shorewall-doc-4.0.15-0.2mdvmes5.noarch.rpm

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Shorewall Traffic Accounting</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id257527"></a>Shorewall Traffic Accounting</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><p class="copyright">Copyright © 2003-2006 Thomas M. Eastep</p></div><div><div class="legalnotice"><a id="id292634"></a><p>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      “<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_self">GNU Free Documentation
      License</a></span>”.</p></div></div><div><p class="pubdate">2008/12/15</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#Basics">Accounting Basics</a></span></dt><dt><span class="section"><a href="#Bridge">Accounting with Bridges</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 4.0 and
    later. If you are running a version of Shorewall earlier than Shorewall
    4.0.0 then please see the documentation for that
    release</strong></span>.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Basics"></a>Accounting Basics</h2></div></div></div><p>Shorewall accounting rules are described in the file
    <code class="filename">/etc/shorewall/accounting</code>. By default, the
    accounting rules are placed in a chain called “<span class="quote">accounting</span>”
    and can thus be displayed using “<span class="quote">shorewall[-lite] show
    accounting</span>”. All traffic passing into, out of, or through the
    firewall traverses the accounting chain including traffic that will later
    be rejected by interface options such as “<span class="quote">tcpflags</span>” and
    “<span class="quote">maclist</span>”. If your kernel doesn't support the connection
    tracking match extension (Kernel 2.4.21) then some traffic rejected under
    “<span class="quote">norfc1918</span>” will not traverse the accounting chain.</p><p>The columns in the accounting file are as follows:</p><div class="itemizedlist"><ul type="disc"><li><p><span class="bold"><strong>ACTION </strong></span>- What to do when a
        match is found. Possible values are:</p><div class="itemizedlist"><ul type="circle"><li><p>COUNT - Simply count the match and continue trying to match
            the packet with the following accounting rules.</p></li><li><p>DONE - Count the match and don't attempt to match any
            following accounting rules.</p></li><li><p><span class="emphasis"><em>&lt;chain&gt;</em></span> - The name of a chain;
            Shorewall will create the chain automatically if it doesn't
            already exist. A jump to this chain will be generated from
            the chain specified by the CHAIN column. If the name of the chain
            is followed by “<span class="quote">:COUNT</span>” then a COUNT rule matching
            this entry will automatically be added to &lt;chain&gt;. Chain
            names must start with a letter, must be composed of letters and
            digits, and may contain underscores (“<span class="quote">_</span>”) and periods
            (“<span class="quote">.</span>”). Beginning with Shorewall version 1.4.8, chain
            names may also contain embedded dashes (“<span class="quote">-</span>”) and are
            not required to start with a letter.</p></li><li><p>COMMENT - (Shorewall-perl only) - The remainder of the line
            is treated as a comment which is <a class="ulink" href="configuration_file_basics.htm#COMMENT" target="_self">attached to subsequent
            rules</a> until another COMMENT line is found or until the end
            of the file is reached. To stop adding comments to rules, use a
            line with only the word COMMENT.</p></li></ul></div></li><li><p><span class="bold"><strong>CHAIN</strong></span> - The name of the chain
        where the accounting rule is to be added. If empty or “<span class="quote">-</span>”
        then the “<span class="quote">accounting</span>” chain is assumed (see <a class="link" href="#Bridge" title="Accounting with Bridges">below</a> for exceptions).</p></li><li><p><span class="bold"><strong>SOURCE</strong></span> - Packet Source. The
        name of an interface, an address (host or net), or an interface name
        followed by “<span class="quote">:</span>” and a host or net address.</p></li><li><p><span class="bold"><strong>DESTINATION</strong></span> - Packet
        Destination. Format the same as the SOURCE column.</p></li><li><p><span class="bold"><strong>PROTOCOL</strong></span> - A protocol name (from
        <code class="filename">/etc/protocols</code>), a protocol number or
        “<span class="quote">ipp2p</span>”. For “<span class="quote">ipp2p</span>”, your kernel and
        iptables must have ipp2p match support from <a class="ulink" href="http://www.netfilter.org" target="_self">Netfilter
        Patch_o_matic_ng</a>.</p></li><li><p><span class="bold"><strong>DEST PORT</strong></span> - Destination Port
        number. Service name from <code class="filename">/etc/services</code> or port
        number. May only be specified if the protocol is TCP or UDP (6 or
        17).  If the PROTOCOL is “<span class="quote">ipp2p</span>”, then this column is
        interpreted as an ipp2p option without the leading “<span class="quote">--</span>”
        (default “<span class="quote">ipp2p</span>”). For a list of valid ipp2p options, as
        root type <span class="command"><strong>iptables -m ipp2p --help</strong></span>.</p></li><li><p><span class="bold"><strong>SOURCE PORT</strong></span> - Source Port
        number. Service name from /etc/services or port number. May only be
        specified if the protocol is TCP or UDP (6 or 17).</p></li><li><p><span class="bold"><strong>USER/GROUP</strong></span> - This column may
        only be non-empty if the CHAIN is OUTPUT. The column may
        contain:</p><pre class="programlisting">[!][&lt;user name or number&gt;][:&lt;group name or number&gt;][+&lt;program name&gt;]</pre><p>When this column is non-empty, the rule applies only if the
        program generating the output is running under the effective
        &lt;user&gt; and/or &lt;group&gt; specified (or is NOT running under
        that id if “<span class="quote">!</span>” is given).</p><p>Examples:</p><table class="simplelist" border="0" summary="Simple list"><tr><td>joe #program must be run by joe</td></tr><tr><td>:kids #program must be run by a member of the
          “<span class="quote">kids</span>” group.</td></tr><tr><td>!:kids #program must not be run by a member of the
          “<span class="quote">kids</span>” group</td></tr><tr><td>+upnpd #program named upnpd (This feature was removed from
          Netfilter in kernel version 2.6.14).</td></tr></table></li><li><p><span class="bold"><strong>MARK</strong></span> - Only count packets with
        particular mark values.
        </p><pre class="programlisting">[!]&lt;value&gt;[/&lt;mask&gt;][:C]</pre><p>
        Defines a test on the existing packet or connection mark. The rule will
        match only if the test returns true.</p><p>If you don’t want to define a test but need to specify anything
        in the following columns, place a “<span class="quote">-</span>” in this field.</p><table class="simplelist" border="0" summary="Simple list"><tr><td>! — Inverts the test (not equal)</td></tr><tr><td>&lt;value&gt; — Value of the packet or connection
            mark.</td></tr><tr><td>&lt;mask&gt; — A mask to be applied to the mark before
            testing.</td></tr><tr><td>:C — Designates a connection mark. If omitted, the packet
            mark’s value is tested. This option is only supported by
            Shorewall-perl.</td></tr></table></li></ul></div><p>In all columns except ACTION and CHAIN, the values
    “<span class="quote">-</span>”, “<span class="quote">any</span>” and “<span class="quote">all</span>” are treated as
    wild-cards.</p><p>The accounting rules are evaluated in the Netfilter
    “<span class="quote">filter</span>” table. This is the same environment where the
    “<span class="quote">rules</span>” file rules are evaluated and in this environment,
    DNAT has already occurred in inbound packets and SNAT has not yet occurred
    on outbound packets.</p><p>Accounting rules are not stateful -- each rule only handles traffic
    in one direction. For example, if eth0 is your Internet interface, and you
    have a web server in your DMZ connected to eth1, then counting HTTP
    traffic in both directions requires two rules:</p><pre class="programlisting">        #ACTION CHAIN   SOURCE  DESTINATION     PROTOCOL        DEST            SOURCE
        #                                                       PORT            PORT
        DONE    -       eth0    eth1            tcp             80
        DONE    -       eth1    eth0            tcp             -               80</pre><p>Associating a counter with a chain allows for nice reporting. For
    example:</p><pre class="programlisting">        #ACTION         CHAIN   SOURCE  DESTINATION     PROTOCOL        DEST            SOURCE
        #                                                               PORT            PORT
        web:COUNT       -       eth0    eth1            tcp             80
        web:COUNT       -       eth1    eth0            tcp             -               80
        web:COUNT       -       eth0    eth1            tcp             443
        web:COUNT       -       eth1    eth0            tcp             -               443
        DONE            web</pre><p>Now <span class="command"><strong>shorewall show web</strong></span> (or <span class="command"><strong>shorewall-lite
    show web</strong></span> for Shorewall Lite users) will give you a breakdown
    of your web traffic:</p><pre class="programlisting">     [root@gateway shorewall]# shorewall show web
     Shorewall-1.4.6-20030821 Chain web at gateway.shorewall.net - Wed Aug 20 09:48:56 PDT 2003
     
     Counters reset Wed Aug 20 09:48:00 PDT 2003

     Chain web (4 references)
     pkts bytes target     prot opt in     out     source               destination
       11  1335            tcp  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0          tcp dpt:80
       18  1962            tcp  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0          tcp spt:80
        0     0            tcp  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0          tcp dpt:443
        0     0            tcp  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0          tcp spt:443
       29  3297 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
       [root@gateway shorewall]#</pre><p>Here is a slightly different example:</p><pre class="programlisting">        #ACTION         CHAIN   SOURCE  DESTINATION     PROTOCOL        DEST            SOURCE
        #                                                               PORT            PORT
        web             -       eth0    eth1            tcp             80
        web             -       eth1    eth0            tcp             -               80
        web             -       eth0    eth1            tcp             443
        web             -       eth1    eth0            tcp             -               443
        COUNT           web     eth0    eth1
        COUNT           web     eth1    eth0</pre><p>Now <span class="command"><strong>shorewall show web</strong></span> (or <span class="command"><strong>shorewall-lite
    show web</strong></span> for Shorewall Lite users) simply gives you a
    breakdown by input and output:</p><pre class="programlisting">     [root@gateway shorewall]# shorewall show accounting web
     Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - Wed Aug 20 10:27:21 PDT 2003

     Counters reset Wed Aug 20 10:24:33 PDT 2003

     Chain accounting (3 references)
         pkts bytes target     prot opt in     out     source               destination
         8767  727K web        tcp  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0          tcp dpt:80
            0     0 web        tcp  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0          tcp dpt:443
        11506   13M web        tcp  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0          tcp spt:80
            0     0 web        tcp  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0          tcp spt:443

     Chain web (4 references)
         pkts bytes target     prot opt in     out     source               destination
         8767  727K            all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0
        11506   13M            all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
     [root@gateway shorewall]#</pre><p>Here's how the same example would be constructed on an HTTP server
    with only one interface (eth0).</p><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>READ THE ABOVE CAREFULLY -- IT SAYS <span class="bold"><strong>SERVER</strong></span>. If you want to account for web browsing,
      you have to reverse the rules below.</p></div><pre class="programlisting">        #ACTION         CHAIN   SOURCE  DESTINATION     PROTOCOL        DEST            SOURCE
        #                                                               PORT            PORT
        web             -       eth0    -               tcp             80
        web             -       -       eth0            tcp             -               80
        web             -       eth0    -               tcp             443
        web             -       -       eth0            tcp             -               443
        COUNT           web     eth0
        COUNT           web     -       eth0</pre><p>Note that with only one interface, only the SOURCE (for input rules)
    or the DESTINATION (for output rules) is specified in each rule.</p><p>Here's the output:</p><pre class="programlisting">     [root@mail shorewall]# shorewall show accounting web
     Shorewall-1.4.7 Chains accounting web at mail.shorewall.net - Sun Oct 12 10:27:21 PDT 2003

     Counters reset Sat Oct 11 08:12:57 PDT 2003

     Chain accounting (3 references)
      pkts bytes target     prot opt in     out     source               destination
      8767  727K web        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0          tcp dpt:80
     11506   13M web        tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0          tcp spt:80
         0     0 web        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0          tcp dpt:443
         0     0 web        tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0          tcp spt:443

     Chain web (4 references)
      pkts bytes target     prot opt in     out     source               destination
      8767  727K            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
     11506   13M            all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
     [root@mail shorewall]#</pre><p>For an example of integrating Shorewall Accounting with MRTG, see
    <a class="ulink" href="http://www.nightbrawler.com/code/shorewall-stats/" target="_self">http://www.nightbrawler.com/code/shorewall-stats/</a>.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Bridge"></a>Accounting with Bridges</h2></div></div></div><p>The structure of the accounting rules changes slightly when there
    are <a class="ulink" href="bridge-Shorewall-perl.html" target="_self">bridges</a> defined in the
    Shorewall configuration. Because of the restrictions imposed by Netfilter
    in kernel 2.6.21 and later, output accounting rules must be segregated
    from forwarding and input rules. To accomplish this separation,
    Shorewall-perl creates two accounting chains:</p><div class="itemizedlist"><ul type="disc"><li><p><span class="bold"><strong>accounting</strong></span> - for input and
        forwarded traffic.</p></li><li><p><span class="bold"><strong>accountout</strong></span> - for output
        traffic.</p></li></ul></div><p>If the CHAIN column contains “<span class="quote">-</span>”, then:</p><div class="itemizedlist"><ul type="disc"><li><p>If the SOURCE column in a rule includes the name of the firewall
        zone (e.g., $FW), then the default chain to insert the rule into is
        <span class="bold"><strong>accountout</strong></span> only.</p></li><li><p>Otherwise, if the DEST in the rule is <span class="bold"><strong>any</strong></span> or <span class="bold"><strong>all</strong></span> or
        0.0.0.0/0, then the rule is added to both <span class="bold"><strong>accounting</strong></span> and <span class="bold"><strong>accountout</strong></span>.</p></li><li><p>Otherwise, the rule is added to <span class="bold"><strong>accounting</strong></span> only.</p></li></ul></div></div></div></body></html>
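The column rules from the Accounting Basics section and the chain placement rules from the Accounting with Bridges section, as an added Python example that is not part of Shorewall or of this documentation: a linter that reads /etc/shorewall/accounting rows, reports the documented constraints a row violates (ACTION forms, port columns only with tcp/udp, USER/GROUP only when CHAIN is OUTPUT, the MARK syntax) and says which chain or chains each row would be added to. The sample file is constructed, the firewall zone is assumed to be written `$FW` as the page does, and the chain-name rule follows the Shorewall 1.4.8 and later description above.

```python
"""Lint /etc/shorewall/accounting rows against the column rules documented above.

Added example, not part of Shorewall. It encodes the documented constraints
(ACTION forms, port columns only for tcp/udp, USER/GROUP only with CHAIN OUTPUT,
the MARK syntax) and the chain placement rules from the bridge section. The
sample file and the fw_zone name "$FW" (the form the page uses) are assumptions.
"""
import re

COLUMNS = ["action", "chain", "source", "dest", "proto", "dport", "sport", "user", "mark"]
WILDCARDS = {"-", "any", "all"}   # wild-cards in every column except ACTION and CHAIN
CHAIN_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")   # letters, digits, '_', '.', '-' (1.4.8+)
MARK_RE = re.compile(r"^!?(0x[0-9a-fA-F]+|\d+)(/(0x[0-9a-fA-F]+|\d+))?(:C)?$")  # [!]<value>[/<mask>][:C]

# Constructed sample: two deliberate mistakes (lines 5 and 8) among otherwise valid rules.
SAMPLE = """\
#ACTION    CHAIN   SOURCE  DEST  PROTO  DPORT  SPORT  USER   MARK
web:COUNT  -       eth0    eth1  tcp    80
web:COUNT  -       eth1    eth0  tcp    -      80
COUNT      OUTPUT  $FW     -     udp    53     -      :kids
DONE       -       $FW     all   icmp   8
COUNT      -       eth0    all   tcp    22
COUNT      -       eth0    eth1  tcp    443    -      -      !1/0xff:C
COUNT      -       eth0    eth1  tcp    443    -      :kids  3/x
DONE       web
"""


def parse_rule(line):
    """Split one rule line into a dict keyed by column; absent trailing columns become '-'."""
    row = dict.fromkeys(COLUMNS, "-")
    row.update(zip(COLUMNS, line.split()))
    return row


def lint_rule(row):
    """Return the list of documented constraints this rule violates (empty means acceptable)."""
    problems = []
    action = row["action"]
    base = action.split(":", 1)[0]
    if base not in ("COUNT", "DONE") and (
            not CHAIN_NAME_RE.match(base) or action[len(base):] not in ("", ":COUNT")):
        problems.append(f"ACTION {action!r} is not COUNT, DONE or <chain>[:COUNT]")
    proto = row["proto"].lower()
    if row["dport"] not in WILDCARDS and proto not in ("tcp", "udp", "6", "17", "ipp2p"):
        problems.append("DEST PORT needs PROTOCOL tcp/udp (or ipp2p, where it is an ipp2p option)")
    if row["sport"] not in WILDCARDS and proto not in ("tcp", "udp", "6", "17"):
        problems.append("SOURCE PORT needs PROTOCOL tcp or udp")
    if row["user"] not in WILDCARDS and row["chain"] != "OUTPUT":
        problems.append("USER/GROUP may only be set when CHAIN is OUTPUT")
    if row["mark"] not in WILDCARDS and not MARK_RE.match(row["mark"]):
        problems.append(f"MARK {row['mark']!r} does not match [!]<value>[/<mask>][:C]")
    return problems


def target_chains(row, bridges, fw_zone="$FW"):
    """Chains the rule is added to: the CHAIN column if given, else 'accounting', or, with
    bridges defined, the accounting/accountout split described in the bridge section."""
    if row["chain"] not in ("", "-"):
        return [row["chain"]]
    if not bridges:
        return ["accounting"]
    if fw_zone in row["source"].split(":"):       # SOURCE names the firewall zone
        return ["accountout"]
    if row["dest"] in ("any", "all", "0.0.0.0/0"):
        return ["accounting", "accountout"]
    return ["accounting"]


def lint_file(text, bridges=False):
    """Lint every rule line; returns (line_number, row, problems, chains) tuples."""
    report = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        row = parse_rule(line)
        if row["action"] == "COMMENT":
            continue  # free text attached to the following rules (Shorewall-perl)
        report.append((number, row, lint_rule(row), target_chains(row, bridges)))
    return report


if __name__ == "__main__":
    for number, row, problems, chains in lint_file(SAMPLE, bridges=True):
        status = "; ".join(problems) or "ok"
        print(f"line {number}: {row['action']} -> {','.join(chains)}: {status}")
```

Running the script prints one line per rule; with `bridges=True` the `$FW` row moves to `accountout` and the `DEST all` row is listed under both chains, which is the placement the bridge section describes.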
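The `shorewall show` listings in the Accounting Basics section, as an added Python example that is not Shorewall's own code: a parser for the Netfilter counter table that `shorewall show <chain>` prints, which turns the per-rule rows into a breakdown of bytes per interface direction and cross-checks that what the `accounting` chain jumped into `web` equals what `web` counted itself. The sample text is constructed from the page's second listing; the K/M/G suffixes are the rounded decimal units iptables prints for large counters, so the parsed figures are approximations unless the counters are shown in exact form.

```python
"""Parse `shorewall show <chain>` listings like the ones above and summarize them.

Added example, not Shorewall's own code. The sample text below is constructed from
the page's second listing. Large counters carry the rounded K/M/G suffixes that
iptables prints (decimal thousands), so the parsed numbers approximate the real
byte counts.
"""
import re

SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
COUNTER_RE = re.compile(r"^(\d+)([KMG]?)$")
CHAIN_RE = re.compile(r"^Chain (\S+) \(")
OPT_VALUES = {"--", "f", "!f"}   # the 'opt' column; tells whether a target column is present

SAMPLE = """\
Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - Wed Aug 20 10:27:21 PDT 2003

Counters reset Wed Aug 20 10:24:33 PDT 2003

Chain accounting (3 references)
    pkts bytes target     prot opt in     out     source               destination
    8767  727K web        tcp  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0          tcp dpt:80
       0     0 web        tcp  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0          tcp dpt:443
   11506   13M web        tcp  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0          tcp spt:80
       0     0 web        tcp  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0          tcp spt:443

Chain web (4 references)
    pkts bytes target     prot opt in     out     source               destination
    8767  727K            all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0
   11506   13M            all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
[root@gateway shorewall]#
"""


def counter(text):
    """Turn '727K' or '13M' into an integer (rounded decimal units, as iptables prints them)."""
    m = COUNTER_RE.match(text)
    if not m:
        raise ValueError(f"not a counter: {text!r}")
    return int(m.group(1)) * SUFFIX[m.group(2)]


def parse_counter_row(line):
    """Parse one rule row. The target column is blank for plain COUNT rules, so the layout
    is recognised by where the 'opt' column ('--', 'f' or '!f') sits."""
    t = line.split()
    if t[3] in OPT_VALUES:            # pkts bytes prot opt in out src dst ...
        target, rest = "", t[2:]
    else:                             # pkts bytes target prot opt in out src dst ...
        target, rest = t[2], t[3:]
    prot, opt, ifin, ifout, src, dst = rest[:6]
    return {"pkts": counter(t[0]), "bytes": counter(t[1]), "target": target, "prot": prot,
            "in": ifin, "out": ifout, "src": src, "dst": dst, "match": " ".join(rest[6:])}


def parse_show(text):
    """Return {chain_name: [rows]} for every chain in the listing; banner, header and
    prompt lines are skipped because only counter rows start with a digit."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(line)
        if m:
            current = chains.setdefault(m.group(1), [])
        elif current is not None and line[:1].isdigit():
            current.append(parse_counter_row(line))
    return chains


def bytes_by_direction(rows):
    """Sum bytes per (in, out) interface pair, the breakdown the 'web' chain gives."""
    totals = {}
    for r in rows:
        key = (r["in"], r["out"])
        totals[key] = totals.get(key, 0) + r["bytes"]
    return totals


def chains_agree(chains, parent, child):
    """Sanity check: bytes the parent chain jumped into `child` equal what `child` counted."""
    jumped = bytes_by_direction([r for r in chains[parent] if r["target"] == child])
    return jumped == bytes_by_direction(chains[child])


if __name__ == "__main__":
    chains = parse_show(SAMPLE)
    for name, rows in chains.items():
        print(name, bytes_by_direction(rows))
    print("parent/child counters agree:", chains_agree(chains, "accounting", "web"))
```

The same parser works on the first listing above, where the `web` chain ends in a `RETURN` rule with `*` interfaces; that row simply appears under the `('*', '*')` key.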