Shorewall users - Jan 2007 - Packet counting/auditing per IP

Hi,

I''m using shorewall 2.4.9 running on Scientific Linux 4.4 (RHEL 4
Update 4).

I handle various subents and IP''s for various clients, and they all go
through the shorewall firewall system.

Some clients have subnets, some have only single IP''s.

I''d like to start counting the bandwidth they are using, whether that
be for subnets or IP''s on their dedicated servers.

Can shorewall do this? if so, how? will I need to upgrade the shorewall version?

If not, what is the best way to do this considering the hosting environment is
all Linux based (apart from the HP procurve switches which are used).

Many thanks for any advice and help.

Michael.




Send instant messages to your online friends http://au.messenger.yahoo.com 

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

Michael Mansour wrote:
> Hi,
> 
> I''m using shorewall 2.4.9 running on Scientific Linux 4.4 (RHEL 4
Update 4).
> 
> I''d like to start counting the bandwidth they are using, whether
that be for
> subnets or IP''s on their dedicated servers.
> 
> Can shorewall do this? if so, how? will I need to upgrade the shorewall
version?
You might take a look at Shorewall''s Accounting facility
(http://www.shorewall.net/Accounting.html.

It would be a good idea to upgrade, given that 2.4 is no longer supported.
Be sure to read the release notes carefully before upgrading as there are
some issues when going from 2.x to 3.x.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

Michael Mansour wrote:
>I handle various subents and IP''s for various clients, and they all
>go through the shorewall firewall system.
>
>Some clients have subnets, some have only single IP''s.
>
>I''d like to start counting the bandwidth they are using, whether 
>that be for subnets or IP''s on their dedicated servers.
>
>Can shorewall do this? if so, how? will I need to upgrade the 
>shorewall version?
Yes it can, I have two such setups at work doing just this - one was 
installed purely to do this. Add a bit of scripting and rrdtool and 
you can have some very useful graphs.

IIRC there is a page on the Shorewall site covering accounting, 
however, it isn''t that clear (or it wasn''t when I first set
this up)
about configuring accounting for lots of IPs.

I''m busy tomorrow at work, but I''ll try and post a bit more
about our
setup later.


-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

Hi Michael,

Michael Mansour wrote:
> Hi,
> 
> I''m using shorewall 2.4.9 running on Scientific Linux 4.4 (RHEL 4
Update 4).
> 
> I handle various subents and IP''s for various clients, and they
all go through the shorewall firewall system.
> 
> Some clients have subnets, some have only single IP''s.
> 
> I''d like to start counting the bandwidth they are using, whether
that be for subnets or IP''s on their dedicated servers.
> 
> Can shorewall do this? if so, how? will I need to upgrade the shorewall
version?
Shorewall can do some things in that area, just read about it here:
http://www.shorewall.net/Accounting.html
> If not, what is the best way to do this considering the hosting environment
is all Linux based (apart from the HP procurve switches which are used).
I''m personally very fond of SNMP in combination with Cacti. If
that''s
too much, it would probably be easy to hack up something using only 
ifconfig/rrdtool or snmp/rrdtool.

http://www.cacti.net/

-- 
  - Pieter

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

Tom Eastep wrote:
> Michael Mansour wrote:
>   
>> Hi,
>>
>> I''m using shorewall 2.4.9 running on Scientific Linux 4.4
(RHEL 4 Update 4).
>>
>> I''d like to start counting the bandwidth they are using,
whether that be for
>> subnets or IP''s on their dedicated servers.
>>
>> Can shorewall do this? if so, how? will I need to upgrade the shorewall
version?
>>     
>
> You might take a look at Shorewall''s Accounting facility
> (http://www.shorewall.net/Accounting.html.
>
> It would be a good idea to upgrade, given that 2.4 is no longer supported.
> Be sure to read the release notes carefully before upgrading as there are
> some issues when going from 2.x to 3.x.
>
> -Tom
>   
> ------------------------------------------------------------------------
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net''s Techsay panel and you''ll get the
chance to share your
> opinions on IT & business topics through brief surveys - and earn cash
>
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> ------------------------------------------------------------------------
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>   
According to the document if I want to do accounting by IP and I have 
/24 network I need to have 253(4) rules.

