CHAIN_NAME"_smtp"
| : iptables -N $CHAIN_NAME"_pop"
| : #and then add rules for example this one:
| : #iptables -A $CHAIN_NAME -p tcp --dport 80 -j ACCEPT
| : iptables -A $CHAIN_NAME -p tcp -j ACCEPT
|
| This is where all your tcp packets get caught, and nothing reaches the following chains.
|
| : iptables -A $CHAIN_NAME"_smtp" -p tcp --dport 25 -j ACCEPT
| : iptables -A $CHAIN_NAME"_pop" -p tcp --dport 110 -j ACCEPT
| :
| : iptables -A FORWARD -s $CHAIN_IP -p tcp --dport 25 -j $CHAIN_NAME"_smtp"
| : iptables -A FORWARD -s $CHAIN_IP -p tcp --dport 110 -j $CHAIN_NAME"_pop"
| : iptables -A FORWARD -s $CHAIN_IP -p tcp -j $CHAIN_NAME
|
| [ snip ]
|
| If you only want to measure traffic, don't put ACCEPT at the end; write
| something like this instead:
|
| iptables -A $CHAIN_NAME"_smtp" -p tcp --dport 25
| iptables -A $CHAIN_NAME"_pop" -p tcp --dport 110
| iptables -A $CHAIN_NAME"_pop" -j RETURN
|
| And then, with awk, sed and so on, you pick out the fields you need from the output of
| iptables -Lnvx
Perhaps the following ideas/thoughts will be of interest to someone:

Instead of in -t filter, do the accounting in -t mangle, which is where "magic"
on packets is in principle meant to be done. In mangle you can't REJECT, for
example, but that is not needed for traffic accounting anyway. The benefit of
"moving" the accounting out to mangle is that this way it doesn't get tangled
up with the firewall rules in filter. If traffic to/from the machine doing the
accounting also has to be counted (if it runs squid, for example), you create
one chain to which all packets from INPUT, FORWARD and OUTPUT are sent (there
is no way for a packet to pass through more than one of them); otherwise only
from FORWARD.

The PREROUTING and POSTROUTING chains are problematic... my attempts resulted
in logging 2 to 3 times more traffic... but I haven't investigated exactly
when/how, so I won't speculate.

Empirically, at least in my case, 'iptables-save -c' is about 3 times slower
than 'iptables -t mangle -nxvL'... which made me give up on it.

Running every packet through every rule for a large number of targets takes a
lot of CPU time and makes no sense, so the idea from ipacsum can be used: split
them into sub-chains. Splitting by networks and subnets perhaps has the plus
that it also makes logical sense...

I'd be glad if someone shares their own experience on the topic as well :)
--
Regards,
Doncho N. Gunchev
{ All programmers are optimists -- Frederick P. Brooks, Jr. }
============================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html
============================================================================
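The count-only accounting chain in the mangle table that the reply describes, together with the awk pass over `iptables -t mangle -nxvL` output that the quoted message mentions, as an added example that is not part of the original post. The chain names ACCT / ACCT_10_0_0_5, the host 10.0.0.5 and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: count-only accounting rules in
# -t mangle as the reply describes, plus an awk pass over 'iptables -t mangle
# -nxvL' that pulls out per-port byte counters (the awk/sed step mentioned).
# Assumptions: chain names ACCT / ACCT_10_0_0_5 and host 10.0.0.5 are made up.

# One chain fed from INPUT, FORWARD and OUTPUT (a packet traverses only one of
# them), with a per-host sub-chain whose rules have no -j, so they only count.
install_acct_rules() {
    iptables -t mangle -N ACCT
    for c in INPUT FORWARD OUTPUT; do iptables -t mangle -A "$c" -j ACCT; done
    iptables -t mangle -N ACCT_10_0_0_5
    iptables -t mangle -A ACCT -s 10.0.0.5 -j ACCT_10_0_0_5
    iptables -t mangle -A ACCT -d 10.0.0.5 -j ACCT_10_0_0_5
    iptables -t mangle -A ACCT_10_0_0_5 -p tcp --dport 25    # count only
    iptables -t mangle -A ACCT_10_0_0_5 -p tcp --dport 110   # count only
    iptables -t mangle -A ACCT_10_0_0_5 -j RETURN
}

# Constructed sample of what 'iptables -t mangle -nxvL ACCT_10_0_0_5' prints.
# Note the empty target column on the count-only rules: later fields shift
# left, so the parser must not locate the port by column number.
sample_listing() {
    cat <<'EOF'
Chain ACCT_10_0_0_5 (2 references)
    pkts      bytes target     prot opt in     out     source               destination
     120      84000            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
     300     210000            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110
    1750    1106000 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# Reads a -nxvL listing on stdin; prints "chain dport bytes" for each rule that
# carries a dpt: match. pkts/bytes are always $1/$2, so those never shift.
acct_counters() {
    awk '
        /^Chain / { chain = $2; next }
        /^ *[0-9]+ +[0-9]+ / && match($0, /dpt:[0-9]+/) {
            print chain, substr($0, RSTART + 4, RLENGTH - 4), $2
        }'
}

# Byte counter for one chain/port pair from a listing on stdin,
# e.g.  sample_listing | bytes_for ACCT_10_0_0_5 25
bytes_for() {
    acct_counters | awk -v c="$1" -v p="$2" '$1 == c && $2 == p { print $3 }'
}
```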