mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-24 16:43:21 +01:00
eea857540b
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@965 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
228 lines
11 KiB
XML
Executable File
228 lines
11 KiB
XML
Executable File
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
|
<article>
|
|
<articleinfo>
|
|
<title>Shorewall Traffic Accounting</title>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<firstname>Tom</firstname>
|
|
|
|
<surname>Eastep</surname>
|
|
</author>
|
|
</authorgroup>
|
|
|
|
<pubdate>2003-12-06</pubdate>
|
|
|
|
<copyright>
|
|
<year>2003</year>
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
</copyright>
|
|
|
|
<legalnotice>
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
Texts. A copy of the license is included in the section entitled "<ulink
|
|
url="GnuCopyright.htm">GNU Free Documentation License</ulink>".</para>
|
|
</legalnotice>
|
|
</articleinfo>
|
|
|
|
<para>Shorewall Traffic Accounting support was added in Shorewall release
|
|
1.4.7.</para>
|
|
|
|
<para>Shorewall accounting rules are described in the file
|
|
/etc/shorewall/accounting. By default, the accounting rules are placed in a
|
|
chain called "accounting" and can thus be displayed using
|
|
"shorewall show accounting". All traffic passing into, out of or
|
|
through the firewall traverses the accounting chain including traffic that
|
|
will later be rejected by interface options such as "tcpflags" and
|
|
"maclist". If your kernel doesn't support the connection
|
|
tracking match extension (Kernel 2.4.21) then some traffic rejected under
|
|
'norfc1918' will not traverse the accounting chain.</para>
|
|
|
|
<para>The columns in the accounting file are as follows:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><emphasis role="bold">ACTION </emphasis>- What to do when a match
|
|
is found. Possible values are:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>COUNT- Simply count the match and continue trying to match the
|
|
packet with the following accounting rules </para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>DONE- Count the match and don't attempt to match any
|
|
following accounting rules. </para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis><chain></emphasis> - The name of a chain to
|
|
jump to. Shorewall will create the chain automatically. If the name
|
|
of the chain is followed by ":COUNT" then a COUNT rule
|
|
matching this rule will automatically be added to <chain>.
|
|
Chain names must start with a letter, must be composed of letters
|
|
and digits, and may contain underscores ("_") and periods
|
|
("."). Beginning with Shorewall version 1.4.8, chain names
|
|
man also contain embedded dashes ("-") and are not required
|
|
to start with a letter.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">CHAIN</emphasis> - The name of the chain
|
|
where the accounting rule is to be added. If empty or "-" then
|
|
the "accounting" chain is assumed.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">SOURCE</emphasis> - Packet Source. The name
|
|
of an interface, an address (host or net) or an interface name followed
|
|
by ":" and a host or net address.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">DESTINATION</emphasis> - Packet Destination
|
|
Format the same as the SOURCE column. </para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">PROTOCOL</emphasis> - A protocol name (from
|
|
/etc/protocols) or a protocol number. </para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis role="bold">DEST PORT</emphasis> - Destination Port
|
|
number. Service name from /etc/services or port number. May only be
|
|
specified if the protocol is TCP or UDP (6 or 17). </para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para> <emphasis role="bold">SOURCE PORT</emphasis>- Source Port number.
