iptables count port 80

tony.chamberlain at lemko.com tony.chamberlain at lemko.com
Thu Jul 24 12:57:16 UTC 2008


 I want to measure the amount of traffic (Linux) on port 80 (Tomcat)
 separated by incoming and outgoing. I figure maybe I can do this
 (after creating the chains):

 iptables -A INPUT -d 10.0.0.50 -p tcp -m tcp --dport 80 -j COUNTIN
 iptables -A INPUT -s 10.0.0.50 -p tcp -m tcp --sport 80 -j COUNTOUT
 iptables -A COUNTIN -j ACCEPT
 iptables -A COUNTOUT -j ACCEPT

 and then do an iptables -L -nv to count the bytes. This gives output
 like this:

 Chain INPUT (policy ACCEPT 510M packets, 26G bytes)
  pkts bytes target   prot opt in out source    destination
   365 29891 COUNTIN  tcp  --  *  *   0.0.0.0/0 10.0.0.50    tcp dpt:80
     0     0 COUNTOUT tcp  --  *  *   10.0.0.50 0.0.0.0/0    tcp spt:80
 ...
 ...
 Chain COUNTIN (1 references)
  pkts bytes target   prot opt in out source    destination
   365 29891 ACCEPT   all  --  *  *   0.0.0.0/0 0.0.0.0/0

 Chain COUNTOUT (1 references)
  pkts bytes target   prot opt in out source    destination
     0     0 ACCEPT   all  --  *  *   0.0.0.0/0 0.0.0.0/0



 Now a couple of questions.

 1. Will this screw up normal TCP/UDP behavior? It does not seem to.

 2. Do I need to do the "ACCEPT" lines? Will normal TCP and IP still
 work? It seems like I need it for 2 reasons:
    1 - So the packets actually get accepted. But maybe they will anyway?
    2 - When I use -Z (like iptables -Z COUNTIN) to zero the chain, if I
        don't have the -j ACCEPT those two chains won't be listed and I
        can't zero the chains. I can zero INPUT but that will zero all
        INPUT.
 (Now that I think of it, COUNTOUT should be on OUTPUT not INPUT but
 the same question applies)

It is easier to grep "COUNTIN tcp" and get the first 2 fields than
grepping for "Chain COUNTIN", reading 2 lines and then getting
the fields (which I suppose could be done with awk).
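
The setup discussed above, as an added example that is not part of the original post: the counting chains hang off INPUT and OUTPUT respectively, end in RETURN instead of ACCEPT so they only count and never decide a packet's fate, and the counters are read per chain with awk from the output of iptables -L -nvx. The server address 10.0.0.50 is taken from the post; the listing the parser reads is a constructed sample, so the script runs without root or iptables.

```shell
#!/bin/sh
# Added example, not from the original post. Installs port-80 counting
# chains and parses their counters from an "iptables -L -nvx" listing.

SERVER=10.0.0.50   # address from the post

# Applying the rules needs root, so they are wrapped in a function and
# not run here. -I puts the counting rules first, so an earlier ACCEPT
# or DROP cannot hide packets from the counters; RETURN hands the packet
# back to INPUT/OUTPUT, so the chains count but do not accept anything.
install_counters() {
    iptables -N COUNTIN  2>/dev/null || true
    iptables -N COUNTOUT 2>/dev/null || true
    iptables -A COUNTIN  -j RETURN
    iptables -A COUNTOUT -j RETURN
    iptables -I INPUT  -d "$SERVER" -p tcp --dport 80 -j COUNTIN
    iptables -I OUTPUT -s "$SERVER" -p tcp --sport 80 -j COUNTOUT
}

# Print "pkts bytes" for chain $1 from listing text $2, summing every
# rule in that chain's own block (-x gives exact counts, no K/M suffix).
chain_counts() {
    printf '%s\n' "$2" | awk -v chain="$1" '
        $1 == "Chain" && $2 == chain { inchain = 1; next }
        inchain && $1 == "pkts" { next }      # skip column header
        inchain && NF == 0 { exit }           # blank line ends the chain
        inchain { p += $1; b += $2 }
        END { print p + 0, b + 0 }'
}

# Constructed sample of "iptables -L -nvx" output (not captured live).
SAMPLE='Chain INPUT (policy ACCEPT 510000000 packets, 26000000000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     365      29891 COUNTIN    tcp  --  *      *       0.0.0.0/0            10.0.0.50            tcp dpt:80

Chain COUNTIN (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     365      29891 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain COUNTOUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
'

chain_counts COUNTIN  "$SAMPLE"   # 365 29891
chain_counts COUNTOUT "$SAMPLE"   # 0 0
```

On a live box replace "$SAMPLE" with "$(iptables -L -nvx)" and zero a single chain afterwards with iptables -Z COUNTIN, which leaves the INPUT counters untouched.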

