iptables counting TCP
I am trying to use iptables to count different types of packets:
actually HTTP, SQL, all TCP and UDP. For the example here I will just
show one command I did, but it is analogous for the others.
To count HTTP incoming, for instance, I do (this also goes into
/etc/sysconfig/iptables without the initial "iptables" and the comments after):
iptables -N HTTPIN # Create new chain
iptables -I INPUT -p tcp -m tcp --dport 80 -j HTTPIN # port 80 incoming to chain
iptables -I HTTPIN -j ACCEPT
Then at some point I do an iptables -L INPUT -xnv and I can grep the chain and count the
bytes, then zero it (iptables -Z), wait 1/2 hour and repeat (via cronjob).
Now this works fine (I also do it with MYSQLIN, TCPIN, UDPIN and OUT). But I am
1 - is this correct? Will it impede system performance, etc.?
2 - is the ACCEPT stuff necessary? They seem to be accepted anyway.
3 - It seems to matter when you do TCP (all TCP) and HTTP (just port 80) which
rule comes first?
Re (2), the ACCEPT is necessary only if there's a potential for it to be dropped later in the flow, or you otherwise want the flow to accept & stop at that point for the given packet.
In the case of your example, the ACCEPT is unnecessary, as I believe the packet will already get accepted since that's the end of the script. However, other scripts may DROP everything at the end, in which case you'd explicitly want to ACCEPT.
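As an added example (not the original poster's or the answerer's code), here is the same counting setup done with RETURN instead of ACCEPT in the per-type chains, plus the read-and-zero step and a small parser for the `iptables -L INPUT -xnv` listing. The chain names HTTPIN/MYSQLIN/TCPIN/UDPIN mirror the post; the MySQL port (3306), the `setup_counters`, `parse_counters`, `bytes_for` and `sample_and_zero` helper names, and the sample listing are assumptions or constructed for offline use. The practical point it makes: an ACCEPT in a counting chain that sits at the top of INPUT (TCPIN in particular, which matches every TCP packet) ends evaluation for the matched packet, so any DROP rules later in INPUT never see that traffic. RETURN counts the packet and hands it back to INPUT, so the rest of the policy still applies, and it also makes the rule-order question moot for counting, because a port-80 packet is then counted by both HTTPIN and TCPIN whichever comes first.

```shell
#!/bin/sh
# Added example, not from the original post: count inbound HTTP, MySQL, all-TCP
# and all-UDP traffic with chains that RETURN instead of ACCEPT, so a DROP later
# in INPUT still applies. Chain names follow the post; port 3306 is assumed.
set -eu

# Create the counting chains and hook them into INPUT. -A appends, so the rules
# sit in the order written. Each chain only RETURNs: the jump rule in INPUT
# carries the counter we read, and the packet continues through the policy.
setup_counters() {
    for c in HTTPIN MYSQLIN TCPIN UDPIN; do
        iptables -N "$c" 2>/dev/null || iptables -F "$c"
        iptables -A "$c" -j RETURN          # count and fall through, no ACCEPT
    done
    iptables -A INPUT -p tcp --dport 80   -j HTTPIN
    iptables -A INPUT -p tcp --dport 3306 -j MYSQLIN
    iptables -A INPUT -p tcp              -j TCPIN   # also counts the port-80 hits
    iptables -A INPUT -p udp              -j UDPIN
}

# Read a `iptables -L INPUT -xnv` listing on stdin and print "CHAIN BYTES" for
# each counting jump rule. Columns with -v are: pkts bytes target prot ...;
# the first two lines are the chain header and the column header.
parse_counters() {
    awk 'NR > 2 && $3 ~ /^(HTTPIN|MYSQLIN|TCPIN|UDPIN)$/ { print $3, $2 }'
}

# Byte count for one chain from the same listing on stdin.
bytes_for() {
    awk -v c="$1" 'NR > 2 && $3 == c { print $2 }'
}

# What the half-hourly cron job runs: list and zero INPUT in one iptables call
# (the man page documents combining -L with -Z), so no packets land between a
# separate list and a separate zero. The chains' own counters are not needed.
sample_and_zero() {
    iptables -L INPUT -xnv -Z | parse_counters
}

# Constructed sample listing (not captured from a real host) for offline use.
SAMPLE='Chain INPUT (policy ACCEPT 12 packets, 840 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     150     112233 HTTPIN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
      20       4096 MYSQLIN    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
     300     250000 TCPIN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
      40       6000 UDPIN      udp  --  *      *       0.0.0.0/0            0.0.0.0/0'

case "${1:-}" in
    setup)  setup_counters ;;                          # needs root and iptables
    sample) sample_and_zero ;;                         # needs root and iptables
    *)      printf '%s\n' "$SAMPLE" | parse_counters ;; # offline demo on the sample
esac
```

Run it as `./count.sh setup` once, then `./count.sh sample` from cron; with no argument it only parses the embedded sample so the parsing can be checked without touching the firewall. If the real policy ends in a DROP, the counting rules above still leave it in force, which is the difference from an ACCEPT-terminated counting chain.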