Need some help with counters in iptables on CentOS 7

KuJoe Member, Host Rep

Hey LETers, I have a rather dumb question that I'm not able to figure out. I'm trying to get bandwidth accounting working on CentOS 7 via iptables (firewalld was removed) but it doesn't work like it does on CentOS 6. Any ideas on what I need to do to get the counters in the FORWARD table to work correctly in CentOS 7?

Thanks in advance for any help you can provide! :)

Comments

  • raindog308 Administrator, Veteran

    KuJoe said: Any ideas on what I need to do to get the counters in the FORWARD table to work correctly in CentOS 7?

    In order for the FORWARD chain to work correctly in CentOS 7, you need to repost your black friday offer.

    I read that right off the iptables man page.

  • KuJoe Member, Host Rep

    @raindog308 said:

    KuJoe said: Any ideas on what I need to do to get the counters in the FORWARD table to work correctly in CentOS 7?

    In order for the FORWARD chain to work correctly in CentOS 7, you need to repost your black friday offer.

    I read that right off the iptables man page.

    I so knew that was going to be the first reply to this thread. :P

  • What do you get with iptables -L -nvx ?

  • I would rewrite it as iptables -nvx -L FORWARD for brevity.

    Of course remove the FORWARD to get all the chains.

  • KuJoe Member, Host Rep

    Here's the output for the FORWARD table: https://pastebin.com/FMUwxM5G

    It looks like the counters aren't working for the INPUT or OUTPUT tables either after running some more tests. :(

  • Try changing your rules and setting them to log and then watch your console output? That's weird.

  • Having 0's for the FORWARD table is understandable if forwarding is off.

    But not having counter values (pkts + bytes) for INPUT/OUTPUT is definitely fishy.

    I assume you are testing with IPv4 (and so no need for ip6tables).

  • KuJoe Member, Host Rep

    I'm thinking there's a module that needs to be loaded. I'm going through and comparing them between the CentOS 6 build and the CentOS 7 build.

  • KuJoe said: I'm thinking there's a module that needs to be loaded.

    I'd have thought it'll give an error if the module wasn't available/loaded.

    Curious...

  • What're your rp_filters set to?

    net.ipv4.conf.default.rp_filter
    net.ipv4.conf.all.rp_filter

    Specifically.

  • KuJoe Member, Host Rep

    @WSS said:
    What're your rp_filters set to?

    net.ipv4.conf.default.rp_filter
    net.ipv4.conf.all.rp_filter

    Specifically.

    All are set to 1. Also I can't get anything to output using "-j LOG" which is also weird.

  • Is this box acting as a router? Or is it just bridging?

  • Set them to 2. Try again.

  • KuJoe Member, Host Rep

    @WSS said:
    Set them to 2. Try again.

    No change.

    @rds100 said:
    Is this box acting as a router? Or is it just bridging?

    Just bridging. It's a KVM node if that helps at all.

  • Well shit. That should have disabled strict mode on them. What's your entire ruleset look like? How are you bridging: using a standard bridge device, or doing anything crazy with ebtables?

  • try modprobe br_netfilter - on newer distros you have to do this for bridged traffic to pass iptables

    there is also the

    • net.bridge.bridge-nf-call-ip6tables = 1
    • net.bridge.bridge-nf-call-iptables = 1
    • net.bridge.bridge-nf-call-arptables = 0

    settings

  • KuJoe Member, Host Rep

    @svmo said:
    try modprobe br_netfilter - on newer distros you have to do this for bridged traffic to pass iptables

    This was it! Somebody PMed me the answer and that fixed it. Thanks everybody! It's been a long week to say the least. :)

  • @KuJoe said:

    @svmo said:
    try modprobe br_netfilter - on newer distros you have to do this for bridged traffic to pass iptables

    This was it! Somebody PMed me the answer and that fixed it. Thanks everybody! It's been a long week to say the least. :)

    FREE KVMS TO THE WINNERS!?

  • @WSS said:

    @KuJoe said:

    @svmo said:
    try modprobe br_netfilter - on newer distros you have to do this for bridged traffic to pass iptables

    This was it! Somebody PMed me the answer and that fixed it. Thanks everybody! It's been a long week to say the least. :)

    FREE KVMS TO THE WINNERS!?

    WITH STORAGE ...

    Thanked by 1: WSS
  • C'mon, @KuJoe!

  • KuJoe Member, Host Rep

    I wish I could. :(

    Thanked by 2: svmo, WSS
  • @KuJoe the only thread we want to see here is about you adding more KVM storage offers.

  • I needed that KVM deal so bad, instead we get tech support questions....

    Thanked by 1: Hxxx
  • Francisco Top Host, Host Rep, Veteran

    @kujoe - make sure to load br_netfilter and see if it works then.

    You'll be able to sysctl -a | grep iptables and find a rule where it runs bridge traffic through iptables.

    Francisco

  • jackb Member, Host Rep

    Also bridge-nf-call-iptables
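The fix svmo, Francisco and jackb describe (load br_netfilter so that the net.bridge.bridge-nf-call-* sysctls exist, then make sure bridge-nf-call-iptables is 1, otherwise bridged guest traffic on a KVM host never hits the iptables counters) as a small POSIX sh check script. This is an added example, not code from the thread; the lsmod and sysctl samples inside it are constructed, and the function names (module_loaded, bridge_nf_call_value, diagnose, live_check) are my own.

```shell
#!/bin/sh
# Added example: classify a CentOS 7 KVM/bridge host by whether bridged
# traffic is being handed to iptables, which depends on the br_netfilter
# module and the net.bridge.bridge-nf-call-iptables sysctl.

# Constructed `lsmod` sample: bridge present, br_netfilter NOT loaded.
SAMPLE_LSMOD_MISSING="Module                  Size  Used by
bridge                119562  0
stp                    12976  1 bridge
llc                    14552  2 stp,bridge"

# Constructed `lsmod` sample: br_netfilter loaded.
SAMPLE_LSMOD_LOADED="Module                  Size  Used by
br_netfilter           22209  0
bridge                119562  1 br_netfilter
stp                    12976  1 bridge
llc                    14552  2 stp,bridge"

# Constructed `sysctl -a | grep '^net.bridge'` sample: module loaded but
# IPv4 bridge traffic still bypasses iptables (value 0).
SAMPLE_SYSCTL="net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 0"

# module_loaded NAME LSMOD_TEXT -> exit 0 if NAME is listed as a module.
# Skips the header line and matches the first column exactly.
module_loaded() {
    printf '%s\n' "$2" | awk -v m="$1" '
        NR > 1 && $1 == m { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# bridge_nf_call_value SUFFIX SYSCTL_TEXT -> prints the value of
# net.bridge.bridge-nf-call-SUFFIX, or "absent" when the key is missing
# (which is what you see while br_netfilter is not loaded).
bridge_nf_call_value() {
    printf '%s\n' "$2" | awk -v k="net.bridge.bridge-nf-call-$1" '
        $1 == k { print $3; found = 1 }
        END { if (!found) print "absent" }'
}

# diagnose LSMOD_TEXT SYSCTL_TEXT -> one word describing the next step:
#   modprobe-needed  module absent, sysctl keys do not exist yet
#   sysctl-needed    module loaded, but bridge-nf-call-iptables != 1
#   ok               bridged IPv4 traffic traverses iptables
diagnose() {
    if ! module_loaded br_netfilter "$1"; then
        echo "modprobe-needed"
    elif [ "$(bridge_nf_call_value iptables "$2")" != "1" ]; then
        echo "sysctl-needed"
    else
        echo "ok"
    fi
}

# live_check -> run diagnose against the real host (read-only, loads nothing).
live_check() {
    diagnose "$(lsmod 2>/dev/null)" "$(sysctl -a 2>/dev/null | grep '^net.bridge')"
}

# Uncomment to run on a host:
# live_check
```

Running `live_check` on a freshly built CentOS 7 node prints `modprobe-needed`; after `modprobe br_netfilter` the sysctl keys appear and the script moves on to checking their value. To survive a reboot, the module name goes in a file under /etc/modules-load.d/ and the bridge-nf-call-iptables=1 setting in a file under /etc/sysctl.d/, since a one-off modprobe and sysctl -w are lost at the next boot.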
