Need some help with counters in iptables on CentOS 7

KuJoe Member, Provider

Hey LETers, I have a rather dumb question that I'm not able to figure out. I'm trying to get bandwidth accounting working on CentOS 7 via iptables (firewalld was removed) but it doesn't work like it does on CentOS 6. Any ideas on what I need to do to get the counters in the FORWARD table to work correctly in CentOS 7?

Thanks in advance for any help you can provide! :)

-Joe @ SecureDragon - LEB's Powered by Wyvern in FL, CO, CA, IL, NJ, GA, OR, TX, and AZ
Need backup space? Check out BackupDragon

Comments

  • raindog308 Administrator, Moderator

    KuJoe said: Any ideas on what I need to do to get the counters in the FORWARD table to work correctly in CentOS 7?

    In order for the FORWARD chain to work correctly in CentOS 7, you need to repost your black friday offer.

    I read that right off the iptables man page.


  • KuJoe Member, Provider

    @raindog308 said:

    KuJoe said: Any ideas on what I need to do to get the counters in the FORWARD table to work correctly in CentOS 7?

    In order for the FORWARD chain to work correctly in CentOS 7, you need to repost your black friday offer.

    I read that right off the iptables man page.

    I so knew that was going to be the first reply to this thread. :P

  • What do you get with iptables -L -nvx ?

  • I would rewrite it as iptables -nvx -L FORWARD for brevity.

    Of course remove the FORWARD to get all the chains.
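An added example, not from any poster in the thread: a small summary over `iptables -nvx -L` output that flags chains whose rules have counted nothing, which is the symptom being diagnosed here. The sample output is constructed to mimic the situation in the thread (rules present, every counter stuck at 0); the IPs in it are documentation addresses, not real hosts.

```shell
#!/bin/sh
# Added example: summarise per-chain packet/byte counters from `iptables -nvx -L`
# output and flag chains that have counted nothing at all.
# On a live host: iptables -nvx -L | dead_chains
# SAMPLE_OUTPUT is constructed for offline use; it mirrors the thread's symptom.
SAMPLE_OUTPUT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0            all  --  *      *       0.0.0.0/0            203.0.113.10
       0        0            all  --  *      *       203.0.113.10         0.0.0.0/0

Chain OUTPUT (policy ACCEPT 12 packets, 1540 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      12     1540 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0'

# Read `iptables -nvx -L` text on stdin; print "<chain> <pkts> <bytes>" per chain,
# summing the rule counters (the policy counters in the header are not included).
count_chain_traffic() {
    awk '
        function flush() { if (chain != "") print chain, p, b }
        /^Chain /                  { flush(); chain = $2; p = 0; b = 0; next }
        /^ *pkts +bytes/ || NF == 0 { next }
        $1 ~ /^[0-9]+$/            { p += $1; b += $2 }
        END                        { flush() }
    '
}

# Print the names of chains whose rules have counted zero packets and zero bytes.
# Exits 1 when at least one such chain exists, so it can gate a health check.
dead_chains() {
    count_chain_traffic | awk '$2 == 0 && $3 == 0 { print $1; found = 1 } END { exit found }'
}
```

With the constructed sample, `printf '%s\n' "$SAMPLE_OUTPUT" | dead_chains` lists INPUT and FORWARD and exits 1; on a healthy host every chain that carries traffic drops out of the list.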

  • KuJoe Member, Provider

    Here's the output for the FORWARD table: https://pastebin.com/FMUwxM5G

    It looks like the counters aren't working for the INPUT or OUTPUT tables either after running some more tests. :(

  • Try changing your rules and setting them to log and then watch your console output? That's weird.

  • Having 0's for the FORWARD table is understandable if forwarding is off.

    But not having counter values (pkts + bytes) for INPUT/OUTPUT is definitely fishy.

    I assume you are testing with IPv4 (and so no need for ip6tables).

  • KuJoe Member, Provider

    I'm thinking there's a module that needs to be loaded. I'm going through and comparing them between the CentOS 6 build and the CentOS 7 build.

  • KuJoe said: I'm thinking there's a module that needs to be loaded.

    I'd have thought it'll give an error if the module wasn't available/loaded.

    Curious...

  • What're your rp_filters set to?

    net.ipv4.conf.default.rp_filter
    net.ipv4.conf.all.rp_filter

    Specifically.

  • KuJoe Member, Provider

    @WSS said:
    What're your rp_filters set to?

    net.ipv4.conf.default.rp_filter
    net.ipv4.conf.all.rp_filter

    Specifically.

    All are set to 1. Also I can't get anything to output using "-j LOG" which is also weird.

  • Is this box acting as a router? Or is it just bridging?


  • Set them to 2. Try again.

  • KuJoe Member, Provider

    @WSS said:
    Set them to 2. Try again.

    No change.

    @rds100 said:
    Is this box acting as a router? Or is it just bridging?

    Just bridging. It's a KVM node if that helps at all.

  • Well shit. That should have disabled strict mode on them. What's your entire ruleset look like? How are you bridging: using a standard bridge device, or doing anything crazy with ebtables?

  • try modprobe br_netfilter - on newer distros you have to do this for bridged traffic to pass iptables

    there is also the

    • net.bridge.bridge-nf-call-ip6tables = 1
    • net.bridge.bridge-nf-call-iptables = 1
    • net.bridge.bridge-nf-call-arptables = 0

    settings
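An added example, not code from any poster: an audit of the two things this reply (and Francisco's later one) point at, whether br_netfilter is loaded and whether bridge-nf-call-iptables is 1, followed by the persistent form of the fix. It reads the module directory under /sys and the sysctl file under /proc; the root directory is a parameter so the check can be run against a constructed tree. The /etc file locations in the remediation are the conventional CentOS 7 ones and are an assumption of this example.

```shell
#!/bin/sh
# Added example: audit whether bridged frames on a KVM node are handed to
# iptables at all (the cause of the all-zero counters in this thread) and print
# the fix in a form that survives a reboot.
#   $ROOT/sys/module/br_netfilter                      -> module loaded?
#   $ROOT/proc/sys/net/bridge/bridge-nf-call-iptables  -> sysctl value
# The root argument defaults to / for a live host; tests pass a constructed tree.

# Print "loaded" or "missing" for br_netfilter under root dir $1.
br_netfilter_state() {
    if [ -d "${1:-/}/sys/module/br_netfilter" ]; then echo loaded; else echo missing; fi
}

# Print a bridge-nf sysctl value (e.g. bridge-nf-call-iptables) under root $1,
# or "absent": the file only exists once br_netfilter is loaded.
bridge_nf_value() {
    f="${1:-/}/proc/sys/net/bridge/$2"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Return 0 when bridged IPv4 traffic traverses iptables, 1 otherwise; say why.
bridge_traffic_hits_iptables() {
    root=${1:-/}
    if [ "$(br_netfilter_state "$root")" != loaded ]; then
        echo "br_netfilter not loaded: bridged frames never reach iptables"; return 1
    fi
    v=$(bridge_nf_value "$root" bridge-nf-call-iptables)
    if [ "$v" != 1 ]; then
        echo "bridge-nf-call-iptables=$v: bridged frames skip iptables"; return 1
    fi
    echo "ok: br_netfilter loaded, bridge-nf-call-iptables=1"
}

# The fix the thread settles on, made persistent: a bare modprobe and a bare
# sysctl write are both lost at the next boot. Paths are the assumed CentOS 7 ones.
print_remediation() {
    cat <<'EOF'
modprobe br_netfilter
echo br_netfilter > /etc/modules-load.d/br_netfilter.conf
printf 'net.bridge.bridge-nf-call-iptables = 1\nnet.bridge.bridge-nf-call-ip6tables = 1\n' > /etc/sysctl.d/99-bridge-nf.conf
sysctl -p /etc/sysctl.d/99-bridge-nf.conf
EOF
}

# Usage on the host: sh bridge-nf-audit.sh audit
if [ "${1:-}" = audit ]; then
    bridge_traffic_hits_iptables / || print_remediation
fi
```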

  • KuJoe Member, Provider

    @svmo said:
    try modprobe br_netfilter - on newer distro's you have to do this for bridged traffic to pass iptables

    This was it! Somebody PMed me the answer and that fixed it. Thanks everybody! It's been a long week to say the least. :)

  • @KuJoe said:

    @svmo said:
    try modprobe br_netfilter - on newer distro's you have to do this for bridged traffic to pass iptables

    This was it! Somebody PMed me the answer and that fixed it. Thanks everybody! It's been a long week to say the least. :)

    FREE KVMS TO THE WINNERS!?

  • @WSS said:

    @KuJoe said:

    @svmo said:
    try modprobe br_netfilter - on newer distro's you have to do this for bridged traffic to pass iptables

    This was it! Somebody PMed me the answer and that fixed it. Thanks everybody! It's been a long week to say the least. :)

    FREE KVMS TO THE WINNERS!?

    WITH STORAGE ...

  • C'mon, @KuJoe!

  • KuJoe Member, Provider

    I wish I could. :(

  • @KuJoe the only thread we want to see here is about you adding more KVM storage offers.

  • I needed that KVM deal so bad, instead we get tech support questions....

  • Francisco Top Provider

    @kujoe - make sure to load br_netfilter and see if it works then.

    You'll be able to sysctl -a | grep iptables and find a rule where it runs bridge traffic through iptables.

    Francisco

  • jackb Member, Provider

    Also bridge-nf-call-iptables
