I actually spent weeks and weeks on this problem. I was using Debian o/s back then. I needed to capture bandwidth from a user in a shell. I decided to allow SSH for some of my customers (yes i know..) Some of them were using wget/lynx and other net based applications. I didn't have any tools to log bandwidth from these programs.

A friend suggest I used the IPT_OWNER module. So I recompiled the 2.4.19 kernel and took a shot. But later to find out, it only supported OUTGOING rules which was pointless.

I searched on google for a solution and found a FreeBSD article comparing ipchains/iptables and ipfw and its other fw programs. I downloaded FreeBSD 4.6.2 and installed it. I followed some of the ipfw examples.

So if I wanted to log bandwidth info for user tom. I would use;

ipfw add allow ip from any to any in uid tom
ipfw add allow ip from any to any out uid tom

Then to find out the users bandwidth usage, you could type ipfw show and it will show you the in/out bandwidth statistics. You could also modify this rule and restict the use of IP's in your system for a certain user. Handy if you want to assign a user an IP address for webhosting and to prevent them from binding to any other IP which I'm doing at the moment.

But theres another problem, what if the user sets up a cgi or php script and issue the wget command? By default apache sets the permissions executable by apache or nogroup. So I read the apache manual and found out you can use the User directive in the users virtual host, ie: User tom so that anything executed will be under tom uid thus capturing his/her traffic.

So far.. thats how I'm doing it. If you have any other suggestions, improvement, corrections and other tips, please share.