Is that statement correct?

Thanks

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

Hristo Benev wrote:
>>   
> According to the document if I want to do accounting by IP and I have 
> /24 network I need to have 253(4) rules.
Yes -- in which case, you probably want to use another accounting method
besides Shorewall.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

Sent this earlier but it didn''t like the size of the attached graphs.


Michael Mansour wrote:
>I handle various subents and IP''s for various clients, and they all
go through the shorewall firewall system.
>
>Some clients have subnets, some have only single IP''s.
>
>I''d like to start counting the bandwidth they are using, whether
that be for subnets or IP''s on their dedicated servers.
>
>Can shorewall do this? if so, how? will I need to upgrade the shorewall
version?
OK, some excerpts from one of my systems at work. This is a bridge and eth0 is
the outside interface. For obvious reasons I''ve cut out large chunks of
repetitive stuff. BTW, most of these file were done by writing a short shell
script - I didn''t type them out by hand ;-)

The attached graphs show what the boss gets out of it (there is a legend which
isn''t shown) - above the line is traffic in, below the line is traffic
out. I assume this is the sort of thing you are looking to get out of it.

I''ll leave you to do the graphing, the scripts I have are done in bash
and are, shall we say, ''not very pretty'' ! Be aware that
graphing all 254 addresses takes a lot of memory - in fact I had the process
crash when it exceeded 2G (1G real plus 1G swap) before I adjusted the graphs to
align with the datapoints (ie no scaling on the time axis).

It takes about 1 1/2 minutes to reload the firewall on a 1G Celeron. This is
with Shorewall ver 3.0.7 on a Debian box. Some day I''ll get round to
upgrading, but you know what they say, if it ain''t broke ...



/etc/shorewall/accounting :

#ACTION CHAIN   SOURCE          DESTINATION     PROTO   DEST            SOURCE 
USER/
#                                                       PORT(S)         PORT(S)
GROUP
# Outside global stats
outside-in:COUNT        -       eth0    -
outside-out:COUNT       -       -       eth0
DONE    outside

# Do acocunting by IP address
account-ip      -       -       -
total-ip-in:COUNT       account-ip      eth0    -
total-ip-out:COUNT      account-ip      -       eth0
DONE total-ip
 

INCLUDE accounting.ip




/etc/shorewall/accounting.ip :

acc1-in:COUNT   account-ip      eth0    x.y.z.1
acc1-out:COUNT  account-ip       x.y.z.1     eth0
DONE    acc1  

acc2-in:COUNT   account-ip      eth0     x.y.z.2
acc2-out:COUNT  account-ip       x.y.z.2     eth0
DONE    acc2

acc3-in:COUNT   account-ip      eth0     x.y.z.3
acc3-out:COUNT  account-ip       x.y.z.3     eth0
DONE    acc3

...

acc253-in:COUNT account-ip      eth0     x.y.z.253
acc253-out:COUNT        account-ip       x.y.z.253   eth0
DONE    acc253

acc254-in:COUNT account-ip      eth0     x.y.z.254
acc254-out:COUNT        account-ip       x.y.z.254   eth0
DONE    acc254


Yes, that really is a file with 254 sets of entries in it !



Then there is a crontab entry :

* * * * * /var/rrd/stats



/var/rrd/stats contains :

#/bin/bash
# Script to extract values from shorewall output

cd /var/rrd

/usr/bin/rrdtool update ip-stats.rrd N:`/sbin/iptables -L account-ip -vxn | \
  /usr/bin/awk ''BEGIN   { getline ; getline }
        { print $2 }'' | \
  /usr/bin/tr ''
'' '':'' | /bin/sed -e ''s/:$//''`

I''m sure there''s a much better way of doing it, but it works !
It takes the second field from each line (having discarded the first two header
lines), converts line endings to '':''s, and then strips off the
trailing '':'' that results.


