Iptables and counters

iptablesnat;traffic

I'm trying to use iptables counters with munin to monitor traffic of hosts on my local subnet. For each host I set up a rule like this:

iptables -I OUTPUT -d $ip

This should count the packets going from firewall to $ip, correct?

I found out that this does not seem to count all packets. I start tcpdump on my router (Linux) and I see packets to $ip that are not counted.

For example I check number of packets for rule to my phone IP. I start tcpdump, refresh Gmail on my phoone, I see packets in tcpdump's output but iptables rule counters are not incremented. Then I open a web page on the same phone and the counters are incremented.

What could be the reason?

Best Answer

The OUTPUT chain is used by packets output from the firewall itself.

The chain you want to use is FORWARD, which is used by packets forwarded by the firewall.

Related Solutions

Iptables and SNAT

Remove the three rules you have above and try adding this:

$IPTABLES -t NAT -A POSTROUTING -s 192.x.y.a -j SNAT 192.x.y.b
$IPTABLES -A FORWARD -s 192.x.y.a -J ACCEPT

And enter the following command:

echo 1 > /proc/sys/net/ipv4/ip_forward

You should also have a rule similar to the following in your firewall:

$IPTABLES -t FILTER -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

That will take care of all established/related connections, instead of making a rule for each one.

Linux – IPtables SNAT eats packets

What am I doing wrong?

Probably nothing. It's the way packets traverse Netfilter.

Check this diagram as a reference:

(Source: Iptables Tutorial 1.2.1 by Oskar Andreasson, 2006)

I cannot find them in the counters of any other chain or table

SNAT is a final Netfilter target, packets will not show up in the same chain afterwards. The POSTROUTING-chain in the nat-table is the absolute final table a packet can traverse the Netfilter-framework. Tcpdump is attached to a fairly ealier stage, I think in mangle/POSTROUTING.

and cannot see them on any interface using tcpdump. That's because tcpdump sees the packet's before they are getting SNATed.

Is something actually going wrong? It sounds like perfectly normal Netfilter-tcpdump-oddities.

Edit: Your SNAT statement happens in the end. Maybe you need to insert it before the -o wanif -j SNAT --to-source $WAN_IP statement. Since I have no more details, I can't tell if it's a mistake or intentional.

Best Answer

Related Solutions

Iptables and SNAT

Linux – IPtables SNAT eats packets

Related Topic