Peter Mann
2003-Aug-20 03:29 UTC
[Shorewall-users] BW-ACCT + Shorewall with NAT (per-workstation IP accounting)
Heyaaa!!!

i found Small HOWTO: Setting up an IP accounting system with Shorewall
http://lists.shorewall.net/pipermail/shorewall-users/2002-July/001923.html
and
bw-acct FAQ: Does bwacct work with ip forwarding/nat?
http://www.bwacct.org/#1

i'm using NAT with shorewall 1.4.6-20030813 - everything works fine
except IP accounting for bw-acct

how to combine these two howtos?

can i use http://shorewall.net/Accounting.html for
per-workstation stats with bw-acct?

--
5o Peter.Mann at tuke.sk KLFMANiK ICQ 12491471 PM2185-RIPE
Tom Eastep
2003-Aug-20 07:21 UTC
[Shorewall-users] BW-ACCT + Shorewall with NAT (per-workstation IP accounting)
On Wed, 2003-08-20 at 03:29, Peter Mann wrote:
>
> can i use http://shorewall.net/Accounting.html for
> per-workstation stats with bw-acct?

Given that Shorewall Accounting has been available for about a week and a half, you are probably the world's expert on Shorewall Accounting with bw-acct (you've tried it).

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Peter Mann
2003-Aug-21 02:18 UTC
[Shorewall-users] Small HOWTO: BW-ACCT + Shorewall with NAT (per-workstation IP accounting)
On Wed, Aug 20, 2003 at 12:29:36PM +0200, Peter Mann wrote:
> i found Small HOWTO: Setting up an IP accounting system with Shorewall
> http://lists.shorewall.net/pipermail/shorewall-users/2002-July/001923.html
> and
> bw-acct FAQ: Does bwacct work with ip forwarding/nat?
> http://www.bwacct.org/#1
>
> i'm using NAT with shorewall 1.4.6-20030813 - everything works fine
> except IP accounting for bw-acct
>
> how to combine these two howtos?
>
> can i use http://shorewall.net/Accounting.html for
> per-workstation stats with bw-acct?

On Wed, Aug 20, 2003 at 09:58:57AM -0700, Tom Eastep wrote:
> The current CVS version (/Shorewall project) contains a redesigned IP
> accounting facility. The new facility is:
>
> a) Much simpler. :-)
> b) More flexible. :-)
> c) Compatible with bw-acct. :-)
> c) Incompatible with the previous implementation :-(
>
> There's a new Accounting Page available at:
>
> http://shorewall.net/AccountingNew.html
>
> On top of Snapshot 20030813:
>
> a) Move the 'firewall' file from CVS to /usr/share/shoreall/firewall
> b) Move the 'accounting' file from CVS to /etc/shorewall/accounting
>
> Sorry for the inconvenience but I really think this implementation is a
> lot better.
>
> Please let me know what you think.

GREAT ;-))

bwacct needs "ip number" as accounting chain name:

    iptables -L 10.0.0.2 -nvx

but shorewall can't use "ip number" as name, because of

    10.0.0.2_exists=Yes: command not found

- this is a shell related thing:

bash:
    name   A word consisting only of alphanumeric characters and underscores, and beginning with an alphabetic character or an underscore. Also referred to as an identifier.

now we have to ways to solve this problem:

1. /usr/share/shorewall/firewall -> another _exists=Yes implementation or #!/bin/perl or something else
2. change bwacct "ip address" value to corresponding name ...

i'm using: a_10_0_0_2 as an "ip address" in bwacct and simultaneously as a chain name in Shorewall ...
we need to change ip attribute in table hosts: ip varchar(15) to varchar(17) or more (depend on "a_" string before ip address as a chain name) a_123.123.123.123 i changed and added some bwacct php functions (here is diff against 0.9.4): diff -u -r stats/globals.inc stats2/globals.inc --- stats/globals.inc 2003-08-21 10:52:44.000000000 +0200 +++ stats2/globals.inc 2003-08-21 10:48:19.000000000 +0200 @@ -101,5 +101,15 @@ $this["days"] = date("t", $date); $months[$i] = $this; } - + +function ShowRealIP($ip) +{ + return SubStr(StrTr($ip,"_","."),2); +} + +function ShowShorewallIP($ip) +{ + return "a_".StrTr($ip, ".", "_"); +} + ?> diff -u -r stats/lib/modifiers.inc stats2/lib/modifiers.inc --- stats/lib/modifiers.inc 2003-08-21 10:52:44.000000000 +0200 +++ stats2/lib/modifiers.inc 2003-08-21 10:50:34.000000000 +0200 @@ -52,7 +52,7 @@ add_host($addr) { $sql = "INSERT INTO hosts (ip, last_update) VALUES (" - .sqlWrap($addr).", NOW())"; + .sqlWrap(ShowShorewallIP($addr)).", NOW())"; db_query($sql, "add_host() : "); } diff -u -r stats/screens/display.php stats2/screens/display.php --- stats/screens/display.php 2003-08-21 10:52:44.000000000 +0200 +++ stats2/screens/display.php 2003-08-21 10:49:26.000000000 +0200 @@ -15,7 +15,7 @@ while ($host = fetch_array($query)) { echo "<option value=\"" - .$host["id"]."\">".$host["ip"]." (" + .$host["id"]."\">".ShowRealIP($host["ip"])." (" .$host["domain_name"].")\n"; } } diff -u -r stats/screens/host_selected.php stats2/screens/host_selected.php --- stats/screens/host_selected.php 2003-08-21 10:52:44.000000000 +0200 +++ stats2/screens/host_selected.php 2003-08-21 10:49:41.000000000 +0200 @@ -19,7 +19,7 @@ else { echo $host["domain_name"]; - echo " (".$host["ip"].")\n"; + echo " (".ShowRealIP($host["ip"]).")\n"; } ?></font></td> diff -u -r stats/screens/host_stats.php stats2/screens/host_stats.php --- stats/screens/host_stats.php 2003-08-21 10:52:44.000000000 +0200 +++ stats2/screens/host_stats.php 2003-08-21 10:49:52.000000000 +0200 
@@ -35,7 +35,7 @@ else if ($domains["ip"]) { page_font("3", FONT_COLOR); - echo "<b>".$domains["ip"]."</b></font>"; + echo "<b>".ShowRealIP($domains["ip"])."</b></font>"; } else if ($domains["ifdescr"])
--------------------

and /etc/shorewall/accounting:

    a_10_0_0_2 - eth0 eth1:10.0.0.2
    a_10_0_0_2 - eth1:10.0.0.2 eth0
    COUNT a_10_0_0_2 eth0 eth1:10.0.0.2
    COUNT a_10_0_0_2 eth1:10.0.0.2 eth0

i'm using latest CVS version and now i'm testing my changes, hope it works fine ;-))

any questions?

--
5o Peter.Mann at tuke.sk KLFMANiK ICQ 12491471 PM2185-RIPE
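Review bot: In the globals.inc hunk, ShowRealIP() drops the first two characters without checking that they are "a_", so a hosts.ip value stored before this change (a plain dotted address such as 10.0.0.2) comes back as ".0.0.2". Test for the prefix first and return the value unchanged when it is absent. ShowShorewallIP() has the mirror problem: given a value that already starts with "a_" it returns "a_a_10_0_0_2", so it should leave such input alone.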
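Review bot: In add_host() in lib/modifiers.inc the inserted value is now two characters longer than the address, and the patch carries no schema change. The accompanying message says hosts.ip is varchar(15), so a 17-character name built from a full-length address will not fit until the column is widened; that change should ship with the patch. Only this INSERT is converted, so any other query that matches on hosts.ip needs the same ShowShorewallIP() call.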
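Review bot: In the screens/display.php hunk, ShowRealIP($host["ip"]) and $host["domain_name"] are concatenated into the option element without HTML escaping; wrap both in htmlspecialchars() while this line is being touched. The echo lines changed in host_selected.php and host_stats.php write the same values into the page and need the same treatment.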
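The chain-name mapping and the accounting rows from the message above, as an added shell example that is not part of the original post: the address is checked to be a dotted quad before the a_ name is derived from it, because that name ends up on the left of a shell variable assignment. All function names are hypothetical and the sample addresses are constructed.

```shell
# Added example, not from the thread; all function names are hypothetical.
# Succeeds only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# True when $1 is a legal shell name, i.e. NAME_exists=Yes is an assignment.
is_shell_name() {
    case "$1" in
        ""|[!A-Za-z_]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
}

# 10.0.0.2 -> a_10_0_0_2
ip_to_chain() {
    is_ipv4 "$1" || return 1
    printf 'a_%s\n' "$1" | tr . _
}

# a_10_0_0_2 -> 10.0.0.2; names without the a_ prefix are rejected.
chain_to_ip() {
    case "$1" in a_*) ;; *) return 1 ;; esac
    ip=$(printf '%s\n' "${1#a_}" | tr _ .)
    is_ipv4 "$ip" && printf '%s\n' "$ip"
}

# Rows for one workstation: $1 address, $2 far interface, $3 its own interface.
accounting_rows() {
    chain=$(ip_to_chain "$1") || return 1
    printf '%s - %s %s:%s\n' "$chain" "$2" "$3" "$1"
    printf '%s - %s:%s %s\n' "$chain" "$3" "$1" "$2"
    printf 'COUNT %s %s %s:%s\n' "$chain" "$2" "$3" "$1"
    printf 'COUNT %s %s:%s %s\n' "$chain" "$3" "$1" "$2"
}

# Constructed sample input: two workstations and one entry that is not an address.
for addr in 10.0.0.2 10.0.0.3 ws-7.lan; do
    accounting_rows "$addr" eth0 eth1 || echo "skipped: $addr" >&2
done
```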
Peter Mann
2003-Aug-21 02:26 UTC
[Shorewall-users] Small HOWTO: BW-ACCT + Shorewall with NAT (per-workstation IP accounting)
On Thu, Aug 21, 2003 at 11:17:48AM +0200, Peter Mann wrote:
> now we have to ways to solve this problem:
              ^^ two

--
5o Peter.Mann at tuke.sk KLFMANiK ICQ 12491471 PM2185-RIPE
Peter Mann
2003-Aug-21 03:58 UTC
[Shorewall-users] Small HOWTO: BW-ACCT + Shorewall with NAT (per-workstation IP accounting)
story continues ;-)) --- stats/lib/graph.inc 2003-08-21 10:52:44.000000000 +0200 +++ stats2/lib/graph.inc 2003-08-21 12:56:37.000000000 +0200 @@ -277,7 +277,7 @@ $xsize = $num_data * $base; $titlefont = 3; - $title = get_ip(($HTTP_GET_VARS["id"]) ? $HTTP_GET_VARS["id"] : $HTTP_GET_VARS["group_id"]); + $title = get_ip($HTTP_GET_VARS["id"]) ? ShowRealIP(get_ip($HTTP_GET_VARS["id"])) : $HTTP_GET_VARS["group_id"]; $txtsz = ImageFontWidth($titlefont) * strlen($title); $xpos = (int)($hmargin + ($xsize - $txtsz)/2); -- 5o Peter.Mann at tuke.sk KLFMANiK ICQ 12491471 PM2185-RIPE
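Review bot: The rewritten $title line in lib/graph.inc no longer resolves group_id. The old code passed either id or group_id to get_ip(), while the new ternary falls back to the raw $HTTP_GET_VARS["group_id"] request value, which then becomes the graph title as-is. If that is not intended, keep get_ip() on the fallback branch, and store the get_ip() result in a variable instead of calling it twice.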
Peter Mann
2003-Aug-21 06:13 UTC
[Shorewall-users] Small HOWTO: BW-ACCT + Shorewall with NAT (per-workstation IP accounting)
corrected bad view of values between 1000 and 1024 (old script show only 3 digits): --- stats/lib/graph.inc 2003-08-21 10:52:44.000000000 +0200 +++ stats2/lib/graph.inc 2003-08-21 15:13:11.000000000 +0200 @@ -318,7 +318,8 @@ $end = "b"; } - $char = substr($ydat, 0,3); + $char = explode(".",$ydat); + $char = $char[0]; if ($char[strlen($char)-1] == ".") $char = substr($char, 0, 2); $ydat = $char." ".$end; -- 5o Peter.Mann at tuke.sk KLFMANiK ICQ 12491471 PM2185-RIPE
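Review bot: After the two added lines, $char = explode(".",$ydat); $char = $char[0];, the value can no longer contain a dot, so the unchanged check that follows, if ($char[strlen($char)-1] == "."), is dead code and can be removed. The change also drops the decimals of small values: the old substr($ydat, 0,3) kept "1.5", the new code shows "1". If that is unwanted, truncate only when the integer part has more than three digits.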