List: netfilter
Subject: Re: (Ab)using iptables to record byte count per IP?
From: Robert Nichols <rnicholsNOSPAM () comcast ! net>
Date: 2009-01-09 17:10:08
Message-ID: gk80dh$4gs$1 () ger ! gmane ! org
Richard Hartmann wrote:
> On Fri, Jan 9, 2009 at 12:50, Artūras Šlajus <x11@arturaz.net> wrote:
>
>> iptables -A ACCOUNTING -s your_user_ip -j ACCEPT
>> iptables -A ACCOUNTING -d your_user_ip -j ACCEPT
>
> Doesn't that mean that I am bypassing the rest of the
> firewall rules?
Yes, it would. Just leave off the "-j ACCEPT" or use "-j RETURN" if
you want to bypass the rest of the ACCOUNTING chain. There is no
requirement that a rule have a target. I have a couple of rules
like that in my "mangle" table PREROUTING and POSTROUTING chains,
and they work just fine.

You'll want to use iptables with the "-x" flag when reading the
counters so that you get exact counts and not numbers like "14G".
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
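Added example, not part of Bob's message or anything else in this thread: a POSIX shell script that builds the target-less ACCOUNTING chain he describes (jumped to from the top of INPUT and OUTPUT, with one counting rule per direction and no -j at all) and a reader for the output of "iptables -vnx -L ACCOUNTING" that turns each rule's exact byte counter into a "from/to IP bytes" line and refuses abbreviated values such as "14G", which is what you get when the counters are read without -x. The chain name, the host 192.0.2.10 and the counter values in the embedded sample are constructed; setting IPT=echo dry-runs the rule commands without root.

```shell
#!/bin/sh
# Added example (not from the thread). Target-less accounting rules plus
# a reader for exact (-x) counters. IPT=echo dry-runs without root.
IPT="${IPT:-iptables}"

# Build the ACCOUNTING chain: jump to it at the top of INPUT and OUTPUT,
# then add one counting rule per direction with no -j at all, so every
# packet is counted and falls through to the normal firewall rules.
setup_accounting() {
    ip="$1"
    $IPT -N ACCOUNTING
    $IPT -I INPUT  1 -j ACCOUNTING
    $IPT -I OUTPUT 1 -j ACCOUNTING
    $IPT -A ACCOUNTING -s "$ip"     # bytes sent by the host
    $IPT -A ACCOUNTING -d "$ip"     # bytes received by the host
}

# Read "iptables -vnx -L ACCOUNTING" output from stdin and print
# "from <ip> <bytes>" / "to <ip> <bytes>" lines, one per rule.
# Source and destination are taken as the last two columns, which holds
# whether or not a rule has a target (a missing target shifts the
# remaining columns left, so fixed column numbers would break).
read_counters() {
    awk '
        NR <= 2 { next }                     # chain banner and column header
        $2 !~ /^[0-9]+$/ {                   # "14G": counters not read with -x
            print "non-exact counter \"" $2 "\": re-run iptables with -x" > "/dev/stderr"
            exit 1
        }
        {
            src = $(NF - 1); dst = $NF
            if (src != "0.0.0.0/0") printf "from %s %s\n", src, $2
            else                    printf "to %s %s\n", dst, $2
        }'
}

# Constructed sample of what "iptables -vnx -L ACCOUNTING" prints for the
# two rules above (host 192.0.2.10); the packet and byte counts are made up.
SAMPLE='Chain ACCOUNTING (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    8123   15032385            all  --  *      *       192.0.2.10           0.0.0.0/0
   12044  140011211            all  --  *      *       0.0.0.0/0            192.0.2.10'

# Live use: setup_accounting 192.0.2.10; iptables -vnx -L ACCOUNTING | read_counters
printf '%s\n' "$SAMPLE" | read_counters
```

For a router counting traffic on behalf of other hosts, the same jump would go at the top of FORWARD instead of INPUT/OUTPUT; the counting rules themselves are unchanged.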