Usage monitor via iptables

Discussion in 'Tarifa Firmware' started by bhbattaglin, Feb 4, 2006.

  1. bhbattaglin

    bhbattaglin Network Guru Member

    I would like to set up some basic (Internet bytes in/out for each local ip and/or mac ID) network usage monitoring.

    This article "Bandwidth monitoring with iptables" looked like a relatively easy way to do this.

    As of yet I could not get the iptables function to work as described in the article, mostly because the byte and packet counts don't seem right for FORWARD or for "sub-chains".

    I used the commands:
    #iptables -N userA
    #iptables -A FORWARD
    #iptables -A FORWARD -d -j userA (my subnet mask is
    #iptables -A FORWARD -s -j userA
    #iptables -A userA -d (one IP address I want to monitor)
    #iptables -A userA -s

    I use
    #iptables -L -v -n
    to get results.

    Are there any known implementation issues with iptables (especially byte and packet counts) on the WRT54GL using Tarifa?
    Any other ideas?
  2. jchuit

    jchuit Network Guru Member

    ../router/iptables/iptables.c (incoming log)

    Yes, there are some problems; this is due to the size of the variables. Some are repaired in the Tofu solution for ../router/iptables/iptables.c (incoming log).

    I tested the above commands, and I got some output in Forward, but at the moment I can't see if it is 100% correct data.


    Remark: The solution is from Tofu. The problem is the 64-bit divide function in libc; this divide function is not working through something in the makefile when C library optimization is enabled.
  3. bhbattaglin

    bhbattaglin Network Guru Member

    The Thibor solution?

    Sorry but you lost me.
    What is the Thibor solution?
    Does it work with Tarifa?
    How/should I get/install it?
  4. jchuit

    jchuit Network Guru Member

    The solution for the incoming log is included in this build.

    The hyperwrt firmware (thibor) comes with the upgraded iptables; the Tarifa firmware uses the original iptables.

  5. jchuit

    jchuit Network Guru Member

    iptables -nvL

    Some info:

    For the iptables, all programs are in the /proc/net/ directory.

    There are some differences with the manual mentioned: if you use iptables -nvL at the end, the chain will be built.
    But first some flushing is needed: iptables -F, iptables -X


    Edit: before building a chain first do a cleanup:

    iptables -F
    iptables -X

    iptables -N userA
    iptables -A FORWARD
    iptables -A FORWARD -d -j userA
    iptables -A FORWARD -s -j userA
    iptables -A userA -d
    iptables -A userA -s

    iptables -nvL

    And now you will have a chain for the data usage for the userA.
  6. bhbattaglin

    bhbattaglin Network Guru Member

    iptables working with Tarifa B017

    That seems to work. :D

    In fact it seems that:
    iptables -N userA
    iptables -A FORWARD
    iptables -A FORWARD -d -j userA
    iptables -A FORWARD -s -j userA

    is sufficient.
    Can you tell me when /tmp gets cleared?
    Can you tell me when the iptables get reset? (They seem to lose the chains after a while.)

  7. jchuit

    jchuit Network Guru Member

    firewall: iptables-save iptable-restore

    That's good to hear...

    Now about the other questions:

    The router has two types of memory: the NVRAM (4 Mbyte) and the RAM (16 Mbyte).

    The data stored in NVRAM is non-volatile:
    In the NVRAM the boot loader + CFE settings (512 kbyte, read only) and the firmware are stored; this means there is max. 3.5 Mbyte read and write, and the max. firmware size is limited to 3.0 Mbyte.
    This firmware is mainly stored in the squash (v2.1) file system.

    The data in RAM is volatile:
    The RAM is used as memory to run the programs and store data; in the background, a ramdisk is used to save configs and statistics to a virtual disc (/tmp...).
    This data is only lost after a restart of the router.

    In the (../rc) router control, the main events are handled. After an event, like getting a new IP from your internet service provider, some services need a restart. Some services are then stopped and restarted, and also the iptables (firewall) will then be rebuilt.

    Some handy files:
    The firewall saves data like iptables-save: /tmp/.ipt, /tmp/.rule, /tmp/hosts, and imports them with iptables-restore.

    Last edited: Aug 26, 2013
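The accounting chain from posts #5 and #6, with the reset issue from post #7 in mind, as an added shell example that is not code from the thread or from the Tarifa firmware. The subnet (LAN_NET) and the monitored host (HOST) are assumed placeholder values, and the iptables output used to try the parser is constructed.

```shell
#!/bin/sh
# Build the per-host accounting chain described in the thread, then turn the
# text of "iptables -nvxL userA" into in/out byte totals for one host.
LAN_NET="192.168.1.0/24"   # assumed LAN subnet (placeholder)
HOST="192.168.1.100"       # assumed host to account for (placeholder)

# Needs root and a real iptables; follows post #5 (flush first, then build).
build_userA_chain() {
  iptables -F
  iptables -X
  iptables -N userA
  iptables -A FORWARD -d "$LAN_NET" -j userA
  iptables -A FORWARD -s "$LAN_NET" -j userA
  iptables -A userA -d "$HOST"   # traffic into the host (download)
  iptables -A userA -s "$HOST"   # traffic out of the host (upload)
}

# Read "iptables -nvxL userA" text on stdin and print "in <bytes> out <bytes>".
# -x matters: without it iptables abbreviates counts as 12K/3M, which cannot
# be summed. Rules without a target have one field less than rules with one,
# so source/destination are taken from the end of the line, not by position.
sum_counters() {
  awk -v host="$HOST" '
    NR > 2 && NF >= 8 {
      if ($NF == host)     inb  += $2
      if ($(NF-1) == host) outb += $2
    }
    END { printf "in %d out %d\n", inb, outb }'
}

# Constructed sample output so the parser can be tried without a router.
SAMPLE='Chain userA (2 references)
    pkts      bytes target     prot opt in     out     source               destination
     120      98765            all  --  *      *       0.0.0.0/0            192.168.1.100
      80      12345            all  --  *      *       192.168.1.100        0.0.0.0/0'

usage_from_sample() { printf '%s\n' "$SAMPLE" | sum_counters; }

# On the router: build_userA_chain; iptables -nvxL userA | sum_counters
# The counters live in RAM and vanish when rc rebuilds the firewall (post #7),
# so record them periodically (e.g. append to a file under /tmp) rather than
# relying on the chain to keep accumulating.
usage_from_sample
```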