Linux 2.4 firewall, how can I monitor usage?

Posted on 2001-08-01
Last Modified: 2010-03-18
We have a Linux box (mandrake 8.0 with kernel 2.4) set up as a firewall.

It has 2 NICs, one for our link and one into our switch. I noticed today that the usage looks fishy, i.e.: Received bytes (970MB) Transmitted bytes (2790MB).

As the link is only used for mail and www surfing I suspect either misuse of mail (all those porn videos) or someone running a warez server on our network.

I need a way to monitor traffic by host in our network. Overall usage statistics will also be useful of course.

I had a look on the web but got lost in all the pre-ipchains and other old methods (which I did not bother to even read. I am trying the easy way out here).

Thus what I need is pointers to the best network usage/firewall traffic usage software that will work with our current setup to catch the culprit.

Fire away ...

PS. Please do not tell me to run tcpdump. I am very capable of doing that but doing the math in my head is too much and writing scripts to do it will hog the server too much.
Question by:gysbert1

Accepted Solution

batkung earned 300 total points
ID: 6344686
try ntop, or snort

either require that you monitor what's on the display.

I'm not sure if they are included as default in your install, but they can be obtained from

have you checked your local file integrity on your machine to make sure that you haven't been root-kitted from outside?

if not, most of the root-kits install trojaned versions of ls, ps, top, netstat.....I found a rootkit on a machine by doing a updatedb, and then locate log...


Expert Comment

ID: 6345970
Are you able to insist that users on the network use proxy software on the firewall box, eg squid for web browsing? If you also install a mail server on the box, eg sendmail, and insist that all emails sent out from your network have to be relayed by it, you will get immediate logging of all mail and web surfing activity.

Having done that, you could then shut down all ip forwarding and let the proxy software take over the ipchains functions.

What was said earlier about checking for possible compromise of your system is very valid. If you have your original installation cd, reinstall the system utilities from the cd and check that everything is ok.


Author Comment

ID: 6354788
Ok, am looking into the above.

I am running a proxy as well as mailserver on the machine as suggested already. Unfortunately we are a development company, developing some custom tcp/ip communications software amongst other things. I can thus not force all traffic through the proxy.

Am pretty sure the machine is still OK though. I can see that most of my traffic is coming from inside our network. I suspect mail or some gnutella or similar server but I cannot audit every machine on the lan.


Expert Comment

ID: 6363669

If you are using a iptables firewall, you can add logging quite easily. For example,

/sbin/iptables -A FORWARD -p tcp --dport 21 -j LOG --log-level warning --log-prefix "FTP inbound connex."
/sbin/iptables -A FORWARD -p tcp --dport 21 -j ACCEPT

This should put entries into /var/log/messages.

Above assumes ftp server is on port 21 which for a warez server might well not be the case. What you could also do is exploit the 'not' option to log everything that was not going to a well-known port, e.g. '! --dport 1:1024'

/sbin/iptables -A FORWARD -p tcp ! --dport 1:1024 -j LOG --log-level warning --log-prefix "Unpriveleged port."
/sbin/iptables -A FORWARD -p tcp ! --dport 1:1024 -j ACCEPT


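The LOG rules above only get you raw lines in /var/log/messages; what the question actually asks for is usage per host. The script below is an added example (not code from the thread) that aggregates those LOG lines by SRC address: bytes and packets per internal host for a given log prefix, and the destination ports one host is talking to. It assumes the 2.4-era kernel LOG line format (IN=/OUT=/SRC=/DST=/LEN=/PROTO=/DPT= fields) and the two prefixes used in the comment above; the log lines embedded in it are constructed for illustration, not captured from a real system.

```shell
#!/bin/sh
# Added example: summarise iptables LOG entries per source host.
# Assumes the kernel 2.4 LOG format and the log prefixes from the rules above.

# Constructed sample log lines (not from a real system). The last line is a
# non-firewall entry to show that only "kernel: <prefix>" lines are counted.
SAMPLE_LOG='Aug  1 10:00:01 fw kernel: Unpriveleged port.IN=eth1 OUT=eth0 SRC=192.168.1.5 DST=203.0.113.9 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF PROTO=TCP SPT=1234 DPT=6346 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Aug  1 10:00:02 fw kernel: Unpriveleged port.IN=eth1 OUT=eth0 SRC=192.168.1.5 DST=203.0.113.9 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=12346 DF PROTO=TCP SPT=1234 DPT=6346 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Aug  1 10:00:03 fw kernel: FTP inbound connex.IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4321 DF PROTO=TCP SPT=40000 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  1 10:00:04 fw kernel: Unpriveleged port.IN=eth1 OUT=eth0 SRC=192.168.1.8 DST=203.0.113.44 LEN=100 TOS=0x00 PREC=0x00 TTL=63 ID=999 DF PROTO=TCP SPT=2000 DPT=8080 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Aug  1 10:00:05 fw sshd[123]: Accepted password for bob from 192.168.1.9'

# usage_by_src PREFIX: read log text on stdin, keep only LOG lines carrying
# PREFIX, and print "bytes packets host" per SRC, heaviest host first.
usage_by_src() {
    prefix="$1"
    grep -F "kernel: $prefix" | awk '
        {
            src = ""; len = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^LEN=/) len = substr($i, 5) + 0   # LEN is the IP packet length
            }
            if (src != "") { bytes[src] += len; pkts[src]++ }
        }
        END { for (h in bytes) printf "%d %d %s\n", bytes[h], pkts[h], h }
    ' | sort -rn
}

# ports_for_src HOST: for one source host, count the PROTO/DPT pairs it used,
# most frequent first (the trailing space after $src avoids prefix matches
# such as 192.168.1.5 matching 192.168.1.50).
ports_for_src() {
    src="$1"
    grep -F "SRC=$src " | awk '
        { for (i = 1; i <= NF; i++) if ($i ~ /^(PROTO|DPT)=/) printf "%s ", substr($i, index($i, "=") + 1); print "" }
    ' | sort | uniq -c | sort -rn
}

# Wrappers that run the two reports over the constructed sample.
sample_usage() { printf '%s\n' "$SAMPLE_LOG" | usage_by_src "Unpriveleged port."; }
sample_ports() { printf '%s\n' "$SAMPLE_LOG" | ports_for_src "192.168.1.5"; }

# On the firewall itself this would be:
#   usage_by_src "Unpriveleged port." < /var/log/messages
sample_usage
sample_ports
```

One caveat when turning these LOG rules on for all traffic: a busy host can generate a log line per packet and fill /var/log/messages quickly. Pairing the LOG rule with iptables' standard limit match (for example `-m limit --limit 10/minute`) keeps the volume manageable while still revealing which internal hosts are generating the load.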

Expert Comment

ID: 6363852
Gnutella or something similar is quite possible, and the user may be completely unaware of the load it's putting on the network.

If you suspect that someone within the network is abusing the system, whether intentionally or not, then I would suggest you talk to whoever is in charge of the development team, and tell them that you need to tighten up security on the gateway. Ask them to specify which ports they need left open, and then you can shut everything else down (or you can leave it open, but log it). You will then have a much better chance of finding the PCs within the network that are imposing the load, and then investigating in more detail.


Author Comment

ID: 6403948
Had a look at both, NTOP does the trick!

The latest version does not need monitoring of the display. It runs as a daemon and writes data to a GDB database on the server.

I can now monitor usage per src/dest host by protocol and time, and all of this via the web from my browser ...


