I have a linux firewall setup with 3 zones:
– green for LAN (192.168.0.0/24)
– blue for WLAN (192.168.1.0/24)
– orange for DMZ (192.168.2.0/24)
All zones have systems running and I want to know what traffic to external each system is producing. Doing some tests, there was/must always be some internal traffic, because vnstat on the external device showed different traffic counts.
Doing some research I ended up with something like this (example for one internal IP and only for upload):
/sbin/iptables -N TRAFFICFILTERUP
/sbin/iptables -I OUTPUT -j TRAFFICFILTERUP
/sbin/iptables -A TRAFFICFILTERUP -d 127.0.0.0/8 -j RETURN
/sbin/iptables -A TRAFFICFILTERUP -d 192.168.0.0/24 -j RETURN
/sbin/iptables -A TRAFFICFILTERUP -d 192.168.1.0/24 -j RETURN
/sbin/iptables -A TRAFFICFILTERUP -d 192.168.2.0/24 -j RETURN
/sbin/iptables -A TRAFFICFILTERUP -j LOG
/sbin/iptables -N TRAFFICUP
/sbin/iptables -A TRAFFICFILTERUP -j TRAFFICUP
/sbin/iptables -A TRAFFICUP -s 192.168.2.1
Results:
iptables -L TRAFFICUP -nvx
Chain TRAFFICUP (1 references)
pkts bytes target prot opt in out source destination
0 0 all -- * * 192.168.2.1 0.0.0.0/0
iptables -L TRAFFICFILTERUP -nvx
Chain TRAFFICFILTERUP (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 127.0.0.0/8
0 0 RETURN all -- * * 0.0.0.0/0 192.168.0.0/24
0 0 RETURN all -- * * 0.0.0.0/0 192.168.1.0/24
1349 271065 RETURN all -- * * 0.0.0.0/0 192.168.2.0/24
402 171503 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
401 171249 TRAFFICUP all -- * * 0.0.0.0/0 0.0.0.0/0
Why is there no traffic in TRAFFICUP? Any suggestions or is the whole approach wrong?
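An added example (not from the question or answer) of how the same per-host upload accounting can be generated and read back. It assumes the internal hosts' packets are forwarded by the firewall, so the accounting chain is hooked into FORWARD rather than OUTPUT (OUTPUT only carries packets the firewall itself generates); it runs as a dry run that prints the rules unless IPT is set to the real binary, and the counter output fed to the parser is constructed sample text.

```shell
#!/bin/sh
# Per-host upload accounting for a 3-zone firewall (added example).
# Dry run by default: IPT=echo prints the rules instead of loading them.
IPT="${IPT:-echo /sbin/iptables}"
INTERNAL_NETS="127.0.0.0/8 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24"

# Emit the rule set: a filter chain that returns internal-to-internal
# traffic out of the accounting path, then one counting rule per host.
gen_accounting_rules() {
    # $@ = internal host addresses to account for
    $IPT -N TRAFFICFILTERUP
    # Hook into FORWARD: hosts' packets are routed through the box, not
    # generated on it. SNAT happens later in POSTROUTING, so -s still
    # sees the internal source address here.
    $IPT -I FORWARD -j TRAFFICFILTERUP
    for net in $INTERNAL_NETS; do
        $IPT -A TRAFFICFILTERUP -d "$net" -j RETURN
    done
    $IPT -N TRAFFICUP
    $IPT -A TRAFFICFILTERUP -j TRAFFICUP
    for host in "$@"; do
        # a rule without -j only counts and falls through
        $IPT -A TRAFFICUP -s "$host"
    done
}

# Parse `iptables -L TRAFFICUP -nvx` output from stdin into "source bytes".
# The target column is blank for count-only rules, so locate the opt
# column ("--") and take the source three fields after it.
report_upload() {
    awk '$1 ~ /^[0-9]+$/ {
        for (i = 1; i <= NF; i++) if ($i == "--") { print $(i+3), $2; break }
    }'
}

# Constructed sample of counter output (not real firewall data).
SAMPLE_COUNTERS='Chain TRAFFICUP (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    1349     271065            all  --  *      *       192.168.2.1          0.0.0.0/0
      12       1840            all  --  *      *       192.168.0.10         0.0.0.0/0'

if [ "${1:-}" = "demo" ]; then
    gen_accounting_rules 192.168.2.1 192.168.0.10
    printf '%s\n' "$SAMPLE_COUNTERS" | report_upload
fi
```

Run with `sh script.sh demo` to see the generated rules and the parsed per-host byte totals; set `IPT=/sbin/iptables` (as root) to load them for real.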
Best Answer
should be