
I'm trying to use iptables counters with munin to monitor traffic of hosts on my local subnet. For each host I set up a rule like this:

iptables -I OUTPUT -d $ip

This should count the packets going from firewall to $ip, correct?

I found out that this does not seem to count all packets. I start tcpdump on my router (Linux) and I see packets to $ip that are not counted.

For example I check the number of packets for the rule for my phone's IP. I start tcpdump, refresh Gmail on my phone, I see packets in tcpdump's output but the iptables rule counters are not incremented. Then I open a web page on the same phone and the counters are incremented.

What could be the reason?

mehturt

1 Answer

The OUTPUT chain is used by packets output from the firewall itself.

The chain you want to use is FORWARD, which is used by packets forwarded by the firewall.

Tero Kilkanen
  • Thanks, that makes sense. I read about this here http://backreference.org/2010/07/31/munin-traffic-accounting-with-iptables/ and here http://munin-monitoring.org/browser/munin-contrib/plugins/network/accounting_ and the examples don't mention FORWARD. Care to explain what would be the difference between counters for OUTPUT and FORWARD in my case? – mehturt Aug 21 '14 at 22:20
  • `OUTPUT` chain applies only to packets that are sent from a program running inside the firewall, while `FORWARD` applies to packets forwarded by the firewall. – Tero Kilkanen Aug 21 '14 at 22:44
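The following script is an added example illustrating the accepted answer; it is not code from the question, the answer, or the munin accounting plugins linked above. It builds the per-host counting rules in a dedicated chain hooked into FORWARD (where traffic the router relays between the LAN and the Internet is seen) rather than OUTPUT (which only sees packets generated by the router itself), and it parses the counter output into munin fieldname.value lines. The chain name acct_hosts, the host list, and the sample counter output are constructed for illustration; the iptables commands are printed rather than executed so the script runs unprivileged.

```shell
#!/bin/sh
# Added example, not code from the original post or the munin plugins.
# Traffic accounting for hosts behind a Linux router must hook FORWARD
# (relayed traffic), not OUTPUT (traffic originating on the router itself).
# Chain name, host list and sample counter output are constructed here.

ACCT_CHAIN="acct_hosts"            # assumption: a dedicated user chain for counters
HOSTS="192.168.1.10 192.168.1.11"  # assumption: hosts on the local subnet

# Print the iptables commands that build the counting chain and hook it
# into FORWARD. Printed, not executed, so this runs as a normal user;
# review the output, then pipe it through sh as root on the router.
acct_rules() {
    echo "iptables -N $ACCT_CHAIN 2>/dev/null || iptables -F $ACCT_CHAIN"
    # -C checks whether the jump already exists; -I FORWARD would otherwise
    # add a duplicate jump each time the script runs.
    echo "iptables -C FORWARD -j $ACCT_CHAIN 2>/dev/null || iptables -I FORWARD -j $ACCT_CHAIN"
    for ip in $HOSTS; do
        # A rule without -j only counts and falls through, so the existing
        # filtering policy is untouched. One rule per direction.
        echo "iptables -A $ACCT_CHAIN -d $ip"   # Internet -> host (download)
        echo "iptables -A $ACCT_CHAIN -s $ip"   # host -> Internet (upload)
    done
}

# Convert 'iptables -L acct_hosts -vnx' output (read from stdin) into munin
# fieldname.value lines: <ip>_in.value <bytes> for -d rules and
# <ip>_out.value <bytes> for -s rules. Count-only rules have an empty
# 'target' column, so the number of fields varies between rules; anchoring
# on $1/$2 (pkts/bytes) and $(NF-1)/$NF (source/destination) works either way.
parse_counters() {
    awk '
        $1 ~ /^[0-9]+$/ {
            src = $(NF-1); dst = $NF
            if (dst != "0.0.0.0/0")      { ip = dst; dir = "in" }
            else if (src != "0.0.0.0/0") { ip = src; dir = "out" }
            else next
            gsub(/\./, "_", ip)          # munin field names may not contain dots
            printf "%s_%s.value %s\n", ip, dir, $2
        }'
}

# Constructed sample of 'iptables -L acct_hosts -vnx' output, as the kernel
# would report it after some packets had been forwarded to and from .10.
SAMPLE_OUTPUT='Chain acct_hosts (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      12       9480            all  --  *      *       0.0.0.0/0            192.168.1.10
       9       1203            all  --  *      *       192.168.1.10         0.0.0.0/0
       0          0            all  --  *      *       0.0.0.0/0            192.168.1.11
       0          0            all  --  *      *       192.168.1.11         0.0.0.0/0'

# Usage: ./acct.sh rules | sudo sh        (install the FORWARD accounting rules)
#        ./acct.sh                         (parse the constructed sample)
# On a live router replace the sample with: iptables -L "$ACCT_CHAIN" -vnx
if [ "${1:-}" = "rules" ]; then
    acct_rules
else
    printf '%s\n' "$SAMPLE_OUTPUT" | parse_counters
fi
```

Note that the -d rule in the question's setup would only have counted the phone's traffic if the phone's peer had been a process on the router itself; when the phone talks to Gmail through the router, the packets traverse PREROUTING, FORWARD and POSTROUTING and never enter OUTPUT, which is exactly why tcpdump saw them and the OUTPUT counter did not.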