For the last few days I have been looking for a bandwidth monitoring tool that is more efficient, accurate, and complete than IPFM. I found so many bandwidth monitoring tools (bandwidthd, ipband, darkstat, and a few others) on Google but couldn’t find one that fits what I want. In fact, IPFM suits me better than the others.
While I was reading iptables’ man page, I accidentally came across ‘account’ under ‘MATCH EXTENSIONS’. After reading the brief description and example, I got excited! This iptables match extension provides exactly what I need! With the flexibility of iptables’ rules plus the account match extension, this has to be the best solution for my new bandwidth monitoring system. There is one problem though. Fedora Core doesn’t have it. 🙁
With some experience I got from installing ipp2p by hand, I started trying to make this iptables match extension work on my Fedora Core 6 server. First, I used Google to locate ipt_account’s website. Then I used Google to search for some install guides on ipt_account but couldn’t find any, so I went through its website and found something.
Since I have prepared my system with kernel & iptables source tree, rpmbuild, etc. (basically everything required to build ipp2p modules), I will not go over the “ingredients” again. Sorry!
Download the kernel and iptables patches from this page. Patch the kernel tree:
- cd /usr/src/redhat/BUILD/kernel-2.6.19/linux-2.6.19.i386/
- patch -p1 < path_to_kernel_patch
You should see the following:
patching file include/linux/netfilter_ipv4/ipt_account.h
patching file net/ipv4/netfilter/ipt_account.c
patching file net/ipv4/netfilter/Kconfig
patching file net/ipv4/netfilter/Makefile
OK, now the kernel tree is patched. Now do make oldconfig. You will be asked:
account match support (IP_NF_MATCH_ACCOUNT) [N/m/?] (NEW)
Since this will be a kernel module, hit m. Once the process has finished, do make scripts/kconfig/ (if you haven’t previously during ipp2p module build process). Create a temporary directory somewhere (e.g. /tmp/ipt). Copy /usr/src/redhat/BUILD/kernel-2.6.19/linux-2.6.19.i386/net/ipv4/netfilter/ipt_account.c into that directory and create a file named Makefile. Paste the following into Makefile:
obj-m := ipt_account.o
KDIR := /usr/src/redhat/BUILD/kernel-2.6.19/linux-2.6.19.i386/
PWD := $(shell pwd)
$(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules
Make sure that there is a tab before $(MAKE). Save the file and execute make. If the compile process goes well, there will be a file named ipt_account.ko in the directory. Load the module by using insmod. Check lsmod to see the newly loaded module.
If you have got this far, that means your kernel now supports ipt_account. Now we will add ipt_account extension for iptables. To see if your iptables has ipt_account support, do iptables -m account. If it prints out something like “Couldn’t load match `account’: …”, that means there is no iptables account extension yet.
Let’s patch iptables source tree:
- cd /usr/src/redhat/BUILD/iptables-1.3.5
- patch -p1 < path_to_iptables_patch
Expect the following:
patching file extensions/libipt_account.c
Open extensions/Makefile, on line 8, add account before ah. Then compile the ipt_account’s extension:
cc -O2 -Wall -Wunused -I/usr/src/redhat/BUILD/kernel-2.6.19/linux-2.6.19.i386/include -Iinclude/ -DIPTABLES_VERSION=\”1.3.5\” -fPIC -o extensions/libipt_account_sh.o -c extensions/libipt_account.c
cc -shared -o extensions/libipt_account.so extensions/libipt_account_sh.o
Copy extensions/libipt_account.so to /lib/iptables and verify the extension: iptables -m account. That’s it! Pretty easy, eh? 🙂
Read this page to test the new iptables account match extension. Enjoy!
3 thoughts on “ipt_account HOWTO for Fedora Core 6”
Thanks a lot for this publication. I am a self taught Linux admin. I was looking for one-stop solution for firewall, traffic monitoring, traffic sahping, load balancing on a single linux box. you got me much more nearer to my desired goal.
All the links in this post are very-much relevent to my objectives.
Many many Thanks
You’re welcome! Actually I haven’t implemented this on my production server. Currently it’s still running IPFM.
At the moment I’m looking for a tool (something like iptraf or trafshow), which taps the interface and shows real-time (may be accumulative) statistics on a specified IP address. Unfortunately trafshow and iptraf monitor per-flow instead of per-IP (total per IP address). A real-time IPFM would be nice too if there were one. 🙂