Iptables is a powerful firewall/packet filtering framework inside Linux, and obviously used for firewalls on desktop, servers, and even embedded Linux devices such as most home internet routers. I was asked to write a script that could monitor and report network usage on one of our machines at work.
I took on the challenge and after searching package repositories and Google for cool Linux console apps that will report network usage, I came came across the idea of using iptables.. seeing as I love iptables, and it is installed by default on most machines it was the perfect solution for us.
Iptables can be thought of a bunch of tables each containing some lists of rules called “chains”. There are some default chains which packets must progress through depending on the packets origin and destination. The main and default table that most people use is the ‘filter’ table, the default chains are:
- INPUT – Packets coming to the machine from the network.
- OUTPUT – Packets leaving your machine,
- FORWARD – Packets passing through your machine, if your machine routes packets.
Each of these chains have a default policy, that is what should happen if there is no rules or no rules matching the packet, this is either:
- ACCEPT – Allow the packet into the machine.
- DROP – Drop the packet,
Now the default chains cannot be changed, the packets will work through one of those chains, we can add any rules we want to filter these packets. Netfilter/iptables tracks the amount of data running through chains. So if you want to track all your incoming network usage you can just use the INPUT chain, but if we want to track more specific traffic, we can create a custom chain, add a rule to pass the specific packets to this new chain, and thus monitor the specific traffic! Easy huh!
Before I go into the script and specific iptables configuration I’ll show you readers some useful itptables commands:
- To see the manual page on iptables: man iptables
- To list the rules on the default (filter) table: iptables -L
- To list rules on other tables: iptables -t <tablename> -L
NOTE: If you add a -v you can see packet and byte counts.
Now we move onto what I did.
Network script and setup
I mentioned some iptables commands in the last section, so now I will describe the iptables command I use in the script for reporting:
iptables -L -n -x -v --line-numbers
The options mean:
- -L = List the rules
- -n = Do not do a DNS lookup, just show numbers
- -x = use exact byte values, don’t convert to M or G, this is needed to ease the maths.
- -v = verbose output, to actually show the counts
- –line-numbers = The script inserts rules as to not disrupt other iptables rules that it doesn’t control so we need to know the rule number.
With the reporting explained let now talk about how we setup iptables, this is just the theory, the script actually sets it up for you, but as you will have different requirements you’ll need to know
In this example we will only be only worried about monitoring things going through a proxy, which we’ll call 192.168.1.10 and traffic not coming from our local network, not via the proxy (not on 192.168.1.0/24). As the we get the required byte counts from the rule on the INPUT chain, we can use 1 custom chain for both types of traffic. So the first step is to create the custom chain and then add rules to match these packets:
iptables -N DOWNLOADED
Then we add a rule for each of the traffic conditions we want to track:
# Proxy rule
iptables -I INPUT 1 -s 192.168.1.10 -j DOWNLOADED
# Not our network rule
iptables -I INPUT 1 ! -s 192.168.1.0/24 -j DOWNLOADED
The above rules break down like:
- -I INPUT 1 = Insert into the INPUT chain at index 1 (1 based).
- -s <ip address or network> = Source is from <ip address>, the ‘!’ means negate (read as ‘not’)
- -j DOWNLOADED = Jump or push this packet over to the DOWNLOADED chain.
See simple huh… ok maybe not, it is quite easy once you’ve used iptables for a while. Anyway, now that we have iptables set up I can talk about the script.
When ever the machine is rebooted or the chains flushed the counts will be zero’d out again, and as the chains only store the totals we need to keep track of the previous values so we can do a calculation. So I log the entries as three values (columns) separated by tabs:
date proxy bytes non-network bytes
The report I then generate says to usage since last check and current total, but the current total since when? In stead of having to parse the file since the last flush/reboot I simply have another file storing the last run with the following structure, similar to the log but containing the date of the last reset.
