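# Accounting rules for Bandwidth Pie
# Adam Sampson
#
# Make sure you do these before any other firewalling rules you set up...
# The jump rules below are appended with -A, so a terminating rule that
# sits earlier in FORWARD/INPUT/OUTPUT stops matching packets from ever
# reaching the accounting chains, and that traffic goes uncounted.
#
# The accounting chains hold a single "-j RETURN" rule: they count packets
# and bytes but never accept or drop anything, so they are not a substitute
# for filtering rules.
#
# $IPTABLES manages IPv4 rules only; IPv6 traffic is not counted here.

IPTABLES=/sbin/iptables

# create name
# Make sure chain <name> exists and is empty.
# (We ignore errors since there's no way to tell iptables to shut up
# if the chain already exists, grr.)
# A genuine failure (not root, invalid or over-long chain name) still
# shows up through the un-silenced -F below.
create () {
    $IPTABLES -N "$1" >/dev/null 2>/dev/null
    $IPTABLES -F "$1"
}

# append_once chain rule-spec...
# Append a rule unless an identical one is already in the chain. Without
# this, running the script a second time without flushing the built-in
# chains adds a second jump and every packet is counted twice.
# If this iptables has no -C (check) option, the check fails and the rule
# is simply appended, exactly as before.
append_once () {
    $IPTABLES -C "$@" >/dev/null 2>&1 || $IPTABLES -A "$@"
}

# account name address [address ...]
# Create the chains <name>_in and <name>_out and send traffic to/from each
# address through them so the per-chain counters can be read later.
# The suffix counts toward iptables' chain-name length limit, so keep
# names short.
# Returns 1 (and touches nothing) when the name or the addresses are missing.
account () {
    if [ $# -lt 2 ] || [ -z "$1" ]; then
        echo "usage: account name address [address ...]" >&2
        return 1
    fi

    name=$1
    shift

    # $* is deliberately left unquoted in the loops below so that a
    # space-separated address list passed as one argument still works.

    create "${name}_in"
    $IPTABLES -A "${name}_in" -j RETURN
    for x in $* ; do
        append_once FORWARD -d "$x" -j "${name}_in"
        # This line is here to account for traffic through the proxy
        # server we run on our firewall machine. If you run your proxy
        # on a different port (or you have more than one), adjust as
        # appropriate:
        append_once OUTPUT -d "$x" -p tcp --sport 80 -j "${name}_in"
    done

    create "${name}_out"
    $IPTABLES -A "${name}_out" -j RETURN
    for x in $* ; do
        append_once FORWARD -s "$x" -j "${name}_out"
        # The note above also applies to this line:
        append_once INPUT -s "$x" -p tcp --dport 80 -j "${name}_out"
    done
}

# To enable accounting for a machine, "account name address [address ...]".
# If a machine has multiple addresses, make sure you specify all of them.
account goldfish 192.168.7.2
account harpoon 192.168.7.3 11.22.33.44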