BTW, the output from iptables -L account-ip -vxn looks like :

logger:/var/rrd# /sbin/iptables -L account-ip -vxn
Chain account-ip (1 references)
    pkts      bytes target     prot opt in     out     source              
destination
1082168765 221563701720 total-ip-in  all  --  *      *       0.0.0.0/0          
0.0.0.0/0           PHYSDEV match --physdev-in eth0
1101056819 598433343443 total-ip-out  all  --  *      *       0.0.0.0/0         
0.0.0.0/0           PHYSDEV match --physdev-out eth0
   52575  9336162 acc1-in    all  --  *      *       0.0.0.0/0            
x.y.z.1         PHYSDEV match --physdev-in eth0
   34967  1524337 acc1-out   all  --  *      *        x.y.z.1          0.0.0.0/0
PHYSDEV match --physdev-out eth0
 1231808 142239729 acc2-in    all  --  *      *       0.0.0.0/0            
x.y.z.2         PHYSDEV match --physdev-in eth0
 1260011 370000059 acc2-out   all  --  *      *        x.y.z.2         
0.0.0.0/0           PHYSDEV match --physdev-out eth0
   42816  8915778 acc3-in    all  --  *      *       0.0.0.0/0            
x.y.z.3         PHYSDEV match --physdev-in eth0
   12909   769000 acc3-out   all  --  *      *        x.y.z.3          0.0.0.0/0
PHYSDEV match --physdev-out eth0
...
       0        0 acc253-in  all  --  *      *       0.0.0.0/0            
x.y.z.253       PHYSDEV match --physdev-in eth0
       0        0 acc253-out  all  --  *      *        x.y.z.253       
0.0.0.0/0           PHYSDEV match --physdev-out eth0
       0        0 acc254-in  all  --  *      *       0.0.0.0/0            
x.y.z.254       PHYSDEV match --physdev-in eth0
       0        0 acc254-out  all  --  *      *        x.y.z.254       
0.0.0.0/0           PHYSDEV match --physdev-out eth0



And the rrd was made with a script containing :

rrdtool create ip-stats.rrd -s 300 \
  DS:total-in:DERIVE:600:0:U \
  DS:total-out:DERIVE:600:0:U \
  \
  DS:ip1-in:DERIVE:600:0:U \
  DS:ip1-out:DERIVE:600:0:U \
  DS:ip2-in:DERIVE:600:0:U \
  DS:ip2-out:DERIVE:600:0:U \
  DS:ip3-in:DERIVE:600:0:U \
  DS:ip3-out:DERIVE:600:0:U \
...
  DS:ip253-in:DERIVE:600:0:U \
  DS:ip253-out:DERIVE:600:0:U \
  DS:ip254-in:DERIVE:600:0:U \
  DS:ip254-out:DERIVE:600:0:U \
  \
  RRA:AVERAGE:0.5:1:576 \
  RRA:MAX:0.5:1:576 \
  RRA:AVERAGE:0.5:6:672 \
  RRA:MAX:0.5:6:672 \
  RRA:AVERAGE:0.5:24:732 \
  RRA:MAX:0.5:24:732 \
  RRA:AVERAGE:0.5:144:1460 \
  RRA:MAX:0.5:144:1460
 
# CFs for :
#   1 x 576    48hrx 5m
#   6 x 672    14d x 1/2hr  
#  24 x 732    61d x 2hr
# 144 x 1460  730d x 12hr

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

Tom Eastep wrote:
> Hristo Benev wrote:
>
>   
>>>   
>>>       
>> According to the document if I want to do accounting by IP and I have 
>> /24 network I need to have 253(4) rules.
>>     
>
> Yes -- in which case, you probably want to use another accounting method
> besides Shorewall.
>
> -Tom
>   
> ------------------------------------------------------------------------
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net''s Techsay panel and you''ll get the
chance to share your
> opinions on IT & business topics through brief surveys - and earn cash
>
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> ------------------------------------------------------------------------
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>   
Could you, please, give me a hint?

