Linux has a number of useful bandwidth monitoring tools, such as nload, netwatch, iftop, trafshow, bandwidthd and vnstat. If all you need is a basic overview of your total bandwidth usage, iptables is all you really need. Usually we use iptables for setting up firewalls and port forwarding, but iptables also provides packet and byte counters.
Writing iptables rules
The IP addresses in this article are modified from the real addresses. We’ll use the private IP space 192.168.0.0/16, subnetted into smaller blocks.
In this example, the FORWARD chain will only provide the global counters.
$ sudo iptables -N system-1
The rule will match any source and any destination. Everything that is being passed through this router matches this rule and will provide the total of combined downloaded and uploaded data.
# System-1 Downloads
iptables -A FORWARD -d 192.168.1.0/26 -j system-1
# System-1 Uploads
iptables -A FORWARD -s 192.168.1.0/26 -j system-1
The rules created above give us separate totals for all downloads to and uploads from system-1. This is accomplished by matching the source and destination of all traffic through the router against system-1's subnet. After a rule is matched, the -j option invokes a jump to one of the custom chains. These custom chains can then hold additional rules pertaining to the subnet. For instance, rules can be created for each individual IP address in that subnet to track bandwidth on a per-host basis:
# System-1, Host 192.168.1.10 Download
iptables -A system-1 -d 192.168.1.10
# System-1, Host 192.168.1.10 Upload
iptables -A system-1 -s 192.168.1.10
You could repeat this process for every IP address for all systems within the subnet.
Bandwidth statistics
Viewing the current bandwidth usage is a matter of running iptables with the -L and -v options. The -L option outputs the statistics for a chain (or all chains if none is provided). The -v option provides verbose output, including the packet and byte counters that we are interested in. I recommend using the -n option as well to prevent DNS lookups: iptables will then show the IP addresses without attempting to resolve their hostnames, which would put additional and unnecessary load on the router.
$ sudo iptables -L -v -n
Chain INPUT (policy ACCEPT 311K packets, 48M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 system-1   all  --  *      *       0.0.0.0/0            192.168.1.0/26
    0     0 system-1   all  --  *      *       192.168.1.0/26       0.0.0.0/0

Chain OUTPUT (policy ACCEPT 325K packets, 29M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain system-1 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      *       0.0.0.0/0            192.168.1.10
    0     0            all  --  *      *       192.168.1.10         0.0.0.0/0
Saving data across reboots
If you reboot the machine or remove the iptables kernel modules, you’ll lose all of your packet and byte counters. So you want to make backups of the running counters, and in the event of a reboot, restore the counters rather than starting from zero.
The iptables package comes with two programs that aid in this: iptables-save and iptables-restore. Both programs need to be told to explicitly use the packet and byte counters during backup and restore using the -c command line option.
The backup and restore process is fairly straightforward. To back up your iptables data, use:
$ sudo iptables-save -c > iptables-backup.txt
To restore the data after a reboot, use:
$ sudo iptables-restore -c < iptables-backup.txt
Conclusion
The flexibility and power of iptables allow for more complex monitoring scenarios. You can create rules to track not only different subnets but also specific ports and protocols, which lets you track exactly how much of each customer's traffic is Web, email, file sharing, etc.
In addition, these bandwidth monitoring rules can also become blocking rules. If a host has used too much bandwidth, its rules in the custom chain can be modified by adding -j DROP to both the download and upload rules. This effectively stops traffic being routed to and from that host.
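As an added example (not part of the original article), the shell functions below turn the listing of the system-1 chain into per-host download and upload totals and list the hosts that are over a byte limit, which are the candidates for the -j DROP change described above. The function names, the sample counter values and the limit are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: per-host totals from the counters of the system-1 chain.
# On the router the input would come from:
#   sudo iptables -L system-1 -v -n -x
# (-x prints exact counters instead of rounded values such as 48M).

# Constructed sample listing; the counter values are made up for illustration.
sample_output() {
cat <<'EOF'
Chain system-1 (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    1520    1843200            all  --  *      *       0.0.0.0/0            192.168.1.10
     980     120400            all  --  *      *       192.168.1.10         0.0.0.0/0
     300     400000            all  --  *      *       0.0.0.0/0            192.168.1.11
     250      30000            all  --  *      *       192.168.1.11         0.0.0.0/0
EOF
}

# host_usage: read a listing on stdin, print "host download_bytes upload_bytes".
# Accounting rules have no target, so that column is empty and each rule line
# has exactly 8 fields: pkts bytes prot opt in out source destination.
host_usage() {
    awk '
        NF != 8 || $1 !~ /^[0-9]+$/ { next }   # skip headers and rules with a target
        $7 == "0.0.0.0/0" && $8 != "0.0.0.0/0" { down[$8] += $2; seen[$8] = 1 }
        $8 == "0.0.0.0/0" && $7 != "0.0.0.0/0" { up[$7] += $2; seen[$7] = 1 }
        # %.0f rather than %d: byte counters regularly exceed 32-bit integers
        END { for (h in seen) printf "%s %.0f %.0f\n", h, down[h], up[h] }
    ' | sort
}

# over_limit LIMIT_BYTES: hosts whose download + upload total exceeds the limit.
over_limit() {
    host_usage | awk -v limit="$1" '$2 + $3 > limit { print $1 }'
}

# Demonstration on the constructed sample.
sample_output | host_usage
sample_output | over_limit 1000000
```

On a live router, replace sample_output with the real listing, for example: sudo iptables -L system-1 -v -n -x | host_usage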
















