
Resolved
0 votes
I used these commands for port forwarding on Linux (CentOS).
sysctl net.ipv4.ip_forward=1
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 150 -j DNAT --to-destination 37.120.193.51:31095
iptables -t nat -A PREROUTING -p udp --dport 150 -j DNAT --to-destination 37.120.193.51:31095
iptables -t nat -A POSTROUTING -j MASQUERADE

Port forwarding works fine and traffic is routed correctly.

I want to know how much traffic is routed through this port (150):

iptables -A FORWARD -p tcp --dport 150 -j DROP
iptables -A FORWARD -p tcp --dport 150 -m quota --quota 10000000 -j ACCEPT

I connect to the server through port 150 and use some bandwidth.

Check quota by this command:

iptables -L FORWARD -n -v

But it does not start counting.

Output is:

pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:150 quota: 10000000
Tuesday, December 01 2020, 10:18 PM
Responses (2)
  • Accepted Answer

    Thursday, December 03 2020, 09:14 AM
    Resolved
    0 votes
    Thank you for your advice.
    I did this test right after creating the rules. That is, there was no restart in the firewall.
    According to my research, I found that the FORWARD chain is after the PREROUTING chain.
    So after changing the IP address and port of the packets in the nat table, none of the packets are tracked on port 150 anymore.
    I think this is the reason why the quota does not work on port 150.
    Because there is no longer a packet with destination port 150 and all packets that entered the network with the destination port 150 were translated to port 31095.
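    As an added example that is not part of this thread, the following script applies that reasoning: it keys the FORWARD accounting rules on the conntrack original destination port (what the client dialled before the nat table rewrote it), and reads the counters back from the same `iptables -L FORWARD -n -v` listing shown in the question. It assumes the question's ports and forwarding target, and a `$IPTABLES` variable in the style the ClearOS custom firewall rules expect.

```shell
#!/bin/sh
# Added example, not from the thread: accounting rules that still match after
# the PREROUTING DNAT, plus a reader for their counters. Assumes the ports and
# forwarding target from the question. Run as root, or with IPTABLES=echo to
# preview the rules (ClearOS custom firewall rules expect "$IPTABLES" as well).
IPTABLES="${IPTABLES:-iptables}"
PUBLIC_PORT=150
TARGET=37.120.193.51
TARGET_PORT=31095
QUOTA_BYTES=10000000

# PREROUTING (nat) runs before FORWARD, so by the time a forwarded packet reaches
# FORWARD its destination is already 37.120.193.51:31095 and "--dport 150" can
# never match. The conntrack match still sees the pre-NAT ("original")
# destination port, so the rules below key on that. Order matters: the quota
# ACCEPT must come first and the DROP second, otherwise everything is dropped
# before it is counted; -I puts both ahead of any rules the firewall app manages.
forward_accounting_rules() {
    $IPTABLES -I FORWARD 1 -p tcp -d "$TARGET" --dport "$TARGET_PORT" \
        -m conntrack --ctorigdstport "$PUBLIC_PORT" \
        -m quota --quota "$QUOTA_BYTES" -j ACCEPT
    $IPTABLES -I FORWARD 2 -p tcp -d "$TARGET" --dport "$TARGET_PORT" \
        -m conntrack --ctorigdstport "$PUBLIC_PORT" -j DROP
}

# Reads "iptables -L FORWARD -n -v -x" on stdin (the listing shown in the
# question) and prints the bytes counted so far by rules carrying a quota.
# -x keeps counters as exact bytes instead of the K/M suffixes -v may print.
quota_bytes_used() {
    awk '/quota:/ { sum += $2 } END { print sum + 0 }'
}

case "${1:-}" in
    apply) forward_accounting_rules ;;
    used)  $IPTABLES -L FORWARD -n -v -x | quota_bytes_used ;;
esac
```

    Preview the rules with `IPTABLES=echo sh accounting.sh apply`; once applied, `sh accounting.sh used` prints the bytes consumed against the quota.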
  • Accepted Answer

    Wednesday, December 02 2020, 05:14 PM
    Resolved
    0 votes
    Please don't use manual rules like that or you will lose them every time the firewall restarts (which is much more often than you may realise). Use the Port Forwarding app for the port forwards. If you need to, I(nsert) another rule in the FORWARD chain rather than A(ppend) the rule so it fires before the ClearOS rule. You will need to use the Custom Firewall rules for this and use the key word "$IPTABLES" rather than "iptables".