IP traffic accounting for OpenVPN users

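I am trying to find a way to do traffic accounting for OpenVPN so that I can build graphs inside OpenVPN's web admin panel. I have everything else done. But I cannot get IPTables to work. I tried the following: https://www.cyberciti.biz/faq/linux-configuring-ip-traffic-accounting/ and it failed. Here is what I have and what happens.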

[root@vpn-01:~]# cat traf
iptables -N INET_OUT
iptables -N INET_IN
iptables -A FORWARD -j INET_IN
iptables -A FORWARD -j INET_OUT
iptables -A INPUT -j INET_IN
iptables -A OUTPUT -j INET_OUT
/sbin/iptables -A INET_IN -d 10.8.0.2
/sbin/iptables -A INET_OUT -s 10.8.0.2  
/sbin/iptables -A INET_IN -d 10.8.0.3
/sbin/iptables -A INET_OUT -s 10.8.0.3
/sbin/iptables -L INET_IN -v -x -n
/sbin/iptables -L INET_OUT -v -x -n
[root@vpn-01:~]#

Output of iptables -L -v -x -n:

[root@vpn-01:~]# iptables -L -v -x -n
Chain INPUT (policy ACCEPT 18610 packets, 990598 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
     236    33488 f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
 2321179 121098434 INET_IN    all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
     170    25554 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
       0        0 ACCEPT     all  --  tun+   venet0  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
     152    20536 ACCEPT     all  --  venet0 tun+    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0        0 INET_IN    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 INET_OUT   all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 47225 packets, 68689096 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     all  --  *      tun+    0.0.0.0/0            0.0.0.0/0           
 5662908 8196501864 INET_OUT   all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INET_IN (2 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0            all  --  *      *       0.0.0.0/0            10.8.0.2            
       0        0            all  --  *      *       0.0.0.0/0            10.8.0.3            

Chain INET_OUT (2 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0            all  --  *      *       10.8.0.2             0.0.0.0/0           
       0        0            all  --  *      *       10.8.0.3             0.0.0.0/0           

Chain f2b-sshd (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
      21     1756 REJECT     all  --  *      *       61.177.172.158       0.0.0.0/0            reject-with icmp-port-unreachable
      17     1232 REJECT     all  --  *      *       61.177.172.128       0.0.0.0/0            reject-with icmp-port-unreachable
       0        0 REJECT     all  --  *      *       222.186.173.154      0.0.0.0/0            reject-with icmp-port-unreachable
       0        0 REJECT     all  --  *      *       222.186.180.223      0.0.0.0/0            reject-with icmp-port-unreachable
     164    28132 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
[root@vpn-01:~]#        

Not sure what I missed or misconfigured.

Answer 1

So after a while I came up with something that works very well.

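#!/bin/bash
# Prints the iptables commands that create one pair of accounting chains
# per client, plus the commands that read the byte counters back.
# Each line of ipp.txt has the form "client_name,vpn_ip".

while IFS=, read -r CLIENT VPN_IP _; do
# Skip blank or incomplete lines.
[ -n "$CLIENT" ] && [ -n "$VPN_IP" ] || continue
# Chain names are case-sensitive, so the FORWARD jumps must use the
# same _IN / _OUT spelling as the chains created with -N.
echo "
iptables -N ${CLIENT}_IN
iptables -N ${CLIENT}_OUT
iptables -A ${CLIENT}_IN -j RETURN
iptables -A ${CLIENT}_OUT -j RETURN
iptables -I ${CLIENT}_IN -d ${VPN_IP}
iptables -I ${CLIENT}_OUT -s ${VPN_IP}
iptables -A FORWARD -j ${CLIENT}_IN
iptables -A FORWARD -j ${CLIENT}_OUT
"

# Read the byte counter (column 2) of the rule that matches the client's
# address. The trailing RETURN rule counts every packet that traverses the
# chain, so it is not used. -n keeps addresses numeric for the comparison.
echo "OUTGOING=\$(iptables -v -x -n -L ${CLIENT}_OUT | awk '\$7 == \"${VPN_IP}\" {print \$2}')"
echo "INCOMING=\$(iptables -v -x -n -L ${CLIENT}_IN | awk '\$8 == \"${VPN_IP}\" {print \$2}')"

done < /etc/openvpn/ipp.txt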
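
As an added example (not part of the original answer), the read-back step can parse a whole `iptables -L -v -x -n` listing by field rather than by character position, producing one line per client for graphing. It assumes the `<client>_IN` / `<client>_OUT` chain names from the script above; the function name `client_traffic` and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn `iptables -L -v -x -n` output into per-client byte totals.
# Assumes the <client>_IN / <client>_OUT chain names used by the script above.

# Reads a listing on stdin; prints "client in_bytes out_bytes", one per line.
client_traffic() {
    awk '
        $1 == "Chain" {                 # "Chain alice_IN (1 references)"
            client = $2; dir = ""
            if (client ~ /_IN$/)  { dir = "in";  sub(/_IN$/, "", client) }
            if (client ~ /_OUT$/) { dir = "out"; sub(/_OUT$/, "", client) }
            if (dir != "") seen[client] = 1
            next
        }
        # A counting rule has no target, so it has exactly 8 fields:
        # pkts bytes prot opt in out source destination.
        # The trailing RETURN rule has 9 fields and is skipped.
        dir != "" && NF == 8 && $1 ~ /^[0-9]+$/ { bytes[client, dir] += $2 }
        END {
            for (c in seen)
                printf "%s %.0f %.0f\n", c, bytes[c, "in"], bytes[c, "out"]
        }
    ' | sort
}

# Constructed sample listing, not output from the page.
SAMPLE='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     420   102912 alice_IN   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain alice_IN (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     120    98304            all  --  *      *       0.0.0.0/0            10.8.0.2
     420   102912 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain alice_OUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      64     4096            all  --  *      *       10.8.0.2             0.0.0.0/0
     420   102912 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain bob_OUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       8      512            all  --  *      *       10.8.0.3             0.0.0.0/0
     420   102912 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

printf '%s\n' "$SAMPLE" | client_traffic
```

On a live host the same function can be fed with `iptables -L -v -x -n | client_traffic`, run as root.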