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

Hristo Benev wrote:
> Tom Eastep wrote:
>> Hristo Benev wrote:   
>>> According to the document if I want to do accounting by IP and I
have
>>> /24 network I need to have 253(4) rules.
>>>     
>> Yes -- in which case, you probably want to use another accounting
method
>> besides Shorewall.
>>   
> Could you, please, give me a hint?
Others on the list have already done that.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

Hi Simon,

That really is excellent information, I will start work on it next week to try
and implement it successfully.

Many thanks.

Michael.

----- Original Message ----
From: Simon Hobson <linux@thehobsons.co.uk>
To: Shorewall Users <shorewall-users@lists.sourceforge.net>
Sent: Saturday, 20 January, 2007 2:38:31 AM
Subject: Re: [Shorewall-users] Packet counting/auditing per IP

Sent this earlier but it didn''t like the size of the attached graphs.


Michael Mansour wrote:
>I handle various subents and IP''s for various clients, and they all
go through the shorewall firewall system.
>
>Some clients have subnets, some have only single IP''s.
>
>I''d like to start counting the bandwidth they are using, whether
that be for subnets or IP''s on their dedicated servers.
>
>Can shorewall do this? if so, how? will I need to upgrade the shorewall
version?
OK, some excerpts from one of my systems at work. This is a bridge and eth0 is
the outside interface. For obvious reasons I''ve cut out large chunks of
repetitive stuff. BTW, most of these file were done by writing a short shell
script - I didn''t type them out by hand ;-)

The attached graphs show what the boss gets out of it (there is a legend which
isn''t shown) - above the line is traffic in, below the line is traffic
out. I assume this is the sort of thing you are looking to get out of it.

I''ll leave you to do the graphing, the scripts I have are done in bash
and are, shall we say, ''not very pretty'' ! Be aware that
graphing all 254 addresses takes a lot of memory - in fact I had the process
crash when it exceeded 2G (1G real plus 1G swap) before I adjusted the graphs to
align with the datapoints (ie no scaling on the time axis).

It takes about 1 1/2 minutes to reload the firewall on a 1G Celeron. This is
with Shorewall ver 3.0.7 on a Debian box. Some day I''ll get round to
upgrading, but you know what they say, if it ain''t broke ...



/etc/shorewall/accounting :

#ACTION CHAIN   SOURCE          DESTINATION     PROTO   DEST            SOURCE 
USER/
#                                                       PORT(S)         PORT(S)
GROUP
# Outside global stats
outside-in:COUNT        -       eth0    -
outside-out:COUNT       -       -       eth0
DONE    outside

# Do acocunting by IP address
account-ip      -       -       -
total-ip-in:COUNT       account-ip      eth0    -
total-ip-out:COUNT      account-ip      -       eth0
DONE total-ip
 

INCLUDE accounting.ip




/etc/shorewall/accounting.ip :

acc1-in:COUNT   account-ip      eth0    x.y.z.1
acc1-out:COUNT  account-ip       x.y.z.1     eth0
DONE    acc1  

acc2-in:COUNT   account-ip      eth0     x.y.z.2
acc2-out:COUNT  account-ip       x.y.z.2     eth0
DONE    acc2

acc3-in:COUNT   account-ip      eth0     x.y.z.3
acc3-out:COUNT  account-ip       x.y.z.3     eth0
DONE    acc3

...

acc253-in:COUNT account-ip      eth0     x.y.z.253
acc253-out:COUNT        account-ip       x.y.z.253   eth0
DONE    acc253

acc254-in:COUNT account-ip      eth0     x.y.z.254
acc254-out:COUNT        account-ip       x.y.z.254   eth0
DONE    acc254


Yes, that really is a file with 254 sets of entries in it !



