Traffic counter for an internal client

and_woox

I'm working with connbytes to limit the amount of traffic (in/out) for a client in my network, but to no avail.

For example, if I would like to limit all traffic (not restricted to one client) I could use:

iptables -A INPUT -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes -j DROP   # connbytes also requires --connbytes-dir and --connbytes-mode, or iptables rejects the rule

How would I specify an IP?

How can i reset this counter every month?

Thank you


Maybe something like:

iptables -A INPUT -s x.x.x.x -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes -j DROP   # --connbytes-dir and --connbytes-mode are mandatory for the connbytes match

replacing x.x.x.x with the IP you want to have as the source IP to monitor. Unless it's a destination IP, then change -s to -d.


I'm not sure how more direct you can get than using iptables-save and iptables-restore :unsure:

However, if iptables is configured correctly, on an rpm distro, you can probably just do this with:

service iptables restart

or restart the service in the GUI if you prefer not to use the command line. Make sure that /etc/sysconfig/iptables is configured to save any rules when it shuts down. Also, if, for example, you wanted to restart the service at the end of the month because you were monitoring for a month, then you'd schedule a job in /etc/cron.monthly to restart the service for you. Then just sit back and never have to reset it yourself.


Looking at the iptables man page:

connbytes
    Match by how many bytes or packets a connection (or one of the two flows constituting the connection) have transferred so far, or by average bytes per packet.

    The counters are 64bit and are thus not expected to overflow ;)

    The primary use is to detect long-lived downloads and mark them to be scheduled using a lower priority band in traffic control.

    The transferred bytes per connection can also be viewed through /proc/net/ip_conntrack and accessed via ctnetlink

    [!] --connbytes from:[to]
        match packets from a connection whose packets/bytes/average packet size is more than FROM and less than TO bytes/packets. if TO is omitted only FROM check is done. "!" is used to match packets not falling in the range.

It looks OK, so I don't know why, as I've never tried it.


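Putting the replies together (a per-IP rule plus a monthly reset from cron), here is an added example that is not from the thread. Since the quoted man page says connbytes counts what "a connection" has transferred, the example uses the quota match instead, which keeps one counter per rule regardless of how many connections the client opens; the chain layout, the FORWARD hook, the client IP and the byte limit are assumptions, and DRY_RUN=1 (the default) only prints the iptables commands.

```shell
#!/bin/sh
# Added example, not from the thread: a per-client byte budget that counts
# both directions in one counter, plus a reset step for a monthly cron job.
# Assumptions (placeholders): the box forwards the client's traffic (FORWARD
# chain) and xt_quota is available. DRY_RUN=1, the default, prints the
# commands instead of running them so the script can be reviewed first.

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One user chain per client, e.g. 192.0.2.10 -> Q_192_0_2_10 (fits the
# 28-character chain name limit for dotted-quad addresses).
chain_name() {
    printf 'Q_%s\n' "$(printf '%s' "$1" | tr . _)"
}

# The quota rule holds one shared counter for packets to and from the client,
# so it is a real per-client budget; connbytes, by contrast, counts bytes of a
# single connection and starts from zero again for every new connection.
quota_rules() {
    chain=$1; limit=$2
    run iptables -A "$chain" -m quota --quota "$limit" -j ACCEPT
    run iptables -A "$chain" -j DROP
}

# Initial setup: create the chain, fill it, and send both directions to it.
setup_client_quota() {
    ip=$1; limit=$2; chain=$(chain_name "$ip")
    run iptables -N "$chain"
    quota_rules "$chain" "$limit"
    run iptables -I FORWARD -s "$ip" -j "$chain"
    run iptables -I FORWARD -d "$ip" -j "$chain"
}

# Monthly reset: flushing and re-adding the quota rule gives a fresh counter.
# Run with DRY_RUN=0 from a job in /etc/cron.monthly (new month, new budget).
reset_client_quota() {
    ip=$1; limit=$2; chain=$(chain_name "$ip")
    run iptables -F "$chain"
    quota_rules "$chain" "$limit"
}

# Usage: sh quota.sh setup 192.0.2.10 5000000000   (or: reset <ip> <bytes>)
case "${1:-}" in
    setup) setup_client_quota "$2" "$3" ;;
    reset) reset_client_quota "$2" "$3" ;;
esac
```

Check the remaining budget with `iptables -nvxL Q_192_0_2_10`; the DROP rule's byte counter shows what was refused after the quota ran out.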