Учет Shorewall / iptables между конкретными сетями?

вы можете сделать что-то вроде этого:

TRACK_INBOUND="TRACKING_IN"
TRACK_OUTBOUND="TRACKING_OUT"
#Space separated lists of hosts(1.2.3.4),networks(1.2.3.x/y) to separate
TRACKING_IGNORE="1.2.3.4 5.6.7.8"

iptables -N $TRACK_INBOUND
iptables -F $TRACK_INBOUND
iptables -I INPUT -j $TRACK_INBOUND
for ignore in $TRACKING_IGNORE; do
    iptables -A $TRACK_INBOUND -s $ignore -j RETURN
done
iptables -A $TRACK_INBOUND  -j RETURN

iptables -N $TRACK_OUTBOUND
iptables -F $TRACK_OUTBOUND
iptables -I OUTPUT -j $TRACK_OUTBOUND
for ignore in $TRACKING_IGNORE; do
    iptables -A $TRACK_OUTBOUND -d $ignore -j RETURN
done
iptables -A $TRACK_OUTBOUND -j RETURN

BYTES_IN=$(iptables -L $TRACK_INBOUND -nxv | tail -n 1 | awk '{print$2}')
BYTES_OUT=$(iptables -L $TRACK_OUTBOUND -nxv | tail -n 1 | awk '{print$2}')

iptables -L $TRACK_INBOUND -nv

Chain TRACKING_IN (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       1.2.3.4              0.0.0.0/0
    0     0 RETURN     all  --  *      *       5.6.7.8              0.0.0.0/0
 123K   15M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

iptables -L $TRACK_OUTBOUND -nv

Chain TRACKING_OUT (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            1.2.3.4
    0     0 RETURN     all  --  *      *       0.0.0.0/0            5.6.7.8
 1116  679K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0