Need some help with counters in iptables on CentOS 7
Hey LETers, I have a rather dumb question that I'm not able to figure out. I'm trying to get bandwidth accounting working on CentOS 7 via iptables (firewalld was removed) but it doesn't work like it does on CentOS 6. Any ideas on what I need to do to get the counters in the FORWARD table to work correctly in CentOS 7?
Thanks in advance for any help you can provide!
Comments
In order for the FORWARD chain to work correctly in CentOS 7, you need to repost your black friday offer.
I read that right off the iptables man page.
I so knew that was going to be the first reply to this thread. :P
What do you get with
iptables -L -nvx
? I would rewrite it as
iptables -nvx -L FORWARD
for brevity. Of course remove the FORWARD to get all the chains.
Here's the output for the FORWARD table: https://pastebin.com/FMUwxM5G
It looks like the counters aren't working for the INPUT or OUTPUT tables either after running some more tests.
Try changing your rules and setting them to log and then watch your console output? That's weird.
Having 0's for the FORWARD table is understandable if forwarding is off.
But not having counter values (pkts + bytes) for INPUT/OUTPUT is definitely fishy.
I assume you are testing with IPv4 (and so no need for ip6tables).
I'm thinking there's a module that needs to be loaded. I'm going through and comparing them between the CentOS 6 build and the CentOS 7 build.
I'd have thought it'll give an error if the module wasn't available/loaded.
Curious...
What're your rp_filters set to?
net.ipv4.conf.default.rp_filter
net.ipv4.conf.all.rp_filter
Specifically.
All are set to 1. Also I can't get anything to output using "-j LOG" which is also weird.
Is this box acting as a router? Or is it just bridging?
Set them to 2. Try again.
No change.
Just bridging. It's a KVM node if that helps at all.
Well shit. That should have disabled strict mode on them. What's your entire ruleset look like? How are you bridging- using a standard bridge device or doing anything crazy with ebtables?
try modprobe br_netfilter - on newer distros you have to do this for bridged traffic to pass iptables
there is also the
settings
This was it! Somebody PMed me the answer and that fixed it. Thanks everybody! It's been a long week to say the least.
FREE KVMS TO THE WINNERS!?
WITH STORAGE ...
C'mon, @KuJoe!
I wish I could.
@KuJoe the only thread we want to see here is about you adding more KVM storage offers.
I needed that KVM deal so bad, instead we get tech support questions....
@kujoe - make sure to load
br_netfilter
and see if it works then. You'll be able to
sysctl -a | grep iptables
and find a rule where it runs bridge traffic through iptables.
Francisco
Also
bridge-nf-call-iptables
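The fix the thread converges on (load br_netfilter so bridged frames traverse iptables, then confirm net.bridge.bridge-nf-call-iptables is 1) is easy to check from a script. The POSIX shell script below is an added example, not code posted by anyone in the thread. It assumes the standard kernel files /proc/modules and /proc/sys/net/bridge/bridge-nf-call-iptables, takes their paths as parameters so the checks can be run against copied files, and uses a constructed sample of `iptables -nvx -L FORWARD` output to demonstrate summing the pkts/bytes counters for bandwidth accounting.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose why iptables counters on a
# bridging KVM node stay at zero. Bridged frames only reach iptables when the
# br_netfilter module is loaded and net.bridge.bridge-nf-call-iptables is 1.

# Return 0 if br_netfilter appears in the modules list (default: /proc/modules).
br_netfilter_loaded() {
    modules_file="${1:-/proc/modules}"
    grep -q '^br_netfilter ' "$modules_file"
}

# Return 0 when bridged traffic is handed to iptables. The sysctl file does not
# exist at all until br_netfilter is loaded, so a missing file also means "no".
bridge_nf_call_iptables_enabled() {
    sysctl_file="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    [ -r "$sysctl_file" ] && [ "$(cat "$sysctl_file")" = "1" ]
}

# Sum the pkts and bytes columns of `iptables -nvx -L [chain]` output read from
# stdin and print "pkts bytes". Chain headers and column headers are skipped
# because their first field is not numeric. -x matters: without it iptables
# abbreviates counters as 12K/3M, which this parser would silently skip.
sum_counters() {
    awk '$1 ~ /^[0-9]+$/ { p += $1; b += $2 } END { printf "%d %d\n", p, b }'
}

# Return 0 when every per-rule counter on stdin is zero (the thread's symptom).
counters_all_zero() {
    [ "$(sum_counters)" = "0 0" ]
}

# Print the remediation instead of applying it; the paths are the usual
# systemd locations on CentOS 7 for persisting a module and a sysctl.
print_remediation() {
    cat <<'EOF'
modprobe br_netfilter
sysctl -w net.bridge.bridge-nf-call-iptables=1
echo br_netfilter > /etc/modules-load.d/br_netfilter.conf
echo 'net.bridge.bridge-nf-call-iptables = 1' > /etc/sysctl.d/99-bridge-nf.conf
EOF
}

# Check the live system and report what is missing.
diagnose() {
    if ! br_netfilter_loaded; then
        echo "br_netfilter is not loaded: bridged traffic bypasses iptables"
        print_remediation
    elif ! bridge_nf_call_iptables_enabled; then
        echo "br_netfilter is loaded but bridge-nf-call-iptables is not 1"
        print_remediation
    else
        echo "bridged traffic is passed to iptables; counters should move"
    fi
}

# Constructed sample of `iptables -nvx -L FORWARD` on a node where the
# counters do move, so the script demonstrates something when run off-box.
SAMPLE_FORWARD='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120    98765 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
      30     4321 ACCEPT     all  --  *      br0     0.0.0.0/0            0.0.0.0/0'

if [ -r /proc/modules ]; then
    diagnose
fi
printf 'sample FORWARD totals (pkts bytes): %s\n' \
    "$(printf '%s\n' "$SAMPLE_FORWARD" | sum_counters)"
```

Run it as root on the node to get the live verdict; on any other machine it only prints the sample totals (150 103086). For periodic accounting, pipe `iptables -nvx -L FORWARD` into sum_counters from cron and diff successive totals, remembering that `iptables -Z` resets them.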