подсчет трафика (iptables+ULOG+ipcad+bash)

ребята подскажите. Ситуация такая на машине с двумя сетевыми интерфейсами считаю трафик в такой связке. но с провайдером трафик не сходиться. в чем может быть дело?
Подробности
ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:05:5D:CF:D4:C1
inet addr:213.211.127.142 Bcast:213.211.127.143 Mask:255.255.255.252
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:59237 errors:0 dropped:0 overruns:0 frame:0
TX packets:61351 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:44186374 (42.1 Mb) TX bytes:9357667 (8.9 Mb)
Interrupt:11 Base address:0xe800

eth1 Link encap:Ethernet HWaddr 00:0A:CD:03:D8:88
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:73925 errors:0 dropped:0 overruns:0 frame:0
TX packets:66881 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:11705135 (11.1 Mb) TX bytes:47365651 (45.1 Mb)
Interrupt:12 Base address:0xec00

gre0 Link encap:UNSPEC HWaddr 00-00-00-00-05-08-D8-EF-00-00-00-00-00-00-00-00
NOARP MTU:1476 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:5662 errors:0 dropped:0 overruns:0 frame:0
TX packets:5662 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:322024 (314.4 Kb) TX bytes:322024 (314.4 Kb)

teql0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

tunl0 Link encap:IPIP Tunnel HWaddr
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

/etc/conf.d/net
less /etc/conf.d/net
# This blank configuration will automatically use DHCP for any net.*
# scripts in /etc/init.d. To create a more complete configuration,
# please review /etc/conf.d/net.example and save your configuration
# in /etc/conf.d/net (this file :]!).

#WAN
#INET GataWay 192.168.1.1
config_eth0=( "213.211.127.142/30" )
routes_eth0=( "default via 213.211.127.141" )

#LAN
config_eth1=( "192.168.0.1" )

less ./firewall.src
#!/bin/sh
###########################################################################
# 1. Configuration options.
# 1.1 Internet Configuration.

INET_IP="213.211.127.142"
INET_IFACE="eth0"
#INET_BROADCAST="192.168.1.255"

# 1.1.1 DHCP
# 1.1.2 PPPoE
# 1.2 Local Area Network configuration.

LAN_IP="192.168.0.1"
LAN_IP_RANGE="192.168.0.0/24"
LAN_IFACE="eth1"

# 1.3 DMZ Configuration.
# 1.4 Localhost Configuration.

LO_IFACE="lo"
LO_IP="127.0.0.1"

# 1.5 IPTables Configuration.
IPT="iptables"

# 1.6 Other Configuration.
###########################################################################
# 4. rules set up.

# 4.1 Filter table
# 4.1.1 Set policies

$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
# Create chain for bad tcp packets

$IPT -N bad_tcp_packets

# Create separate chains for ICMP, TCP and UDP to traverse

$IPT -N allowed
$IPT -N tcp_packets
$IPT -N udp_packets
$IPT -N icmp_packets

# 4.1.3 Create content in userspecified chains
# bad_tcp_packets chain

$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn: "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# allowed chain

$IPT -A allowed -p TCP --syn -j ACCEPT
$IPT -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A allowed -p TCP -j DROP

# TCP rules

#$IPT -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
#$IPT -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed

#$IPT -A tcp_packets -p TCP -i INET_IFACE -m multiport --dport 22,2103 -j allowed

$IPT -A tcp_packets -p TCP -s $LAN_IP_RANGE --dport 22 -j allowed
$IPT -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
#$IPT -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

# UDP ports

$IPT -A udp_packets -p UDP -s 0/0 --dport 53 --sport 1024:65535 -j ACCEPT
#$IPT -A udp_packets -p UDP -s 0/0 --sport 123 -j ACCEPT
#$IPT -A udp_packets -p UDP -s 0/0 --sport 2074 -j ACCEPT
#$IPT -A udp_packets -p UDP -s 0/0 --sport 4000 -j ACCEPT

# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST --destination-port 135:139 -j DROP

# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#$IPT -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 --destination-port 67:68 -j DROP

# ICMP rules

#$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
#$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# 4.1.4 INPUT chain
# Bad TCP packets we don't want.
###DEBUG
$IPT -A INPUT -j ULOG --ulog-cprange 100 --ulog-qthreshold 30 --ulog-nlgroup 1
#$IPT -A INPUT -j LOG --log-prefix "DEBUG INPUT packets: "

#$IPT -A INPUT -p tcp --dport 22 -i $INET_IFACE -m state --state NEW -m recent --set
#$IPT -A INPUT -p tcp --dport 22 -i $INET_IFACE -m state --state NEW -m recent --update --seconds 60 --hitcount 2 -j DROP
$IPT -A INPUT -p tcp -i $INET_IFACE --dport 22 -j ACCEPT

$IPT -A INPUT -p tcp -j bad_tcp_packets

# Rules for special networks not part of the Internet

$IPT -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPT -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

