Sent this earlier but it didn't like the size of the attached graphs.
Michael Mansour wrote:
>I handle various subnets and IP's for various clients, and they all go through
>the shorewall firewall system.
>
>Some clients have subnets, some have only single IP's.
>
>I'd like to start counting the bandwidth they are using, whether that be for
>subnets or IP's on their dedicated servers.
>
>Can shorewall do this? if so, how? will I need to upgrade the shorewall
>version?
OK, some excerpts from one of my systems at work. This is a bridge and eth0 is
the outside interface. For obvious reasons I've cut out large chunks of
repetitive stuff. BTW, most of these files were done by writing a short shell
script - I didn't type them out by hand ;-)
The attached graphs show what the boss gets out of it (there is a legend which
isn't shown) - above the line is traffic in, below the line is traffic out. I
assume this is the sort of thing you are looking to get out of it.
I'll leave you to do the graphing, the scripts I have are done in bash and are,
shall we say, 'not very pretty' ! Be aware that graphing all 254 addresses
takes a lot of memory - in fact I had the process crash when it exceeded 2G (1G
real plus 1G swap) before I adjusted the graphs to align with the datapoints
(ie no scaling on the time axis).
It takes about 1 1/2 minutes to reload the firewall on a 1G Celeron. This is
with Shorewall ver 3.0.7 on a Debian box. Some day I'll get round to upgrading,
but you know what they say, if it ain't broke ...
/etc/shorewall/accounting :
#ACTION             CHAIN       SOURCE      DESTINATION PROTO   DEST      SOURCE    USER/
#                                                               PORT(S)   PORT(S)   GROUP
# Outside global stats
outside-in:COUNT    -           eth0        -
outside-out:COUNT   -           -           eth0
DONE                outside
# Do accounting by IP address
account-ip          -           -           -
total-ip-in:COUNT   account-ip  eth0        -
total-ip-out:COUNT  account-ip  -           eth0
DONE                total-ip
INCLUDE accounting.ip
/etc/shorewall/accounting.ip :
acc1-in:COUNT       account-ip  eth0        x.y.z.1
acc1-out:COUNT      account-ip  x.y.z.1     eth0
DONE                acc1
acc2-in:COUNT       account-ip  eth0        x.y.z.2
acc2-out:COUNT      account-ip  x.y.z.2     eth0
DONE                acc2
acc3-in:COUNT       account-ip  eth0        x.y.z.3
acc3-out:COUNT      account-ip  x.y.z.3     eth0
DONE                acc3
...
acc253-in:COUNT     account-ip  eth0        x.y.z.253
acc253-out:COUNT    account-ip  x.y.z.253   eth0
DONE                acc253
acc254-in:COUNT     account-ip  eth0        x.y.z.254
acc254-out:COUNT    account-ip  x.y.z.254   eth0
DONE                acc254
Yes, that really is a file with 254 sets of entries in it !
Then there is a crontab entry :
* * * * * /var/rrd/stats
/var/rrd/stats contains :
#!/bin/bash
# Script to extract values from shorewall output
cd /var/rrd
/usr/bin/rrdtool update ip-stats.rrd N:`/sbin/iptables -L account-ip -vxn | \
/usr/bin/awk 'BEGIN { getline ; getline }
{ print $2 }' | \
/usr/bin/tr '\n' ':' | /bin/sed -e 's/:$//'`
I'm sure there's a much better way of doing it, but it works ! It takes the
second field from each line (having discarded the first two header lines),
converts line endings to ':'s, and then strips off the trailing ':' that
results.
BTW, the output from iptables -L account-ip -vxn looks like :
logger:/var/rrd# /sbin/iptables -L account-ip -vxn
Chain account-ip (1 references)
      pkts        bytes target        prot opt in  out  source      destination
1082168765 221563701720 total-ip-in   all  --  *   *    0.0.0.0/0   0.0.0.0/0   PHYSDEV match --physdev-in eth0
1101056819 598433343443 total-ip-out  all  --  *   *    0.0.0.0/0   0.0.0.0/0   PHYSDEV match --physdev-out eth0
     52575      9336162 acc1-in       all  --  *   *    0.0.0.0/0   x.y.z.1     PHYSDEV match --physdev-in eth0
     34967      1524337 acc1-out      all  --  *   *    x.y.z.1     0.0.0.0/0   PHYSDEV match --physdev-out eth0
   1231808    142239729 acc2-in       all  --  *   *    0.0.0.0/0   x.y.z.2     PHYSDEV match --physdev-in eth0
   1260011    370000059 acc2-out      all  --  *   *    x.y.z.2     0.0.0.0/0   PHYSDEV match --physdev-out eth0
     42816      8915778 acc3-in       all  --  *   *    0.0.0.0/0   x.y.z.3     PHYSDEV match --physdev-in eth0
     12909       769000 acc3-out      all  --  *   *    x.y.z.3     0.0.0.0/0   PHYSDEV match --physdev-out eth0
...
         0            0 acc253-in     all  --  *   *    0.0.0.0/0   x.y.z.253   PHYSDEV match --physdev-in eth0
         0            0 acc253-out    all  --  *   *    x.y.z.253   0.0.0.0/0   PHYSDEV match --physdev-out eth0
         0            0 acc254-in     all  --  *   *    0.0.0.0/0   x.y.z.254   PHYSDEV match --physdev-in eth0
         0            0 acc254-out    all  --  *   *    x.y.z.254   0.0.0.0/0   PHYSDEV match --physdev-out eth0
And the rrd was made with a script containing :
rrdtool create ip-stats.rrd -s 300 \
DS:total-in:DERIVE:600:0:U \
DS:total-out:DERIVE:600:0:U \
\
DS:ip1-in:DERIVE:600:0:U \
DS:ip1-out:DERIVE:600:0:U \
DS:ip2-in:DERIVE:600:0:U \
DS:ip2-out:DERIVE:600:0:U \
DS:ip3-in:DERIVE:600:0:U \
DS:ip3-out:DERIVE:600:0:U \
...
DS:ip253-in:DERIVE:600:0:U \
DS:ip253-out:DERIVE:600:0:U \
DS:ip254-in:DERIVE:600:0:U \
DS:ip254-out:DERIVE:600:0:U \
\
RRA:AVERAGE:0.5:1:576 \
RRA:MAX:0.5:1:576 \
RRA:AVERAGE:0.5:6:672 \
RRA:MAX:0.5:6:672 \
RRA:AVERAGE:0.5:24:732 \
RRA:MAX:0.5:24:732 \
RRA:AVERAGE:0.5:144:1460 \
RRA:MAX:0.5:144:1460
# CFs for :
#    1 x 576    48hr x 5m
#    6 x 672    14d  x 1/2hr
#   24 x 732    61d  x 2hr
#  144 x 1460   730d x 12hr
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
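A more defensive way to turn the `iptables -L account-ip -vxn` output into the `rrdtool update` argument, as an added example rather than the poster's /var/rrd/stats script. The poster's pipeline takes field 2 of every line in chain order, so it only stays correct while the rule order in account-ip exactly matches the DS order in ip-stats.rrd; a rule that is missing, reordered or printed with a K/M suffix (if -x is left off) would shift every following client's bytes into the wrong data source. The version below looks each counter up by its target name and refuses to emit a record unless every expected target has a plain integer byte count. The sample iptables output is constructed from the figures above, the DS_TARGETS list is a hypothetical two-client stand-in for the 2 + 2*254 real data sources, and counters_to_update is a name chosen here.

```shell
#!/bin/bash
# Added example, not the original poster's /var/rrd/stats script.
# Builds the "N:bytes:bytes:..." argument for `rrdtool update` from the output
# of `iptables -L account-ip -vxn`, looking each byte counter up by the rule's
# target name (acc1-in, acc1-out, ...) instead of taking field 2 of every line
# in order. A target that is missing, reordered or printed with a K/M/G suffix
# (because -x was forgotten) aborts the update instead of silently crediting
# one client's traffic to another client's data source.

# Constructed sample of `iptables -L account-ip -vxn` output for two clients,
# embedded so the example runs offline without root or iptables.
SAMPLE_IPTABLES_OUTPUT='Chain account-ip (1 references)
    pkts      bytes target     prot opt in     out     source               destination
1082168765 221563701720 total-ip-in  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in eth0
1101056819 598433343443 total-ip-out all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out eth0
   52575    9336162 acc1-in    all  --  *      *       0.0.0.0/0            x.y.z.1              PHYSDEV match --physdev-in eth0
   34967    1524337 acc1-out   all  --  *      *       x.y.z.1              0.0.0.0/0            PHYSDEV match --physdev-out eth0
 1231808  142239729 acc2-in    all  --  *      *       0.0.0.0/0            x.y.z.2              PHYSDEV match --physdev-in eth0
 1260011  370000059 acc2-out   all  --  *      *       x.y.z.2              0.0.0.0/0            PHYSDEV match --physdev-out eth0'

# Rule targets in the order the data sources were declared with `rrdtool create`
# (hypothetical short list; the real file has 2 + 2*254 of them).
DS_TARGETS='total-ip-in total-ip-out acc1-in acc1-out acc2-in acc2-out'

# counters_to_update TARGETS
#   Reads `iptables -vxn` chain output on stdin and prints "N:b1:b2:..." with
#   one exact byte count per target, in TARGETS order. Exits non-zero if any
#   target has no plain-integer byte counter.
counters_to_update() {
    awk -v targets="$1" '
        # Only rule lines carry an integer in field 2; the "Chain ..." and
        # column-header lines do not, and neither do counters printed as
        # "12K" or "3M" when -x is omitted, so those are simply never recorded.
        $2 ~ /^[0-9]+$/ { bytes[$3] = $2 }
        END {
            n = split(targets, t, " ")
            out = "N"
            for (i = 1; i <= n; i++) {
                if (!(t[i] in bytes)) {
                    printf "no exact byte counter for target %s\n", t[i] > "/dev/stderr"
                    exit 1
                }
                out = out ":" bytes[t[i]]
            }
            print out
        }'
}

# Stand-alone run against the embedded sample. On the firewall itself the
# pipeline would be
#   /sbin/iptables -L account-ip -vxn | counters_to_update "$DS_TARGETS"
# with its output handed to `rrdtool update ip-stats.rrd`.
printf '%s\n' "$SAMPLE_IPTABLES_OUTPUT" | counters_to_update "$DS_TARGETS"
```

Two caveats worth keeping in mind with either script. The -x flag is load-bearing: without it iptables abbreviates large counters (K, M, G), and a 221563701720-byte counter would be parsed as something else entirely. And every `shorewall restart` rebuilds the chains, so all counters drop back to zero; the DERIVE:600:0:U data sources above cope with that because a DERIVE source with a minimum of 0 stores the one negative delta straddling the reload as unknown rather than as a huge bogus rate, which is the right choice for counters that are expected to reset.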