|
|
Service name from /etc/services or port number. May only be specified if
|
|
the protocol is TCP or UDP (6 or 17).</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>In all columns except ACTION and CHAIN, the values
|
|
"-","any" and "all" are treated as wild-cards.</para>
|
|
|
|
<para>The accounting rules are evaluated in the Netfilter 'filter'
|
|
table. This is the same environment where the 'rules' file rules are
|
|
evaluated and in this environment, DNAT has already occurred in inbound
|
|
packets and SNAT has not yet occurred on outbound ones.</para>
|
|
|
|
<para>Accounting rules are not stateful -- each rule only handles traffic in
|
|
one direction. For example, if eth0 is your internet interface and you have
|
|
a web server in your DMZ connected to eth1 then to count HTTP traffic in
|
|
both directions requires two rules: </para>
|
|
|
|
<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
|
|
# PORT PORT
|
|
DONE - eth0 eth1 tcp 80
|
|
DONE - eth1 eth0 tcp - 80</programlisting>
|
|
|
|
<para>Associating a counter with a chain allows for nice reporting. For
|
|
example:</para>
|
|
|
|
<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
|
|
# PORT PORT
|
|
web:COUNT - eth0 eth1 tcp 80
|
|
web:COUNT - eth1 eth0 tcp - 80
|
|
web:COUNT - eth0 eth1 tcp 443
|
|
web:COUNT - eth1 eth0 tcp - 443
|
|
DONE web</programlisting>
|
|
|
|
<para>Now "shorewall show web" will give you a breakdown of your web
|
|
traffic:</para>
|
|
|
|
<programlisting> [root@gateway shorewall]# shorewall show web
|
|
Shorewall-1.4.6-20030821 Chain web at gateway.shorewall.net - Wed Aug 20 09:48:56 PDT 2003
|
|
|
|
Counters reset Wed Aug 20 09:48:00 PDT 2003
|
|
|
|
Chain web (4 references)
|
|
pkts bytes target prot opt in out source destination
|
|
11 1335 tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
|
|
18 1962 tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80
|
|
0 0 tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
|
|
0 0 tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443
|
|
29 3297 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
|
|
[root@gateway shorewall]#</programlisting>
|
|
|
|
<para>Here is a slightly different example:</para>
|
|
|
|
<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
|
|
# PORT PORT
|
|
web - eth0 eth1 tcp 80
|
|
web - eth1 eth0 tcp - 80
|
|
web - eth0 eth1 tcp 443
|
|
web - eth1 eth0 tcp - 443
|
|
COUNT web eth0 eth1
|
|
COUNT web eth1 eth0</programlisting>
|
|
|
|
<para>Now "shorewall show web" simply gives you a breakdown by input
|
|
and output:</para>
|
|
|
|
<programlisting> [root@gateway shorewall]# shorewall show accounting web
|
|
Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - Wed Aug 20 10:27:21 PDT 2003
|
|
|
|
Counters reset Wed Aug 20 10:24:33 PDT 2003
|
|
|
|
Chain accounting (3 references)
|
|
pkts bytes target prot opt in out source destination
|
|
8767 727K web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
|
|
0 0 web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
|
|
11506 13M web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80
|
|
0 0 web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443
|
|
|
|
Chain web (4 references)
|
|
pkts bytes target prot opt in out source destination
|
|
8767 727K all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0
|
|
11506 13M all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
|
|
[root@gateway shorewall]#</programlisting>
|
|
|
|
<para>Here's how the same example would be constructed on an HTTP server
|
|
(READ THAT FOLKS -- IT SAYS <emphasis role="underline">SERVER</emphasis>. If
|
|
you want to account for web browsing, you have to reverse the rules below)
|
|
with only one interface (eth0):</para>
|
|
|
|
<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
|
|
# PORT PORT
|
|
web - eth0 - tcp 80
|
|
web - - eth0 tcp - 80
|
|
web - eth0 - tcp 443
|
|
web - - eth0 tcp - 443
|
|
COUNT web eth0
|
|
COUNT web - eth0</programlisting>
|
|
|
|
<para>Note that with only one interface, only the SOURCE (for input rules)
|
|
or the DESTINATION (for output rules) is specified in each rule.</para>
|
|
|
|
<para>Here's the output:</para>
|
|
|
|
<programlisting> [root@mail shorewall]# shorewall show accounting web Shorewall-1.4.7
|
|
Chains accounting web at mail.shorewall.net - Sun Oct 12 10:27:21 PDT 2003
|
|
|
|
Counters reset Sat Oct 11 08:12:57 PDT 2003
|
|
|
|
Chain accounting (3 references)
|
|
pkts bytes target prot opt in out source destination
|
|
8767 727K web tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
|
|
11506 13M web tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80
|
|
0 0 web tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
|
|
0 0 web tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443
|
|
|
|
Chain web (4 references)
|
|
pkts bytes target prot opt in out source destination
|
|
8767 727K all -- eth0 * 0.0.0.0/0 0.0.0.0/0
|
|
11506 13M all -- * eth0 0.0.0.0/0 0.0.0.0/0
|
|
[root@mail shorewall]#</programlisting>
|
|
</article> |