Changes

Jump to: navigation, search

Traffic accounting with iptables

76 bytes removed, 10:21, 14 June 2006
VPS->VE, some spelling/grammar/wording fixes
Suppose you need to know how much traffic VPS eatsyour [[VE]]s eat. It can be easily done
using iptables.
== Situation description ==
Lets Let's consider the very simple situation: one VPS VE with one IP address on the [[Hardware Node (HN)]]with only one network interface. To be more exact , assume that VPS id [[VE]] ID is <tt>200</tt>, ip the IP address of the [[HN]]is <tt>192.168.0.56</tt>, the network interface name is <tt>eth0</tt>, ip and the IP address of VPS the [[VE]] is <tt>192.168.0.117</tt>.And you You wish to know how much bytes 200th VPS VE 200 eats. One more assumption that ther is no iptables rules
on HN now. All these assumption are only for clarity!
== Solution ==
Almost any trafic that goes to and from vps a VE can be catched from by FORWARD chain of iptables module in [[VE0]],
thus we add such rules:
<pre>
# iptables -A FORWARD -d 192.168.0.117
</pre>
It means, that all traffic forwarded to ip IP 192.168.0.117 and from ip IP 192.168.0.117 will be accounted.To obtain current traffic usage of VPS VE you can give issue the command:
<pre>
# iptables -nv -L FORWARD
15 1052 all -- * * 0.0.0.0/0 192.168.0.117
</pre>
"'''Bytes" ''' column is the column we need. It's worth to say, that restarting VPS a VE doesn't affect accounting,it remains right. But if you restart your [[hardware node ]], all the rules and consequently statistics are dropeddropped. So it'sis recommended torecomended to * run some cron job that dumps statistic on hard drive and also statistics to some file* add init script that createsiptables rules on [[HN ]] start.
As is easy to see, it's not per VPS -VE statistic, but rather per -IP statistic. Thus you must be carefullcarefulthen changing IPs of VPSsVE IP addresses, otherwise you'll get mess of results.
Saing "By saying ''almost any trafic", '' I mean, that traffic between a [[VE ]] and and [[VE0 isn't ]] is not accounted by rules above. Don't knowNot sure if it can it be useful for anybody, but to account such traffic these rules passare needed:
<pre>
iptables -I INPUT 1 -i venet0 -d 192.168.0.117
iptables -I OUTPUT 1 -o venet0 -s 192.168.0.117
</pre>
 
To observe results:
<pre>
[root@dhcp0-56 traffic_accounting]# iptables -nv -L INPUT
Chain INPUT (policy ACCEPT 542 packets, 63745 bytes)
pkts bytes target prot opt in out source destination
35 4533 all -- venet0 * 0.0.0.0/0 192.168.0.117
[root@dhcp0-56 traffic_accounting]# iptables -nv -L OUTPUT
Chain OUTPUT (policy ACCEPT 247 packets, 27847 bytes)
pkts bytes target prot opt in out source destination
you can just replace the rule with the same rule:
<pre>
[root@dhcp0-56 traffic_accounting]# iptables -nv -L FORWARD
Chain FORWARD (policy ACCEPT 101 packets, 10715 bytes)
pkts bytes target prot opt in out source destination
44 5151 all -- * * 192.168.0.117 0.0.0.0/0
57 5564 all -- * * 0.0.0.0/0 192.168.0.117
[root@dhcp0-56 traffic_accounting]# iptables -R FORWARD 1 -s 192.168.0.117[root@dhcp0-56 traffic_accounting]# iptables -nv -L FORWARD
Chain FORWARD (policy ACCEPT 101 packets, 10715 bytes)
pkts bytes target prot opt in out source destination
Well, now, when we know how to work in the easiest case, we'll try to understand what to do in
more complicated situations.
* More than one VPS VE on the nodeJust add the rules like above for each VPS's VE IP.* More than one IP per VPSVE.
For each IP add the rules like above. When counting the complete traffic
of VPS a VE you have to summarize over all IPs that this VPS VE owns.
* More interfaces on the HN.
Nothing to do! :)
== Scripting ==
As you see this way can be time-consuming in case of big amount number of VPSsVEs.
So if anybody has scripts that automate all the process - you are welcome!
[[Category: HOWTO]]
[[Category: Networking]]
Retrieved from "https://wiki.openvz.org/Special:MobileDiff/1664"

Navigation menu