Cacti (home)ForumsRepositoryDocumentation
Cacti: offical forums and support  

 FAQFAQ   SearchSearch   MemberlistMemberlist    RegisterRegister   ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in    


IPTables script modifications.

 
Post new topic   Reply to topic    Cacti Forum Index -> Scripts and Templates
Author Message
venquessa



Joined: 15 Jun 2005
Posts: 8
PostPosted: Wed Jun 15, 2005 3:36 pm    Post subject: IPTables script modifications. Reply with quote
I tried to email the author and tried his website but everything seemed to be down or rejected.

So, I'll post here.

The following is a modified iptable.pl script that will retain "all" the counters in a chain. Each rules counters are returned as for example:

rule1:123 rule2:5678 rule3:9876

If the author is reading, thanks for your script and please feel free to use the mod, juset add me a credit.

Code:

#!/usr/bin/perl
##
## This is a quick perl script to
## pull bandwidth usage from iptables chains
##
## If you use/optimize this script, please let me know.
## Brian Stanback : brian [at] stanback [dot] net
#
## Example iptables rule for web bandwidth usage:
## > iptables -N WWW
## > iptables -A WWW -j ACCEPT
## > iptables -A INPUT -p tcp -m tcp --dport 80 -j WWW
## > iptables -A OUTPUT -p tcp -m tcp --sport 80 -j WWW
##
## Run "iptables.pl WWW" as root to test, note that you can
## combine more than one protocol into a single chain.
##
## Sudo Configuration (/etc/sudoers)
## > www-data    ALL = NOPASSWD: /usr/share/cacti/scripts/iptables.pl
##
## The Input String should be set to "sudo <path_cacti>/scripts/iptables.pl <chain>"
## and you will need to setup an input field so that the <chain> argument can be passed.
##
## The data input type should be set to COUNTER
##
#
#
# modified by: Paul Campbell <forums@campbell-multimedia.co.uk>
# Now returns a seperate entry for each rule.  Output for a
# 3 rule chain might now be:
# rule1:123 rule2:456 rule3:789

if ($ARGV[0]) {
        $chains = `/sbin/iptables --line-number -xnvL $ARGV[0]`;
        @chains = split(/\n/, $chains);
        shift(@chains);
        shift(@chains);
        foreach( @chains ) {
                /(\d+)\W+[0-9]+\W+([0-9]+)\W+/;
                print " rule$1:$2";
        }
        print "\n";
        #$chains[2] =~ /[\W+]?[0-9]+\W+([0-9]+)\W+/;
} else {
        print "Usage: $0 Chain\n";
}



Demo:
http://campbell-multimedia.co.uk/cacti/graph_view.php?action=tree&tree_id=1&leaf_id=28
User: guest
Pass: guest

Enjoy.
Back to top
rdilallo



Joined: 05 Jun 2005
Posts: 17
Location: St. Louis, MO
PostPosted: Wed Jun 15, 2005 4:31 pm    Post subject: Reply with quote
It looks great! I really appreciate seeing scripts like this. The whole point of graphing is to be able to tell a story. The more chapters you add, the better the story will be!!!

Keep up the good work!
Back to top
mindstormmaster



Joined: 12 Mar 2005
Posts: 6
PostPosted: Fri Jun 17, 2005 1:55 am    Post subject: Reply with quote
Can you post the template xml for the graphs/data sources? This looks really cool and is very helpful. I've been looking for something like this for a while.
Back to top
venquessa



Joined: 15 Jun 2005
Posts: 8
PostPosted: Sun Jun 19, 2005 5:57 am    Post subject: Reply with quote
I'd love to, but as I haven't figured out how to use the template system on Cacti, I don't have a template.

The process to create the graphs was...

Add iptables rules to mark traffic in the "mangle" FORWARD chain. Use a bit flag structure, so you can match on AND masks later for the counters.

In my case these same marks are used to filter traffic into HTB classes and queues for QoS, but need not be for the graphs.

Then put your COUNTERS chain into the default FORWARD chain to match on bit masks for each type of traffic, or each user. In my case,

Bits 1, 2 and 4 are the 3 user sets. Me, my bro and the web server.
Bits 8, 16, 32 are high mid low priority traffic respectively.
Bit 64 is "outbound" selector.

Therefore:

--match mark --mark 1/1

Matches all my traffic and only my traffic.

mark 1/65

Would match all my inbound traffic. if the result of MARK AND 65 is 1, then 1 is set and 64 is not.

You "could" just not bother with the marking stuff, especially if you aren't going to use it for traffic control, but just accounting and make do with generic rules in the COUNTERS chain.

Next step was to put the iptables.pl script into SNMP.conf and create a <cacti_path>/scripts/iptables-snmp.pl script to parse the multiple values from the one SNMP response and set that up for the Input Method in cacti. ( I couldn't figure out how to graph more than one value from one snmp query). The script simply dumped the filtered reply to "snmpwalk -c public -v 2c routerinner.domain.com OID"

Then define the data sources to graph each of the rules.

Finally define a graph or graphs to show the data sources as you want them.

I'll certainly help you more, and if anyone can explain the template system to me, then I'd maybe give that a go if I can find the time.

BFN
Back to top
micoots



Joined: 09 Apr 2007
Posts: 3
PostPosted: Tue Feb 12, 2008 3:15 am    Post subject: Reply with quote
Hi,

venquessa wrote:

Next step was to put the iptables.pl script into SNMP.conf and create a <cacti_path>/scripts/iptables-snmp.pl script to parse the multiple values from the one SNMP response and set that up for the Input Method in cacti. ( I couldn't figure out how to graph more than one value from one snmp query). The script simply dumped the filtered reply to "snmpwalk -c public -v 2c routerinner.domain.com OID"


Is there any chance you could make available your iptables-snmp.pl script please?

I currently graph all bandwidth usage usage one snmp query each time and am trying to the one query process working. I use your iptables.pl script fine and get all the rules listed I want, just I can't post-process this file as you say:

The script simply dumped the filtered reply to "snmpwalk -c public -v 2c routerinner.domain.com OID"

That doesn't make sense to me.

Thanks.

Michael.
Back to top
cacti-lavoro



Joined: 28 Nov 2007
Posts: 7
PostPosted: Tue Feb 19, 2008 11:27 am    Post subject: Reply with quote
Anybody had problems doing iptables restart?
In my graphs there are peaks!

Thanks
Back to top
flixy2k8



Joined: 07 Apr 2008
Posts: 5
PostPosted: Mon Apr 14, 2008 8:11 am    Post subject: Reply with quote
Would be really helpful if you please can describe your steps
Quote:

put the iptables.pl script into SNMP.conf and create a <cacti_path>/scripts/iptables-snmp.pl

and provide the scipts.
I'm about to create a logging für TC. I have seen you have a category for tc on your cacti link. How far are you with that.
Back to top
Display posts from previous:   
Post new topic   Reply to topic    Cacti Forum Index -> Scripts and Templates All times are GMT - 5 Hours
Page 1 of 1

 



Powered by phpBB © 2001, 2005 phpBB Group