Then there is a crontab entry :

* * * * * /var/rrd/stats



/var/rrd/stats contains :

#/bin/bash
# Script to extract values from shorewall output

cd /var/rrd

/usr/bin/rrdtool update ip-stats.rrd N:`/sbin/iptables -L account-ip -vxn | \
  /usr/bin/awk ''BEGIN   { getline ; getline }
        { print $2 }'' | \
  /usr/bin/tr ''
'' '':'' | /bin/sed -e ''s/:$//''`

I''m sure there''s a much better way of doing it, but it works !
It takes the second field from each line (having discarded the first two header
lines), converts line endings to '':''s, and then strips off the
trailing '':'' that results.


BTW, the output from iptables -L account-ip -vxn looks like :

logger:/var/rrd# /sbin/iptables -L account-ip -vxn
Chain account-ip (1 references)
    pkts      bytes target     prot opt in     out     source              
destination
1082168765 221563701720 total-ip-in  all  --  *      *       0.0.0.0/0          
0.0.0.0/0           PHYSDEV match --physdev-in eth0
1101056819 598433343443 total-ip-out  all  --  *      *       0.0.0.0/0         
0.0.0.0/0           PHYSDEV match --physdev-out eth0
   52575  9336162 acc1-in    all  --  *      *       0.0.0.0/0            
x.y.z.1         PHYSDEV match --physdev-in eth0
   34967  1524337 acc1-out   all  --  *      *        x.y.z.1          0.0.0.0/0
PHYSDEV match --physdev-out eth0
 1231808 142239729 acc2-in    all  --  *      *       0.0.0.0/0            
x.y.z.2         PHYSDEV match --physdev-in eth0
 1260011 370000059 acc2-out   all  --  *      *        x.y.z.2         
0.0.0.0/0           PHYSDEV match --physdev-out eth0
   42816  8915778 acc3-in    all  --  *      *       0.0.0.0/0            
x.y.z.3         PHYSDEV match --physdev-in eth0
   12909   769000 acc3-out   all  --  *      *        x.y.z.3          0.0.0.0/0
PHYSDEV match --physdev-out eth0
...
       0        0 acc253-in  all  --  *      *       0.0.0.0/0            
x.y.z.253       PHYSDEV match --physdev-in eth0
       0        0 acc253-out  all  --  *      *        x.y.z.253       
0.0.0.0/0           PHYSDEV match --physdev-out eth0
       0        0 acc254-in  all  --  *      *       0.0.0.0/0            
x.y.z.254       PHYSDEV match --physdev-in eth0
       0        0 acc254-out  all  --  *      *        x.y.z.254       
0.0.0.0/0           PHYSDEV match --physdev-out eth0



And the rrd was made with a script containing :

rrdtool create ip-stats.rrd -s 300 \
  DS:total-in:DERIVE:600:0:U \
  DS:total-out:DERIVE:600:0:U \
  \
  DS:ip1-in:DERIVE:600:0:U \
  DS:ip1-out:DERIVE:600:0:U \
  DS:ip2-in:DERIVE:600:0:U \
  DS:ip2-out:DERIVE:600:0:U \
  DS:ip3-in:DERIVE:600:0:U \
  DS:ip3-out:DERIVE:600:0:U \
...
  DS:ip253-in:DERIVE:600:0:U \
  DS:ip253-out:DERIVE:600:0:U \
  DS:ip254-in:DERIVE:600:0:U \
  DS:ip254-out:DERIVE:600:0:U \
  \
  RRA:AVERAGE:0.5:1:576 \
  RRA:MAX:0.5:1:576 \
  RRA:AVERAGE:0.5:6:672 \
  RRA:MAX:0.5:6:672 \
  RRA:AVERAGE:0.5:24:732 \
  RRA:MAX:0.5:24:732 \
  RRA:AVERAGE:0.5:144:1460 \
  RRA:MAX:0.5:144:1460
 
# CFs for :
#   1 x 576    48hrx 5m
#   6 x 672    14d x 1/2hr  
#  24 x 732    61d x 2hr
# 144 x 1460  730d x 12hr

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users




Send instant messages to your online friends http://au.messenger.yahoo.com 

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

Hi Pieter,

I actually implemented Simon''s scripts and they seem to have worked
fine. Although I couldn''t figure out how to get the rrd graphs out so I
download and installed cacti.

