added 3369 characters in body

My intention is to monitor traffic from/to wan. To achieve that, I want to calculate outgoing and ingoing bytes/second, with iptables counters as data source. Unluckily, I'm not able to understand what to do with FORWARD chain, although I'm aware of INPUT and OUTPUT. I'm focusing on iptables because it actually shows only IPv4 packets and bytes since I don't need Ethernet ones. My configuration scheme is: modem -> OpenWrt router

And here's my /etc/config/firewall file:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config forwarding
        option dest 'wan'
        option src 'lan'

If possible, please provide me an answer that works also with OpenWrt-based access points, not only routers. Thank you!


added 3 characters in body

My intention is to monitor traffic from/to wan. Unluckily, I'm not able to understand what to do with FORWARD chain, although I'm aware of INPUT and OUTPUT. I'm focusing on iptables because it actually shows only IPv4 packets and bytes since I don't need Ethernet ones.

If possible, please provide me an answer that works also with OpenWrt-based access points, not only routers. Thank you!



How to get RX and TX bytes querying iptables?

My intention is monitor traffic from/to wan. Unluckily, I'm not able to understand what to do with FORWARD chain, although I'm aware of INPUT and OUTPUT. I'm focusing on iptables because it actually shows only IPv4 packets and bytes since I don't need Ethernet ones.

If possible, please provide me an answer that works also with OpenWrt-based access points, not only routers. Thank you!