Difference between revisions of "Traffic accounting with iptables"
(Adding this article to Networking and HOWTO category) |
(VPS->VE, some spelling/grammar/wording fixes) |
||
| Line 1: | Line 1: | ||
| − | Suppose you need to know how much traffic | + | Suppose you need to know how much traffic your [[VE]]s eat. It can be easily done |
using iptables. | using iptables. | ||
== Situation description == | == Situation description == | ||
| − | + | Let's consider the very simple situation: one VE with one IP address on the [[Hardware Node]] | |
| − | with only one interface. To be more exact assume that | + | with only one network interface. To be more exact, assume that [[VE]] ID is <tt>200</tt>, the IP address of the [[HN]] |
| − | is <tt>192.168.0.56</tt>, interface name is <tt>eth0</tt>, | + | is <tt>192.168.0.56</tt>, the network interface name is <tt>eth0</tt>, and the IP address of the [[VE]] is <tt>192.168.0.117</tt>. |
| − | + | ||
| + | You wish to know how much bytes VE 200 eats. One more assumption that ther is no iptables rules | ||
on HN now. All these assumption are only for clarity! | on HN now. All these assumption are only for clarity! | ||
== Solution == | == Solution == | ||
| − | Almost any trafic that goes to and from | + | Almost any trafic that goes to and from a VE can be catched by FORWARD chain of iptables module in [[VE0]], |
thus we add such rules: | thus we add such rules: | ||
<pre> | <pre> | ||
| Line 16: | Line 17: | ||
# iptables -A FORWARD -d 192.168.0.117 | # iptables -A FORWARD -d 192.168.0.117 | ||
</pre> | </pre> | ||
| − | It means | + | It means that all traffic forwarded to IP 192.168.0.117 and from IP 192.168.0.117 will be accounted. |
| − | To obtain current traffic usage of | + | To obtain current traffic usage of VE you can issue the command: |
<pre> | <pre> | ||
# iptables -nv -L FORWARD | # iptables -nv -L FORWARD | ||
| Line 25: | Line 26: | ||
15 1052 all -- * * 0.0.0.0/0 192.168.0.117 | 15 1052 all -- * * 0.0.0.0/0 192.168.0.117 | ||
</pre> | </pre> | ||
| − | + | '''Bytes''' column is the column we need. It's worth to say, that restarting a VE doesn't affect accounting, | |
| − | it remains right. But if you restart your node all rules and consequently statistics are | + | it remains right. But if you restart your [[hardware node]], all the rules and consequently statistics are dropped. |
| − | + | So it is recommended to | |
| − | iptables rules on HN start. | + | * run some cron job that dumps statistics to some file |
| + | * add init script that creates iptables rules on [[HN]] start. | ||
| − | As is easy to see, it's not per | + | As is easy to see, it's not per-VE statistic, but rather per-IP statistic. Thus you must be careful |
| − | then changing | + | then changing VE IP addresses, otherwise you'll get mess of results. |
| − | + | By saying ''almost any trafic'' I mean that traffic between a [[VE]] and [[VE0]] is not accounted by rules above. | |
| − | can | + | Not sure if it can be useful for anybody, but to account such traffic these rules are needed: |
<pre> | <pre> | ||
iptables -I INPUT 1 -i venet0 -d 192.168.0.117 | iptables -I INPUT 1 -i venet0 -d 192.168.0.117 | ||
iptables -I OUTPUT 1 -o venet0 -s 192.168.0.117 | iptables -I OUTPUT 1 -o venet0 -s 192.168.0.117 | ||
</pre> | </pre> | ||
| + | |||
To observe results: | To observe results: | ||
<pre> | <pre> | ||
| − | + | # iptables -nv -L INPUT | |
Chain INPUT (policy ACCEPT 542 packets, 63745 bytes) | Chain INPUT (policy ACCEPT 542 packets, 63745 bytes) | ||
pkts bytes target prot opt in out source destination | pkts bytes target prot opt in out source destination | ||
35 4533 all -- venet0 * 0.0.0.0/0 192.168.0.117 | 35 4533 all -- venet0 * 0.0.0.0/0 192.168.0.117 | ||
| − | + | # iptables -nv -L OUTPUT | |
Chain OUTPUT (policy ACCEPT 247 packets, 27847 bytes) | Chain OUTPUT (policy ACCEPT 247 packets, 27847 bytes) | ||
pkts bytes target prot opt in out source destination | pkts bytes target prot opt in out source destination | ||
| Line 57: | Line 60: | ||
you can just replace the rule with the same rule: | you can just replace the rule with the same rule: | ||
<pre> | <pre> | ||
| − | + | # iptables -nv -L FORWARD | |
Chain FORWARD (policy ACCEPT 101 packets, 10715 bytes) | Chain FORWARD (policy ACCEPT 101 packets, 10715 bytes) | ||
pkts bytes target prot opt in out source destination | pkts bytes target prot opt in out source destination | ||
44 5151 all -- * * 192.168.0.117 0.0.0.0/0 | 44 5151 all -- * * 192.168.0.117 0.0.0.0/0 | ||
57 5564 all -- * * 0.0.0.0/0 192.168.0.117 | 57 5564 all -- * * 0.0.0.0/0 192.168.0.117 | ||
| − | + | # iptables -R FORWARD 1 -s 192.168.0.117 | |
| − | + | # iptables -nv -L FORWARD | |
Chain FORWARD (policy ACCEPT 101 packets, 10715 bytes) | Chain FORWARD (policy ACCEPT 101 packets, 10715 bytes) | ||
pkts bytes target prot opt in out source destination | pkts bytes target prot opt in out source destination | ||