# Rules for incoming packets from anywhere.

$IPT -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p TCP -j tcp_packets
$IPT -A INPUT -p UDP -j udp_packets

#$IPT -A INPUT -p ICMP -j icmp_packets

# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by logs
#$IPT -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP

# Log weird packets that don't match the above.

#$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

# 4.1.5 FORWARD chain
# Bad TCP packets we don't want
###DEBUG
$IPT -A FORWARD -j ULOG --ulog-cprange 100 --ulog-qthreshold 30 --ulog-nlgroup 1
#$IPT -A FORWARD -j LOG --log-prefix "DEBUG FORWARD packets: "

$IPT -A FORWARD -p tcp -j bad_tcp_packets

##Accept the packets we actually want to forward

$IPT -A FORWARD -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT
$IPT -A FORWARD -p tcp --dport 25 -i $LAN_IFACE -j ACCEPT
$IPT -A FORWARD -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT

$IPT -A FORWARD -p tcp -m multiport --dport 1252,1254,1239,1241,9993 -i $LAN_IFACE -j ACCEPT
$IPT -A FORWARD -p udp -m multiport --dport 1252,1254,1239,1241,9993 -i $LAN_IFACE -j ACCEPT

$IPT -A FORWARD -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log weird packets that don't match the above.

#$IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

# 4.1.6 OUTPUT chain
# Bad TCP packets we don't want.
###DEBUG
$IPT -A OUTPUT -j ULOG --ulog-cprange 100 --ulog-qthreshold 30 --ulog-nlgroup 1
#$IPT -A OUTPUT -j LOG --log-prefix "DEBUG OUTPUT packets: "
#$IPT -A OUTPUT -p tcp --sport 22

$IPT -A OUTPUT -p tcp -j bad_tcp_packets

# Special OUTPUT rules to decide which IP's to allow.
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

# Log weird packets that don't match the above.

#$IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

############ 4.2 nat table ######################
# 4.2.1 Set policies
# 4.2.2 Create user specified chains
# 4.2.3 Create content in user specified chains
# 4.2.4 PREROUTING chain
#Trasparensy proxy SQUID
$IPT -t nat -A PREROUTING -i $LAN_IFACE -p tcp --dport 80 -j REDIRECT --to-port 3128

# 4.2.5 POSTROUTING chain
# Enable simple IP Forwarding and Network Address Translation
$IPT -t nat -A POSTROUTING -s $LAN_IP_RANGE -p tcp -m multiport --dport 25,110 -o $INET_IFACE -j MASQUERADE
$IPT -t nat -A POSTROUTING -s $LAN_IP_RANGE -p tcp --dport 21 -o $INET_IFACE -j MASQUERADE
$IPT -t nat -A POSTROUTING -s $LAN_IP_RANGE -p tcp -m multiport --dport 1252,1254,1239,1241,9993 -o $INET_IFACE -j MASQUERADE
$IPT -t nat -A POSTROUTING -s $LAN_IP_RANGE -p udp -m multiport --dport 1252,1254,1239,1241,9993 -o $INET_IFACE -j MASQUERADE

#$IPT -t nat -A POSTROUTING -o $LAN_IFACE -j SNAT --to-source $INET_IP

# 4.2.6 OUTPUT chain

####### 4.3 mangle table #######################
# 4.3.1 Set policies
# 4.3.2 Create user specified chains
# 4.3.3 Create content in user specified chains
# 4.3.4 PREROUTING chain
# 4.3.5 INPUT chain
# 4.3.6 FORWARD chain
# 4.3.7 OUTPUT chain
# 4.3.8 POSTROUTING chain

по крону в полночь сбрасываю статистику
less ./everyday_dump
#!/bin/bash
CUR_DAY=$(date "+%d")
CUR_MONTH=$(date "+%m")
CUR_YEAR=$(date "+%Y")
ipcad_dumps="/var/ipcad/dumps"
file_log="$CUR_DAY.dump"
cur_dir="$ipcad_dumps/$CUR_MONTH.$CUR_YEAR"
ipcad_log="$cur_dir/$file_log"

#sbros dumpa
rsh localhost dump $file_log >/dev/null 2>&1
#sbros schetchika
rsh localhost clear ip accounting >/dev/null 2>&1
#proverka papki
if [ ! -d $cur_dir ]
then mkdir $cur_dir
fi
mv "/var/ipcad/$file_log" "$cur_dir"

конфиг ipcad
less /etc/ipcad.conf
capture-ports disable;

buffers = 256k;

interface ulog group 1;

aggregate 192.168.0.0/24 strip 32;