It''s quite an impressive piece of software, all installed and working
but I''m struggling to understand how to get cumulative bandwidth usage
graphs out of it.

I use Simon''s method for creating the ip-stats.rrd file and updating it
every minute from cron (I realise this can be done by cacti but I''m
still too new to it to figure out how), and I get cacti to read the file and
generate graphs from it (although they can''t seem to show bandwidth
usage graphs).

Basically what I am after is the ability to pull out the bandwidth usage per IP
so I know which servers are consuming the most bandwidth resources.

shorewall easily does this through it''s accounting features, but I
really need to correlate that data to show hourly, daily, monthly and yearly
totals of bandwidth usage per IP.

If anyone can suggest something here I''d appreciate it.

Thankyou.

Michael.

----- Original Message ---- 
From: Pieter Ennes <shorewall@spam.ennes.net> 
To: Shorewall Users <shorewall-users@lists.sourceforge.net> 
Sent: Friday, 19 January, 2007 10:49:30 AM 
Subject: Re: [Shorewall-users] Packet counting/auditing per IP 


Hi Michael, 

Michael Mansour wrote: 
> Hi, 
> 
> I''m using shorewall 2.4.9 running on Scientific Linux 4.4 (RHEL 4
Update 4).
> 
> I handle various subents and IP''s for various clients, and they
all go through the shorewall firewall system.
> 
> Some clients have subnets, some have only single IP''s. 
> 
> I''d like to start counting the bandwidth they are using, whether
that be for subnets or IP''s on their dedicated servers.
> 
> Can shorewall do this? if so, how? will I need to upgrade the shorewall
version?
Shorewall can do some things in that area, just read about it here: 
http://www.shorewall.net/Accounting.html 
> If not, what is the best way to do this considering the hosting environment
is all Linux based (apart from the HP procurve switches which are used).
I''m personally very fond of SNMP in combination with Cacti. If
that''s
too much, it would probably be easy to hack up something using only 
ifconfig/rrdtool or snmp/rrdtool. 

http://www.cacti.net/ 

-- 
- Pieter 

------------------------------------------------------------------------- 
Take Surveys. Earn Cash. Influence the Future of IT 
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys - and earn cash 
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________ 
Shorewall-users mailing list 
Shorewall-users@lists.sourceforge.net 
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Send instant messages to your online friends http://au.messenger.yahoo.com 

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

Michael Mansour wrote:
>I actually implemented Simon''s scripts and they seem to have worked
>fine. Although I couldn''t figure out how to get the rrd graphs out 
>so I download and installed cacti.
>
>It''s quite an impressive piece of software, all installed and 
>working but I''m struggling to understand how to get cumulative 
>bandwidth usage graphs out of it.
>
>I use Simon''s method for creating the ip-stats.rrd file and
updating
>it every minute from cron (I realise this can be done by cacti but 
>I''m still too new to it to figure out how), and I get cacti to read
>the file and generate graphs from it (although they can''t seem to 
>show bandwidth usage graphs).
>
>Basically what I am after is the ability to pull out the bandwidth 
>usage per IP so I know which servers are consuming the most 
>bandwidth resources.
This seems to be the most common faq on the rrd mailing list !

RRD stores rates (<somethings> per second). It does not store 
accumulated totals or anything else, only rates. To get the 
cumulative total over a period, take the rate and multiply by time - 
and make sure you use the average consolidation function in the rrd.

