"netfilter and iptables are building blocks of a framework inside the Linux 2.4.x and 2.6.x kernel. This framework enables packet filtering, network addresss [and port] translation (NA[P]T) and other packet mangling. It is the re-designed and heavily improved successor of the previous Linux 2.2.x ipchains and Linux 2.0.x ipfwadm systems."
Peer to Peer traffic
I found a nice little kernel/iptables module that makes it easy to match various P2P protocols... once they've been marked, it's trivial to set up bandwidth shaping for those protocols, count the traffic passing through, or just drop it:
To install on debian:
apt-get install iptables-dev kernel-headers-2.6.8-1-k7 tar xvfz ipp2p*.gz cd ipp2p make cp ibipt_ipp2p.so /lib/modules/iptables cp ipt_ipp2p.ko /lib/modules/`uname -r`/kernel/net/ipv4 depmod insmod ipt_ipp2p.ko
IP Tables + Promisc mode
If you need to do passive IP Accounting using iptables using a hidden host in promiscous mode... it doesn't seem like it can be done. The packets never show up in the INPUT, FORWARD, or OUTPUT chains, and hence can't be counted.
Perhaps by using the PROMISC chain it's possible? http://www.advogato.org/person/scaramanga/
Here are the patches:
http://idea.hosting.lv/a/iptables-promisc/
I found that using ip tables for traffic counting doesn't work to great. Using pmacct has worked much better.
Related testing
See also Linux, Networking, LinuxSecurity