| Line 73: | Line 76: | ||
Well, now, when we know how to work in the easiest case, we'll try to understand what to do in | Well, now, when we know how to work in the easiest case, we'll try to understand what to do in | ||
more complicated situations. | more complicated situations. | ||
| − | * More than one | + | * More than one VE on the node |
| − | Just add the rules like above for each | + | Just add the rules like above for each VE IP. |
| − | * More than one IP per | + | * More than one IP per VE. |
For each IP add the rules like above. When counting the complete traffic | For each IP add the rules like above. When counting the complete traffic | ||
| − | of | + | of a VE you have to summarize over all IPs that this VE owns. |
* More interfaces on the HN. | * More interfaces on the HN. | ||
Nothing to do! :) | Nothing to do! :) | ||
== Scripting == | == Scripting == | ||
| − | As you see this way can be time-consuming in case of big | + | As you see this way can be time-consuming in case of big number of VEs. |
So if anybody has scripts that automate all the process - you are welcome! | So if anybody has scripts that automate all the process - you are welcome! | ||
[[Category: HOWTO]] | [[Category: HOWTO]] | ||
[[Category: Networking]] | [[Category: Networking]] | ||
Revision as of 10:21, 14 June 2006
Suppose you need to know how much traffic your VEs eat. It can be easily done using iptables.
Situation description
Let's consider the very simple situation: one VE with one IP address on the Hardware Node with only one network interface. To be more exact, assume that VE ID is 200, the IP address of the HN is 192.168.0.56, the network interface name is eth0, and the IP address of the VE is 192.168.0.117.
You wish to know how much bytes VE 200 eats. One more assumption that ther is no iptables rules on HN now. All these assumption are only for clarity!
Solution
Almost any trafic that goes to and from a VE can be catched by FORWARD chain of iptables module in VE0, thus we add such rules:
# iptables -A FORWARD -s 192.168.0.117 # iptables -A FORWARD -d 192.168.0.117
It means that all traffic forwarded to IP 192.168.0.117 and from IP 192.168.0.117 will be accounted. To obtain current traffic usage of VE you can issue the command:
# iptables -nv -L FORWARD
Chain FORWARD (policy ACCEPT 243 packets, 28089 bytes)
pkts bytes target prot opt in out source destination
8 832 all -- * * 192.168.0.117 0.0.0.0/0
15 1052 all -- * * 0.0.0.0/0 192.168.0.117
Bytes column is the column we need. It's worth to say, that restarting a VE doesn't affect accounting, it remains right. But if you restart your hardware node, all the rules and consequently statistics are dropped. So it is recommended to
- run some cron job that dumps statistics to some file
- add init script that creates iptables rules on HN start.
As is easy to see, it's not per-VE statistic, but rather per-IP statistic. Thus you must be careful then changing VE IP addresses, otherwise you'll get mess of results.
By saying almost any trafic I mean that traffic between a VE and VE0 is not accounted by rules above. Not sure if it can be useful for anybody, but to account such traffic these rules are needed:
iptables -I INPUT 1 -i venet0 -d 192.168.0.117 iptables -I OUTPUT 1 -o venet0 -s 192.168.0.117
To observe results:
# iptables -nv -L INPUT Chain INPUT (policy ACCEPT 542 packets, 63745 bytes) pkts bytes target prot opt in out source destination 35 4533 all -- venet0 * 0.0.0.0/0 192.168.0.117 # iptables -nv -L OUTPUT Chain OUTPUT (policy ACCEPT 247 packets, 27847 bytes) pkts bytes target prot opt in out source destination 48 4724 all -- * venet0 192.168.0.117 0.0.0.0/0
If you need to zero counters this command works:
# iptables -Z
The disadvantage is that doing this way you zero all counters in all rules. If it's undesrable for you, you can just replace the rule with the same rule:
# iptables -nv -L FORWARD
Chain FORWARD (policy ACCEPT 101 packets, 10715 bytes)
pkts bytes target prot opt in out source destination
44 5151 all -- * * 192.168.0.117 0.0.0.0/0
57 5564 all -- * * 0.0.0.0/0 192.168.0.117
# iptables -R FORWARD 1 -s 192.168.0.117
# iptables -nv -L FORWARD
Chain FORWARD (policy ACCEPT 101 packets, 10715 bytes)
pkts bytes target prot opt in out source destination
0 0 all -- * * 192.168.0.117 0.0.0.0/0
57 5564 all -- * * 0.0.0.0/0 192.168.0.117
More complicated cases
Well, now, when we know how to work in the easiest case, we'll try to understand what to do in more complicated situations.
- More than one VE on the node
Just add the rules like above for each VE IP.
- More than one IP per VE.
For each IP add the rules like above. When counting the complete traffic of a VE you have to summarize over all IPs that this VE owns.
- More interfaces on the HN.
Nothing to do! :)
Scripting
As you see this way can be time-consuming in case of big number of VEs. So if anybody has scripts that automate all the process - you are welcome!