Eg, if you graph showed an average of 1kbyte/s over 24 hours, that 
would work out to 86400 kB total (1kBps time 86400 seconds/24hr).

The RRD tool pages are at http://oss.oetiker.ch/rrdtool/

I''ll see if I can find time to extract some of the less embarassing 
bits of my script for generating graphs and post them :-)

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

Michael Mansour wrote:
>Although I couldn''t figure out how to get the rrd graphs out so I 
>download and installed cacti.
OK, here are some hints that may help. This is off-topic for this 
list, but if you are still stuck after reading the rrd doc pages etc, 
then there is an rrd mailing list.


The scripts I wrote are ''a bit crude'', though I suppose
writing CGI
in bash is never going to be too elegant. Many people use Perl, but I 
haven''t learned that !

Much of the script is concerned with making the rest of the html page 
(menus and stuff), but the key bit is building an rrdtool script. 
This is a procedure* that puts the relevant code into a temp file, 
and then calls rrdtool to generate the actual output. The way I''m 
doing it is the script will generate a graphic file (if required) and 
simply output the html to load that image (ie <IMG SRC=... ALT=...>).

* I also have a simpler procedure that just plots one ip address. 
Also, the time span is passed as a parameter.


Another technique used is to have the image reference itself be a CGI 
which dynamically creates the image file (ie <IMG 
SRC=dograph.cgi?param=x?param=y...>.

Once I have built the script file, I then call rrdtool to create the image :

/usr/bin/rrdcgi --filter ${TempFile}


Sample script (note, if you look at those long CDEFs in the middle 
you''ll see that this script didn''t do every IP, just the ones
we have
things attached to) :

       <p>
         <RRD::GRAPH /var/www/graphs/gr1det-off-7d.png
         --title="All active devices - Last Week" -v
"bytes/second"
         --end 1167822000 --start end-300h
         --lazy
         --width 600 --height 300
         --imginfo ''<IMG SRC="../graphs/%s" width=%lu
height=%lu
ALT="Graph data for of All active devices over Last
Week">''

         DEF:1-in=/var/rrd/ip-stats.rrd:ip1-in:AVERAGE
         DEF:1-out=/var/rrd/ip-stats.rrd:ip1-out:AVERAGE
         CDEF:i1-out=1-out,-1,*
         VDEF:v1-in=1-in,AVERAGE
         VDEF:v1-inmax=1-in,MAXIMUM
         VDEF:v1-out=1-out,AVERAGE
         VDEF:v1-outmax=1-out,MAXIMUM

         DEF:2-in=/var/rrd/ip-stats.rrd:ip2-in:AVERAGE
         DEF:2-out=/var/rrd/ip-stats.rrd:ip2-out:AVERAGE
         CDEF:i2-out=2-out,-1,*
         VDEF:v2-in=2-in,AVERAGE
         VDEF:v2-inmax=2-in,MAXIMUM
         VDEF:v2-out=2-out,AVERAGE
         VDEF:v2-outmax=2-out,MAXIMUM

         DEF:3-in=/var/rrd/ip-stats.rrd:ip3-in:AVERAGE
         DEF:3-out=/var/rrd/ip-stats.rrd:ip3-out:AVERAGE
         CDEF:i3-out=3-out,-1,*
         VDEF:v3-in=3-in,AVERAGE
         VDEF:v3-inmax=3-in,MAXIMUM
         VDEF:v3-out=3-out,AVERAGE
         VDEF:v3-outmax=3-out,MAXIMUM

....