date proxy bytes non-network bytes total start date
Anyway without further adieu I’ll now present my script, it contains the reporting, and I have my own function that makes the report counts human readable:
#!/usr/bin/env python import sys import os import datetime from send_email import send_email # Global Variables PROXY = "192.168.1.10" NETWORK = "192.168.1.0/24" IPTABLES_CUSTOM_CHAIN = "DOWNLOADED" IPTABLES_CREATE_CHAIN = "iptables -N " + IPTABLES_CUSTOM_CHAIN IPTABLES_DELETE_CHAIN = "iptables -X " + IPTABLES_CUSTOM_CHAIN IPTABLES_PROXY_RULE = "INPUT %s -s " + PROXY + " -j " + IPTABLES_CUSTOM_CHAIN IPTABLES_NOT_NETWORK_RULE = "INPUT %s ! -s " + NETWORK + " -j " + IPTABLES_CUSTOM_CHAIN IPTABLES_REPORT_CMD = "iptables -L -n -x -v --line-numbers" # Result column indexes TIMESTAMP_IDX = 0 PROXY_IDX = 1 NOT_NETWORK_IDX = 2 TOTAL_START_IDX = 3 # Format of the folling files: date proxy bytes non-network bytes # NOTE: Seperated by tabs (\t) LAST_RESULT = "/home/dpadmin/matt/bin/netmon.last" RESULT_LOG = "/home/dpadmin/matt/bin/netmon.log" # Email reporting variables EMAIL_TO = ['firstname.lastname@example.org'] EMAIL_FROM = 'email@example.com' EMAIL_SUBJECT = 'Network Usage Report - %s' EMAIL_ATTACHMENTS =  EMAIL_SERVER = 'localhost' EMAIL_MSG = """Network usage between: %s and %s Proxy Traffic: Usage: %s Current Total: %s Non Network Traffic: Usage: %s Current Total: %s Total since: %s """ def human_readable(bytes): if bytes < 1024: return str(bytes) for x in 'K', 'M','G': bytes /= 1024.0 if bytes < 1024: return "%.2f%s" % (bytes, x) if bytes > 1024: return "%.2f%s" % (bytes, 'G') def make_human_readable(results): return (results, human_readable(results), human_readable(results)) def get_totals(): timestamp = generate_timestamp() result = os.popen(IPTABLES_REPORT_CMD) proxy_bytes = 0 network_bytes = 0 # Parse the output. # 1. Find "Chain INPUT" that way we know we have the right chain. # 2. Look for 1 and 2 in the first column, as they are our rules. # 3. Find out which one is the proxy one. # 4. return totals. start = False for line in result: if line.startswith("Chain INPUT"): start = True elif line.startswith("Chain"): start = False elif start: cols = line.split() if len(cols) != 0: if cols == '1' or cols == '2': # Found our rules if cols == PROXY: proxy_bytes = int(cols) else: network_bytes = int(cols) return (timestamp, proxy_bytes, network_bytes) def generate_timestamp(): d = datetime.datetime.now() datestr = "%d/%.2d/%.2d-%.2d:%.2d:%.2d" % (d.year, d.month, d.day, d.hour, d.minute, d.second) return datestr def get_last(): if os.path.exists(LAST_RESULT): lstFile = file(LAST_RESULT).readlines() result = lstFile.strip().split() result[PROXY_IDX] = int(result[PROXY_IDX]) result[NOT_NETWORK_IDX] = int(result[NOT_NETWORK_IDX]) return tuple(result) else: timestamp = generate_timestamp() return (timestamp, 0, 0, timestamp) def _cleanup_iptables(): os.system("iptables -D %s" % (IPTABLES_PROXY_RULE % (""))) os.system("iptables -D %s" % (IPTABLES_NOT_NETWORK_RULE % (""))) os.system(IPTABLES_DELETE_CHAIN) def start(): # Incase the rules alread exist lets remove them _cleanup_iptables() # Now we can add them os.system(IPTABLES_CREATE_CHAIN) os.system("iptables -I %s" % (IPTABLES_PROXY_RULE % ("1"))) os.system("iptables -I %s" % (IPTABLES_NOT_NETWORK_RULE % ("1"))) def stop(): # Delete the rules TOTAL_START_IDX _cleanup_iptables() def report(): last = get_last() # Now we need to get the byte totals from iptables. new_totals = get_totals() reset_detected = False proxy_usage = 0 not_network_usage = 0 total_start = last[TOTAL_START_IDX] if last[PROXY_IDX] > new_totals[PROXY_IDX]: # Counters must have been reset. reset_detected = True proxy_usage = new_totals[PROXT_IDX] not_network_usage = new_totals[NOT_NETWORK_IDX] total_start = new_totals[TIMESTAMP_IDX] else: # Do the calc proxy_usage = new_totals[PROXY_IDX] - last[PROXY_IDX] not_network_usage = new_totals[NOT_NETWORK_IDX] - last[NOT_NETWORK_IDX] result = (new_totals[TIMESTAMP_IDX],proxy_usage, not_network_usage) result_str = "Timestamp: %s Proxied: %s Off Network: %s" # Write out the new last totals to the log and last. last_file = file(LAST_RESULT, 'w') tmp_list =  tmp_list.extend(new_totals) tmp_list.append(total_start) last_file.write("%s\t%d\t%d\t%s\n" % tuple(tmp_list)) last_file.close() log = file(RESULT_LOG, 'a') log.write("%s\t%d\t%d\n" % new_totals) log.close() last = make_human_readable(last) new_totals = make_human_readable(new_totals) result = make_human_readable(result) print "Last Total - " + result_str % last print "New Total - " + result_str % new_totals print "New Usage - " + result_str % result if reset_detected: msg = " == RESET DETECTED! == \n" else: msg = "" # Send the email report msg += EMAIL_MSG % (last[TIMESTAMP_IDX],result[TIMESTAMP_IDX], result[PROXY_IDX], new_totals[PROXY_IDX], result[NOT_NETWORK_IDX], new_totals[NOT_NETWORK_IDX], total_start) send_email(EMAIL_FROM, EMAIL_TO, EMAIL_SUBJECT % (result[TIMESTAMP_IDX]), msg, EMAIL_ATTACHMENTS, EMAIL_SERVER) def main(args): if len(args) == 0: # Run report report() elif str(args).upper() == "CLEAR": stop() elif str(args).upper() == "FLUSH": stop() elif str(args).upper() == "STOP": stop() elif str(args).upper() == "INITIATE": start() elif str(args).upper() == "START": start() elif str(args).upper() == "INITIALISE": start() elif str(args).upper() == "REPORT": report() if __name__ == "__main__": main(sys.argv[1:])
The send email code looks like:
import smtplib import os from email.MIMEMultipart import MIMEMultipart from email.MIMEBase import MIMEBase from email.MIMEText import MIMEText from email.Utils import COMMASPACE, formatdate from email import Encoders def send_email(send_from, send_to, subject, text, files=, server="localhost"): assert type(send_to)==list assert type(files)==list msg = MIMEMultipart() msg['From'] = send_from msg['To'] = COMMASPACE.join(send_to) msg['Date'] = formatdate(localtime=True) msg['Subject'] = subject msg.attach( MIMEText(text) ) for f in files: part = MIMEBase('application', "octet-stream") part.set_payload( open(f,"rb").read() ) Encoders.encode_base64(part) part.add_header('Content-Disposition', 'attachment; filename="%s"' % os.path.basename(f)) msg.attach(part) smtp = smtplib.SMTP(server) smtp.sendmail(send_from, send_to, msg.as_string()) smtp.close()
The script will setup the iptables setup by:
To clean up iptables:
and finally to report:
If you wish to graph the log then using higher and higher totals might not be what you want, so here is another script which parses the totals log and turns each entry into the daily usage, in MB, rather then totals:
#!/usr/bin/env python import sys import os OUT_FILE = "netmon_graph.dat" def main(netmon_log): if not os.path.exists(netmon_log): print "Error %s doesn't exist!" % (netmon_log) sys.exit(1) inFile = file(netmon_log) outFile = file(OUT_FILE, 'w') outFile.write("%s\t%s\t%s\n" % ("Date", "Proxy", "Non-Network")) line = inFile.readline() lastProxyValue = 0 lastNetValue = 0 while len(line) > 0: #process cols = line.strip().split() if len(cols) == 3: date = cols proxy = long(cols) net = long(cols) if proxy < lastProxyValue or net < lastNetValue: lastProxyValue = 0 lastNetValue = 0 # Calc newProxy = proxy - lastProxyValue newNet = net - lastNetValue lastProxyValue = proxy lastNetValue = net # Convert to MBs newProxy = float(newProxy) / 1024.0 / 1024.0 newNet = float(newNet) / 1024.0 / 1024.0 outFile.write("%s\t%.2f\t%.2f\n" % (date, newProxy, newNet)) line = inFile.readline() inFile.close() outFile.close() if __name__ == "__main__": main(sys.argv)
Happy network monitoring!