Hi Simon,

That really is excellent information, I will start work on it next week to try and implement it successfully.

Many thanks.

Michael.

----- Original Message ----
From: Simon Hobson <[EMAIL PROTECTED]>
To: Shorewall Users <[email protected]>
Sent: Saturday, 20 January, 2007 2:38:31 AM
Subject: Re: [Shorewall-users] Packet counting/auditing per IP

Sent this earlier but it didn't like the size of the attached graphs.

Michael Mansour wrote:

>I handle various subnets and IP's for various clients, and they all go through
>the shorewall firewall system.
>
>Some clients have subnets, some have only single IP's.
>
>I'd like to start counting the bandwidth they are using, whether that be for
>subnets or IP's on their dedicated servers.
>
>Can shorewall do this? if so, how? will I need to upgrade the shorewall
>version?

OK, some excerpts from one of my systems at work. This is a bridge and eth0 is the outside interface. For obvious reasons I've cut out large chunks of repetitive stuff. BTW, most of these files were done by writing a short shell script - I didn't type them out by hand ;-)

The attached graphs show what the boss gets out of it (there is a legend which isn't shown) - above the line is traffic in, below the line is traffic out. I assume this is the sort of thing you are looking to get out of it. I'll leave you to do the graphing, the scripts I have are done in bash and are, shall we say, 'not very pretty' !

Be aware that graphing all 254 addresses takes a lot of memory - in fact I had the process crash when it exceeded 2G (1G real plus 1G swap) before I adjusted the graphs to align with the datapoints (ie no scaling on the time axis).

It takes about 1 1/2 minutes to reload the firewall on a 1G Celeron.

This is with Shorewall ver 3.0.7 on a Debian box. Some day I'll get round to upgrading, but you know what they say, if it ain't broke ...

/etc/shorewall/accounting :

#ACTION              CHAIN        SOURCE   DESTINATION   PROTO   DEST      SOURCE    USER/
#                                                                PORT(S)   PORT(S)   GROUP
# Outside global stats
outside-in:COUNT     -            eth0     -
outside-out:COUNT    -            -        eth0
DONE                 outside

# Do accounting by IP address
account-ip           -            -        -
total-ip-in:COUNT    account-ip   eth0     -
total-ip-out:COUNT   account-ip   -        eth0
DONE                 total-ip

INCLUDE accounting.ip

/etc/shorewall/accounting.ip :

acc1-in:COUNT        account-ip   eth0     x.y.z.1
acc1-out:COUNT       account-ip   x.y.z.1  eth0
DONE                 acc1
acc2-in:COUNT        account-ip   eth0     x.y.z.2
acc2-out:COUNT       account-ip   x.y.z.2  eth0
DONE                 acc2
acc3-in:COUNT        account-ip   eth0     x.y.z.3
acc3-out:COUNT       account-ip   x.y.z.3  eth0
DONE                 acc3
...
acc253-in:COUNT      account-ip   eth0       x.y.z.253
acc253-out:COUNT     account-ip   x.y.z.253  eth0
DONE                 acc253
acc254-in:COUNT      account-ip   eth0       x.y.z.254
acc254-out:COUNT     account-ip   x.y.z.254  eth0
DONE                 acc254

Yes, that really is a file with 254 sets of entries in it !

Then there is a crontab entry :

* * * * * /var/rrd/stats

/var/rrd/stats contains :

#!/bin/bash
# Script to extract values from shorewall output
cd /var/rrd
# Byte counters (field 2) of every rule in account-ip, joined with ':'
/usr/bin/rrdtool update ip-stats.rrd N:`/sbin/iptables -L account-ip -vxn | \
  /usr/bin/awk 'BEGIN { getline ; getline } { print $2 }' | \
  /usr/bin/tr '\n' ':' | /bin/sed -e 's/:$//'`

I'm sure there's a much better way of doing it, but it works ! It takes the second field from each line (having discarded the first two header lines), converts line endings to ':'s, and then strips off the trailing ':' that results.

BTW, the output from iptables -L account-ip -vxn looks like :

logger:/var/rrd# /sbin/iptables -L account-ip -vxn
Chain account-ip (1 references)
      pkts        bytes target        prot opt in  out  source       destination
1082168765 221563701720 total-ip-in   all  --  *   *    0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-in eth0
1101056819 598433343443 total-ip-out  all  --  *   *    0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-out eth0
     52575      9336162 acc1-in       all  --  *   *    0.0.0.0/0    x.y.z.1      PHYSDEV match --physdev-in eth0
     34967      1524337 acc1-out      all  --  *   *    x.y.z.1      0.0.0.0/0    PHYSDEV match --physdev-out eth0
   1231808    142239729 acc2-in       all  --  *   *    0.0.0.0/0    x.y.z.2      PHYSDEV match --physdev-in eth0
   1260011    370000059 acc2-out      all  --  *   *    x.y.z.2      0.0.0.0/0    PHYSDEV match --physdev-out eth0
     42816      8915778 acc3-in       all  --  *   *    0.0.0.0/0    x.y.z.3      PHYSDEV match --physdev-in eth0
     12909       769000 acc3-out      all  --  *   *    x.y.z.3      0.0.0.0/0    PHYSDEV match --physdev-out eth0
...
         0            0 acc253-in     all  --  *   *    0.0.0.0/0    x.y.z.253    PHYSDEV match --physdev-in eth0
         0            0 acc253-out    all  --  *   *    x.y.z.253    0.0.0.0/0    PHYSDEV match --physdev-out eth0
         0            0 acc254-in     all  --  *   *    0.0.0.0/0    x.y.z.254    PHYSDEV match --physdev-in eth0
         0            0 acc254-out    all  --  *   *    x.y.z.254    0.0.0.0/0    PHYSDEV match --physdev-out eth0

And the rrd was made with a script containing :

rrdtool create ip-stats.rrd -s 300 \
  DS:total-in:DERIVE:600:0:U \
  DS:total-out:DERIVE:600:0:U \
  \
  DS:ip1-in:DERIVE:600:0:U \
  DS:ip1-out:DERIVE:600:0:U \
  DS:ip2-in:DERIVE:600:0:U \
  DS:ip2-out:DERIVE:600:0:U \
  DS:ip3-in:DERIVE:600:0:U \
  DS:ip3-out:DERIVE:600:0:U \
...
  DS:ip253-in:DERIVE:600:0:U \
  DS:ip253-out:DERIVE:600:0:U \
  DS:ip254-in:DERIVE:600:0:U \
  DS:ip254-out:DERIVE:600:0:U \
  \
  RRA:AVERAGE:0.5:1:576 \
  RRA:MAX:0.5:1:576 \
  RRA:AVERAGE:0.5:6:672 \
  RRA:MAX:0.5:6:672 \
  RRA:AVERAGE:0.5:24:732 \
  RRA:MAX:0.5:24:732 \
  RRA:AVERAGE:0.5:144:1460 \
  RRA:MAX:0.5:144:1460

# CFs for :
#   1 x  576    48hr x 5m
#   6 x  672    14d  x 1/2hr
#  24 x  732    61d  x 2hr
# 144 x 1460   730d  x 12hr

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
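
An added example, not taken from either poster's scripts: shell functions that generate the accounting.ip rules and the matching DS lines from the same loop, and that build the rrdtool update argument from the iptables listing while refusing to emit it if the number of counters is not the number expected. The function names are hypothetical, x.y.z is the thread's own placeholder prefix, and the sample listing is constructed from the output quoted above.

```shell
#!/bin/sh
# Added example, not part of the original thread. Function names are
# hypothetical; "x.y.z" is the thread's placeholder prefix.

# Emit the accounting.ip rules for host numbers FIRST..LAST.
gen_accounting_ip() {  # usage: gen_accounting_ip PREFIX FIRST LAST
    i=$2
    while [ "$i" -le "$3" ]; do
        printf 'acc%d-in:COUNT\taccount-ip\teth0\t%s.%d\n' "$i" "$1" "$i"
        printf 'acc%d-out:COUNT\taccount-ip\t%s.%d\teth0\n' "$i" "$1" "$i"
        printf 'DONE\tacc%d\n' "$i"
        i=$((i + 1))
    done
}

# Emit the matching DS lines in the same order, because rrdtool update
# assigns the colon-separated values to data sources by position.
gen_rrd_ds() {  # usage: gen_rrd_ds FIRST LAST
    i=$1
    while [ "$i" -le "$2" ]; do
        printf 'DS:ip%d-in:DERIVE:600:0:U\nDS:ip%d-out:DERIVE:600:0:U\n' "$i" "$i"
        i=$((i + 1))
    done
}

# Read `iptables -L account-ip -vxn` output on stdin and print N:v1:v2:...
# Skips the two header lines, takes the byte counter (field 2), and fails
# unless exactly EXPECTED numeric counters were read.
counters_to_update() {  # usage: counters_to_update EXPECTED
    awk -v want="$1" '
        NR <= 2 || NF == 0 { next }
        $2 !~ /^[0-9]+$/   { bad = 1; exit }
        { out = out ":" $2; n++ }
        END { if (bad || n != want) exit 1; print "N" out }'
}

sample_listing() {  # constructed sample in the format shown in the post
    cat <<'EOF'
Chain account-ip (1 references)
    pkts      bytes target     prot opt in     out     source               destination
1082168765 221563701720 total-ip-in  all  --  *  *  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-in eth0
1101056819 598433343443 total-ip-out all  --  *  *  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out eth0
     52575    9336162 acc1-in      all  --  *  *  0.0.0.0/0  x.y.z.1    PHYSDEV match --physdev-in eth0
     34967    1524337 acc1-out     all  --  *  *  x.y.z.1    0.0.0.0/0  PHYSDEV match --physdev-out eth0
EOF
}

sample_listing | counters_to_update 4   # demo run on the constructed sample
```

For the full setup in the post the expected count would be 2 totals plus 2 per address, so a rule added to account-ip without a matching DS makes the update fail visibly instead of shifting every later value by one column.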