 
CDEF:datainavg=1-in,2-in,+,3-in,+,4-in,+,6-in,+,9-in,+,12-in,+,13-in,+,14-in,+,15-in,+,17-in,+,18-in,+,19-in,+,21-in,+,22-in,+,24-in,+,25-in,+,26-in,+,27-in,+,28-in,+,29-in,+,30-in,+,40-in,+,41-in,+,42-in,+,43-in,+,44-in,+,50-in,+,51-in,+,60-in,+,68-in,+,69-in,+,71-in,+,84-in,+,85-in,+,86-in,+,87-in,+,88-in,+,93-in,+,98-in,+,99-in,+,105-in,+,108-in,+,109-in,+,110-in,+,112-in,+,115-in,+,121-in,+,122-in,+,123-in,+,126-in,+,134-in,+,158-in,+,160-in,+,161-in,+,162-in,+,165-in,+,166-in,+,201-in,+,202-in,+,239-in,+,240-in,+,254-in,+
         VDEF:vdatainavg=datainavg,AVERAGE
 
CDEF:dataoutavg=1-out,2-out,+,3-out,+,4-out,+,6-out,+,9-out,+,12-out,+,13-out,+,14-out,+,15-out,+,17-out,+,18-out,+,19-out,+,21-out,+,22-out,+,24-out,+,25-out,+,26-out,+,27-out,+,28-out,+,29-out,+,30-out,+,40-out,+,41-out,+,42-out,+,43-out,+,44-out,+,50-out,+,51-out,+,60-out,+,68-out,+,69-out,+,71-out,+,84-out,+,85-out,+,86-out,+,87-out,+,88-out,+,93-out,+,98-out,+,99-out,+,105-out,+,108-out,+,109-out,+,110-out,+,112-out,+,115-out,+,121-out,+,122-out,+,123-out,+,126-out,+,134-out,+,158-out,+,160-out,+,161-out,+,162-out,+,165-out,+,166-out,+,201-out,+,202-out,+,239-out,+,240-out,+,254-out,+
         VDEF:vdataoutavg=dataoutavg,AVERAGE


         COMMENT:"  IP Address        In avg       In max 
Out avg      Out max\n"

         AREA:1-in#FF7F7F:"x.y.z.1  "
         GPRINT:v1-in:"%6.2lf %sBps"
         GPRINT:v1-inmax:"%6.2lf %sBps"
         COMMENT:" "
         GPRINT:v1-out:"%6.2lf %sBps"
         GPRINT:v1-outmax:"%6.2lf %sBps"
         COMMENT:" host1.mydomain\n"

         AREA:2-in#7FFF7F:"x.y.z.2  ":STACK
         GPRINT:v2-in:"%6.2lf %sBps"
         GPRINT:v2-inmax:"%6.2lf %sBps"
         COMMENT:" "
         GPRINT:v2-out:"%6.2lf %sBps"
         GPRINT:v2-outmax:"%6.2lf %sBps"
         COMMENT:" host2.mydomain\n"

         AREA:3-in#7F7FFF:"x.y.z.3  ":STACK
         GPRINT:v3-in:"%6.2lf %sBps"
         GPRINT:v3-inmax:"%6.2lf %sBps"
         COMMENT:" "
         GPRINT:v3-out:"%6.2lf %sBps"
         GPRINT:v3-outmax:"%6.2lf %sBps"
         COMMENT:" fw.furness.net\n"

....

         AREA:254-in#FF3F3F:"x.y.z.254":STACK
         GPRINT:v254-in:"%6.2lf %sBps"
         GPRINT:v254-inmax:"%6.2lf %sBps"
         COMMENT:" "
         GPRINT:v254-out:"%6.2lf %sBps"
         GPRINT:v254-outmax:"%6.2lf %sBps"
         COMMENT:" gate.mydomain\n"

         AREA:i1-out#FF7F7F:
         AREA:i2-out#7FFF7F::STACK
         AREA:i3-out#7F7FFF::STACK
....
         AREA:i254-out#FF3F3F::STACK

         COMMENT:"\n"
         COMMENT:"In  avg"
         GPRINT:vdatainavg:"%6.2lf %sBps\n"

         COMMENT:"Out avg"
         GPRINT:vdataoutavg:"%6.2lf %sBps"

         COMMENT:"  Data to 11\:00 Wed 03 Jan 2007\n"
         >
       </p>




-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV