Full Version: Traffic counter for an internal client
MandrivaUsers.org > Advanced Topics > Networking
and_woox
I'm working with connbytes to limit the amount of traffic (in/out) for a client in my network, but to no avail.
For example, if I would like to limit all traffic (not restricted to one client) I could use:

iptables -A INPUT -m connbytes --connbytes 10000:100000 -j DROP

How would I specify an IP?
How can i reset this counter every month?
Thank you
and_woox
None of you know about this?
ianw1974
Maybe something like:

CODE
iptables -A INPUT -s x.x.x.x -m connbytes --connbytes 10000:100000 -j DROP


replacing x.x.x.x with the IP you want to have as the source IP to monitor. Unless it's a destination IP, then change -s to -d.
paul
iptables-save and iptables-restore will reset counters
and_woox
QUOTE
iptables-save and iptables-restore will reset counters

For me to use these commands I will have to work with other iptables.
Is there a way for me to reset the counter in a direct way?
ianw1974
I'm not sure how much more direct you can get than using iptables-save and iptables-restore.

However, if iptables is configured correctly, on an rpm distro, you can probably just do this with:

CODE
service iptables restart


or restart the service in the GUI if you prefer not to use the command line. Make sure that /etc/sysconfig/iptables is configured to save any rules when it shuts down. Also, if, for example, you wanted to restart the service at the end of the month because you were monitoring for a month, then you'd schedule a job in /etc/cron.monthly to restart the service for you. Then just sit back and never have to reset it yourself.
and_woox
Thanks for the tip.
I used this script for connbytes:

CODE
iptables -A INPUT -s 198.168.1.196 -m connbytes --connbytes 3000000: -j DROP

but my connection kept going.
Do you see anything missing?
and_woox
Hey ianw1974, what do you think?
ianw1974
Looking at iptables man page:

CODE
connbytes
       Match by how many bytes or packets a connection  (or  one  of  the  two
       flows  constituting the connection) have tranferred so far, or by aver-
       age bytes per packet.

       The counters are 64bit and are thus not expected to overflow;)

       The primary use is to detect long-lived downloads and mark them  to  be
       scheduled using a lower priority band in traffic control.

       The  transfered  bytes  per  connection  can  also  be  viewed  through
       /proc/net/ip_conntrack and accessed via ctnetlink

       [!] --connbytes from:[to]
              match packets  from  a  connection  whose  packets/bytes/average
              packet size is more than FROM and less than TO bytes/packets. if
              TO is omitted only FROM check is done.  "!"  is  used  to  match
              packets not falling in the range.


it looks OK, so I don't know why as I've never tried it.
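Added example, not code from anyone in this thread: the man page quoted above says connbytes counts per connection, so a monthly total for one client is easier to get from the byte counters of an ordinary per-IP rule, zeroed from /etc/cron.monthly as ianw1974 suggests. The client address, the 3000000-byte budget, and the chain name CLIENT_ACCT are assumed values; the counter output is a constructed sample of what `iptables -nvx -L` prints.

```shell
#!/bin/sh
# Per-client byte accounting with rule counters (added example).
CLIENT="${CLIENT:-192.168.1.196}"   # assumed client address
LIMIT="${LIMIT:-3000000}"           # assumed monthly byte budget
CHAIN=CLIENT_ACCT                   # assumed chain name

# One-time setup as root: divert traffic to and from the client through
# CHAIN, so the RETURN rule's byte counter is the client's total in both
# directions. If this box routes for the client, use FORWARD instead of
# INPUT/OUTPUT.
setup_rules() {
    iptables -N "$CHAIN"
    iptables -A "$CHAIN" -j RETURN
    iptables -I INPUT  1 -s "$CLIENT" -j "$CHAIN"
    iptables -I OUTPUT 1 -d "$CLIENT" -j "$CHAIN"
}

# Sum the RETURN rule's byte column from `iptables -nvx -L CHAIN` output
# passed as $1 (-x prints exact byte counts rather than "3072K").
bytes_used() {
    printf '%s\n' "$1" | awk '$3 == "RETURN" { s += $2 } END { printf "%d\n", s }'
}

# Exit status 0 when the client has reached the budget.
over_quota() {
    [ "$(bytes_used "$1")" -ge "$LIMIT" ]
}

# Monthly reset, e.g. from a script in /etc/cron.monthly: zero the counters.
reset_counters() {
    iptables -Z "$CHAIN"
}

# Constructed sample of `iptables -nvx -L CLIENT_ACCT` output for offline use.
SAMPLE='Chain CLIENT_ACCT (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    2048    3145728 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Read live counters when run as root with iptables available; otherwise
# (or if the chain is missing) fall back to the constructed sample.
if command -v iptables >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    OUT=$(iptables -nvx -L "$CHAIN" 2>/dev/null) || OUT=$SAMPLE
else
    OUT=$SAMPLE
fi
if over_quota "$OUT"; then
    echo "$CLIENT used $(bytes_used "$OUT") bytes, over the $LIMIT byte budget"
else
    echo "$CLIENT used $(bytes_used "$OUT") bytes, within budget"
fi
```

Run `setup_rules` once as root, then call the script from cron with `reset_counters` at the start of each month.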