Hack 65 Collect Statistics with Firewall Rules


Make your firewall ruleset do the work for you when you want to collect statistics.

If you want to start collecting statistics on your network traffic but dread setting up SNMP, you don't have to worry. You can use the firewalling code in your operating system to collect statistics for you.

For instance, if you were using Linux, you could use iptables commands similar to the following to keep track of bandwidth consumed by a particular machine that passes traffic through your firewall:

# iptables -N KRYTEN && iptables -A KRYTEN -j ACCEPT
# iptables -N KRYTEN_IN && iptables -A KRYTEN_IN -j KRYTEN
# iptables -N KRYTEN_OUT && iptables -A KRYTEN_OUT -j KRYTEN
# iptables -A FORWARD -s kryten -j KRYTEN_OUT
# iptables -A FORWARD -d kryten -j KRYTEN_IN

This leverages the packet and byte counters that iptables keeps for every rule to provide inbound and outbound bandwidth statistics for traffic forwarded through the firewall. It works by first defining a chain named KRYTEN, after the host whose traffic is being accounted for. This chain contains a single unconditional ACCEPT rule, and the counters on that rule give the total bandwidth kryten consumes. To itemize the inbound (downstream) bandwidth, a second chain called KRYTEN_IN is created; its only rule jumps unconditionally to KRYTEN, so every inbound packet is counted once on the KRYTEN_IN rule and once more on the KRYTEN total. KRYTEN_OUT does the same for outbound traffic. Finally, two rules in the FORWARD chain dispatch packets to KRYTEN_OUT or KRYTEN_IN, depending on whether they come from or go to kryten.

Two things to keep in mind. Because the KRYTEN chain ends in ACCEPT, every forwarded packet to or from kryten is accepted at that point and never reaches any rule that follows in the FORWARD chain. Either append these rules after your filtering rules, in which case you count only the traffic the firewall already allows, or give the KRYTEN chain a rule with no -j target, which counts the packet and lets it continue through FORWARD so your policy is unchanged. The counters also live only in the kernel: they are zeroed by iptables -Z and lost when the chain is flushed or the machine reboots, so anything that graphs them has to cope with the count dropping back toward zero.

After applying these rules, you can then view the total bandwidth (inbound and outbound) consumed by kryten by running a command like this:

# iptables -vx -L KRYTEN
Chain KRYTEN (2 references)
 pkts   bytes target   prot opt in   out   source   destination
  442   46340 ACCEPT   all  --  any  any   anywhere anywhere

You can easily parse out the bytes field, and thereby generate graphs with RRDtool [Hack #62], by using a command like this. The -x flag is what makes the output parsable: without it, iptables abbreviates large counters as, for example, 46K or 1M, which is useless for graphing.

# iptables -vx -L KRYTEN | egrep -v 'Chain|pkts' | awk '{print $2}'

To get the inbound or outbound bandwidth consumed, just replace KRYTEN with KRYTEN_IN or KRYTEN_OUT, respectively. Of course, you don't have to limit your statistic collection criteria to just per-computer bandwidth usage. You can collect statistics on anything that you can create an iptables rule for, including ports, MAC addresses, or just about anything else that passes through your network.
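The following script is added here as a worked example and is not part of the original hack. It wraps the same per-host chain layout into something you can run from cron to feed RRDtool: the base chain counts without accepting (a rule with no -j target), counters are read with -vxn, a counter reset is handled when turning two samples into a rate, and updates go into an RRD with DERIVE data sources. The host name kryten and chain name KRYTEN come from the text; the RRD path, the polling interval and the ACCOUNT_NOW switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the original hack: per-host traffic accounting with
# iptables counters, fed into RRDtool. HOST, CHAIN, RRD and STEP are assumptions.

HOST=${HOST:-kryten}                    # host (name or IP) to account for
CHAIN=${CHAIN:-KRYTEN}                  # base chain; _IN and _OUT are derived
RRD=${RRD:-/var/lib/rrd/kryten.rrd}     # assumed RRDtool database path
STEP=${STEP:-60}                        # assumed polling interval in seconds

# Create the three chains. The base chain gets a rule with no -j target, which
# only counts: the packet falls off the end of the chain and returns to FORWARD,
# so accounting never ACCEPTs traffic that a later filtering rule should see.
install_rules() {
    iptables -N "$CHAIN"       && iptables -A "$CHAIN"
    iptables -N "${CHAIN}_IN"  && iptables -A "${CHAIN}_IN"  -j "$CHAIN"
    iptables -N "${CHAIN}_OUT" && iptables -A "${CHAIN}_OUT" -j "$CHAIN"
    # Insert at the top of FORWARD so packets are counted before any
    # DROP/REJECT rule further down can discard them.
    iptables -I FORWARD 1 -s "$HOST" -j "${CHAIN}_OUT"
    iptables -I FORWARD 2 -d "$HOST" -j "${CHAIN}_IN"
}

# Parse 'iptables -vxn -L <chain>' output from stdin and print "<pkts> <bytes>"
# for the first rule. The 'Chain ...' and column-header lines do not start
# with two numeric fields, so they are skipped.
parse_counters() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ { print $1, $2; exit }'
}

# Read the live counters for a chain. -x prints exact byte counts (no K/M/G
# rounding) and -n suppresses the reverse DNS lookups -L does by default.
counters() {
    iptables -vxn -L "$1" | parse_counters
}

# Convert two successive byte counts into a rate. iptables counters only grow
# until the chain is flushed or the box reboots; if the new value is smaller
# than the old one, assume a reset and count only the bytes seen since then.
bytes_per_second() {   # usage: bytes_per_second <previous> <current> <seconds>
    prev=$1; cur=$2; secs=$3
    if [ "$cur" -lt "$prev" ]; then prev=0; fi
    echo $(( (cur - prev) / secs ))
}

# Build the rrdtool 'update' argument from the _IN and _OUT chains. With DERIVE
# data sources (minimum 0) RRDtool computes the rate itself and ignores the
# negative step caused by a counter reset, so there is no need to zero the
# counters with -Z between polls.
rrd_update_arg() {
    in_bytes=$(counters "${CHAIN}_IN"  | cut -d' ' -f2)
    out_bytes=$(counters "${CHAIN}_OUT" | cut -d' ' -f2)
    echo "N:${in_bytes:-U}:${out_bytes:-U}"
}

main() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables >/dev/null 2>&1; then
        echo "needs root on a Linux host with iptables" >&2
        return 1
    fi
    # Create the chains the first time through; -L on a missing chain fails.
    iptables -n -L "$CHAIN" >/dev/null 2>&1 || install_rules
    # One-day 1-minute archive plus a 30-day hourly archive (assumed layout).
    [ -f "$RRD" ] || rrdtool create "$RRD" --step "$STEP" \
        "DS:in:DERIVE:$((STEP * 2)):0:U" "DS:out:DERIVE:$((STEP * 2)):0:U" \
        RRA:AVERAGE:0.5:1:1440 RRA:AVERAGE:0.5:60:720
    rrdtool update "$RRD" "$(rrd_update_arg)"
}

# Only poll when explicitly asked, so the file can be sourced for its functions.
if [ "${ACCOUNT_NOW:-0}" = 1 ]; then main; fi
```

Run it as root from cron every STEP seconds with ACCOUNT_NOW=1 set. The dispatch rules are inserted at the top of FORWARD on purpose: that way the counters include packets the firewall later drops, which is what you want when the question is how much traffic a host is generating rather than how much you let through.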