- Describe the IPTables setup
- Show the initial script I wrote to read the results
- Show some preliminary raw data
I've changed the setup described in the first post about the subject to also add the "foreign" side of each identified Skype connection to the "recent" list (using the "recent" module). That way when an ICMP packet arrives from a host in that list I assume that it's related to Skype (I guess there are very slim chances to have Skype traffic with a server such as web hosts).
Here is the updated setup:
# match all outgoing packets from gid skype, mark their connection
# and add their destination to the "recent list" so we can count ICMP packets to/from them
iptables -A OUTPUT -m owner --gid-owner skype --out-interface eth0 --protocol tcp -m recent --rdest --set --name Skype -j CONNMARK --set-mark 1
iptables -A OUTPUT -m owner --gid-owner skype --out-interface eth0 --protocol udp -m recent --rdest --set --name Skype -j CONNMARK --set-mark 2
# count ICMP packets going to hosts which appear in our "recent" list
iptables -A OUTPUT --out-interface eth0 --protocol icmp -m recent --rdest --name Skype --update -j ACCEPT -m comment --comment skype-out-icmp
# all packets which match the connection should go through the skype rule
iptables -A OUTPUT -m connmark --mark 1 -m comment --comment skype-out-tcp
iptables -A OUTPUT -m connmark --mark 2 -m comment --comment skype-out-udp
# match all packets on Skype's public TCP port and mark their connection
iptables -A INPUT -p tcp -m tcp --dport 21212 --in-interface eth0 -j CONNMARK --set-mark 1
iptables -A INPUT -p udp -m udp --dport 21212 --in-interface eth0 -j CONNMARK --set-mark 2
# count ICMP packets coming from hosts which appear in our "recent" list
iptables -A INPUT -p icmp --in-interface eth0 -m recent --name Skype --update -j ACCEPT -m comment --comment skype-in-icmp
# all packets which match the connection
iptables -A INPUT -m connmark --mark 1 -m comment --comment skype-in-tcp
iptables -A INPUT -m connmark --mark 2 -m comment --comment skype-in-udp
The counter reading script was modified to add "icmp" to the list of protocols it looks for and to total bytes/packets over the various planes: direction (total in vs. total out) and protocol (tcp vs. udp vs. icmp)
Here is what the counters look like after about 25 days of data gathering:
$ sudo ./getcounts.pl
tcp_out_bytes 35838386
icmp_out_bytes 155016
tcp_in_pkts 441671
icmp_out_pkts 1023
icmp_in_pkts 4526
udp_out_bytes 242046393
tcp_out_pkts 540629
icmp_in_bytes 505522
udp_out_pkts 1799468
udp_in_pkts 1607313
udp_in_bytes 204286584
tcp_in_bytes 42500198
====== totals =====
tcp_pkts 982300
tcp_bytes 78338584
icmp_pkts 5549
out_pkts 2341120
icmp_bytes 660538
udp_bytes 446332977
in_bytes 247292304
udp_pkts 3406781
out_bytes 278039795
in_pkts 2053510
I'm still looking for time to add writing of these numbers into an RRD file so it'll be possible to graph them across different periods, but for now my simple conslusion is about the "in_bytes" numbers (and to a lesser degree, the "out_bytes"): they are 235.8 incoming mega bytes and 265.1 outgoing mega bytes.
Over a period of 25 days this puts it at around 9.4 incoming mega bytes per day and 10.6 outgoing megabytes per day. Over a month (let's say it's 30 days) it's 283.0 mega bytes per month of incoming traffic and 318.2 mega bytes of outgoing traffic. This includes my own Skype conversations (admittedly, not much this month).
Whether this proves Cringley's point or not? I'm not sure. I didn't believe that there is that much traffic involved until I startted this experiment, but I'm still not completly convinced it's "too much to handle".
In my personal context it's still less than 2% (1.38%, to be precise) of my download quota of 20Gb per month.
So for now I'm not going to give up on the advantages of a smoother connection (which is the reason I configured my desktop as a "Super-node" in the first place).
I'd be glad to learn from you what you think about the experiment (have I missed some packets?) and the result - do you agree with my conclusion so far or not?
2 comments:
On my router I also notice connection attempts on ports 80 and 443 as well as the Skype private port. Does your usage statistics include Skype usage on these ports?
FWIW, I turned off supernode and uninstalled Skype over a month ago, and I'm *still* logging connection attempts to the private port. I'm thinking of replacing the cable modem so that I get an new Comcast address...
I count all connections which originate from or destined to my Skype process, which doesn't listen on port 80/443 but probably initiates connections to these ports on foreign hosts.
I'm not sure that the connection attempts on your ports 80/443 are related to Skype - port scanners probe these ports on all hosts connected to the Internet - I used to see dozens of such connections per minute on my desktop connected through an ADSL line until I configured my private Apache server to listen to some non-standard port.
About still getting these connection attempts a month after turning off super-node mode - have you changed the standard port on which Skype listens as a super-node? Maybe you get these connection attempts from port scanners which look for Skype as well.
Post a Comment