# netflow export destination 127.0.0.1 9996;
netflow export version 5; # NetFlow export format version {1|5}
netflow timeout active 30; # Timeout when flow is active, in minutes
netflow timeout inactive 15; # Flow inactivity timeout, in seconds
netflow engine-type 73; # v5 engine_type; 73='I' for "IPCAD"
netflow engine-id 1; # Useful to differentiate multiple ipcads.
netflow ifclass eth mapto 0-99; # i.e., "eth1"->1, "eth3"->3
netflow ifclass fxp mapto 0-99; # i.e., "fxp4"->4, "fxp0"->0
netflow ifclass ppp mapto 100-199; # i.e., "ppp32"->532, "ppp7"->507
netflow ifclass gre mapto 200-299;
netflow ifclass tun mapto 300-399; # i.e., "tun0"->300

rsh enable at 127.0.0.1;

rsh

admin; /* Can shutdown ipcad */
rsh

backup; /* Can dump/restore/import accounting table */
rsh

; /* Can view and modify accounting tables */
/* Note the order! */
rsh

deny; /* Deny this user from even viewing tables */
rsh 127.0.0.1 view-only; /* Other users can view current tables */

rsh timeout = 30;

dumpfile = ipcad.dump; # The file is inside chroot(), see below...

chroot = /var/ipcad;

pidfile = /run/ipcad.pid;

memory_limit = 10m;

а вот так считаю трафик
less ./stat_gen
#!/bin/bash
CUR_DAY=$(date -d "-1 day" "+%d")
CUR_MONTH=$(date -d "-1 day" "+%m")
CUR_YEAR=$(date -d "-1 day" "+%Y")
letter="/var/ipcad/letter.txt"
ipcad_dumps="/var/ipcad/dumps"
cur_dir="$ipcad_dumps/$CUR_MONTH.$CUR_YEAR"
statis="Statatistic of day ( $CUR_DAY.$CUR_MONTH.$CUR_YEAR )"
if [ "$1" = "month" ]
then
month_log="$ipcad_dumps/$CUR_MONTH$CUR_YEAR.dump"
#skleivaem logi v mesyaz
cat $cur_dir/* >$month_log
statis="Statistic of month ( $CUR_MONTH.$CUR_YEAR )"
#free-sa -d $CUR_MONTH/01/$CUR_YEAR-$CUR_MONTH/$CUR_DAY/$CUR_YEAR
echo "$CUR_MONTH/01/$CUR_YEAR-$CUR_MONTH/$CUR_DAY/$CUR_YEAR"
cd /usr/www/html
tar -cj free-sa/ >cat >/var/ipcad/dumps/www/statwww_01-$CUR_DAY.$CUR_MONTH.$CUR_YEAR.tar.bzip2
appendToLetter="-a /var/ipcad/dumps/www/statwww_01-$CUR_DAY.$CUR_MONTH.$CUR_YEAR.tar.bzip2 "

else
month_log="$cur_dir/$CUR_DAY.dump"
fi

#echo $cur_dir
#echo $month_log

#Summary trafic
echo "$statis" >$letter
echo "Summary INTERNET traffic: $(awk '("213.211.127.142" == $1) || ("213.211.127.142" == $2) {s+=$4} END {print(s/1048576)}' < $month_log) MByte" >>$letter
echo "Summary INTERNET OUT traffic: $(awk '$1 == "213.211.127.142" {s+=$4} END {print(s/1048576)}' < $month_log) Mbyte" >>$letter
echo "Summary INTERNET IN traffic: $(awk '$2 == "213.211.127.142" {s+=$4} END {print(s/1048576)}' < $month_log) Mbyte" >>$letter
echo >>$letter
echo "Summary LOCAL traffic: $(awk '(($1 ~ "192.168.0") || ($2 ~ "192.168.0")) {s+=$4} END {print(s/1048576)}' $month_log) Mbyte" >>$letter
echo "Summary LOCAL OUT traffic: $(awk '$1 ~ "192.168.0" {s+=$4} END {print(s/1048576)}' $month_log) Mbyte" >>$letter
echo "Summary LOCAL IN traffic: $(awk '$2 ~ "192.168.0" {s+=$4} END {print(s/1048576)}' $month_log) Mbyte" >>$letter
#podschet po polzovatelyam
usual_ip=2
usual_ipend=31
while test "$usual_ip" != "$usual_ipend"
do
#echo " $usual_ip "
echo "" >>$letter
echo "192.168.0.$usual_ip " >>$letter
echo "Summary LOCAL OUT traffic: $(awk '$1 == "192.168.0."'$usual_ip' {s+=$4} END {print(s/1048576)}' $month_log) Mbyte" >>$letter
echo "Summary LOCAL IN traffic: $(awk '$2 == "192.168.0."'$usual_ip' {s+=$4} END {print(s/1048576)}' $month_log) Mbyte" >>$letter
usual_ip=`expr $usual_ip + 1`
done

email $appendToLetter-s "Traffice Statistice"

,LexX1st@mail.ru,firstassa@ya.ru <$letter #>/dev/null 2>&1

вот скажите и чего у меня не так???? у провайдера в разы трафика больше. что делать?