#!/bin/bash
#from stdin get output from iptables-save -c, update rrd files
-awk '
+#mawk is faster, do not use gawk
+mawk '
BEGIN{
I[2]=32-1
I[4]=32-2
I[256]=32-8
}
{
-if($2!="-A")next
-if($3 !~ "^FWcntIN" && $3 !~ "^FWcntOUT")next
-split(substr($1,2,length($1)-2),Nx,":")
+#only rules for FWcnt (FWcntIN and FWcntOUT)
+if("FWcnt" != substr($3,1,5))next
+#ignore master chain
+if($3 == "FWcnt")next
+
+#get counter data
+Na=index($1,":")
+Nx1=substr($1,2,Na-2)
+Nx2=substr($1,Na+1,length($1)-Na-1)
-#printf("%s %s",Nx[1],Nx[2])
if(NF==7){
- mask=""
if(2==split($(NF-2),N,"/")){
split(N[2],M,".")
- mask=sprintf("/%d",I[256-M[4]])
- }
+ mask="/"I[256-M[4]]
+ }else
+ mask=""
split(N[1],IP,".")
C[IP[1]"."IP[2]"."IP[3]]=1
if($(NF-3)=="-d") {
- IPbi[N[1]""mask]=Nx[2]
- IPpi[N[1]""mask]=Nx[1]
+ IPbi[N[1]""mask]=Nx2
+ IPpi[N[1]""mask]=Nx1
}else{
- IPbo[N[1]""mask]=Nx[2]
- IPpo[N[1]""mask]=Nx[1]
+ IPbo[N[1]""mask]=Nx2
+ IPpo[N[1]""mask]=Nx1
}
+ next
}
if(NF==5){
split($NF,N,"/")
split(N[1],IP,".")
C[IP[1]"."IP[2]"."IP[3]]=1
if($(NF-1)=="-d"){
- IPbi[N[1]"/"mask]=Nx[2]
- IPpi[N[1]"/"mask]=Nx[1]
+ IPbi[N[1]"/"mask]=Nx2
+ IPpi[N[1]"/"mask]=Nx1
}else{
- IPbo[N[1]"/"mask]=Nx[2]
- IPpo[N[1]"/"mask]=Nx[1]
+ IPbo[N[1]"/"mask]=Nx2
+ IPpo[N[1]"/"mask]=Nx1
}
-
+ next
}
}END{
CCMD="test -f /var/lib/FWcnt/FW_rrd_database/upgrade_needed"
}' /var/lib/FWcnt/etc/config
#update ipfm like log
-/usr/lib/FWcnt/ipfm_FWcnt
+grep -q NOIPFM /var/lib/FWcnt/etc/config || /usr/lib/FWcnt/ipfm_FWcnt
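Review bot: In the NF==5 branch `mask` is never assigned, so the `IPbi[N[1]"/"mask]` / `IPpi[...]` / `IPbo[...]` / `IPpo[...]` keys carry whatever the previous NF==7 record left in it; the new `}else mask=""` only runs inside the NF==7 branch, so the reset belongs before the branch (e.g. `mask=""` right after the `if($3 == "FWcnt")next` guard), or the NF==5 branch should derive its own mask from `N[2]`. A second fragility: `split(N[2],M,".")` only yields M[4] for a dotted netmask, and if iptables-save emits the CIDR form (`/30`) M[4] is empty so `I[256-M[4]]` resolves to I[256] (24) for every prefix — a guard or a comment such as `#assumes dotted netmask from iptables-save` would make the assumption explicit. The END block that consumes these arrays begins at `}END{` but its body lies outside the hunk. Separately, `grep -q NOIPFM` matches the word anywhere in the config, including inside a comment; `grep -qx NOIPFM` would honour only a line that is exactly the directive.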
2. run /usr/lib/FWcnt/install_FWcnt
-3. insert FWcnt chain in FORWARD chain (and if needed INPUT and OUTPUT
- chains)
- iptables -I FORWARD -j FWcnt
+3. check http://YOUR_WEB/cgi-bin/mrtg-rrd.wrapper.cgi
-4. check http://YOUR_WEB/cgi-bin/mrtg-rrd.wrapper.cgi
+Configuration file directives
+-----------------------------
-"fast" config manual (config file directives):
-----------------------------------------------
+Counter directives:
-One line per interface for "counting" interface statistics like this:
+cntLINK
+-------
+Definition for network interface counter, example for counting eth0 and eth3:
cntLINK eth0
+cntLINK eth3
-one line per "C-class" net for counting all IP in this IP range:
+
+cntNET
+------
+Definition for counting 256 IP (one C range) example:
cntNET 192.168.0.0
(last number not needed .. etc cntNET 192.168.0 works fine)
-one line per sub "C-class" range for personalized view:
+inetLINK
+--------
+Defines interface to internet. All "cntNET" counters counts only trafic
+from/to internet.
+
+Graph view directive:
+
+mrtgNET
+-------
+
+Default view of first "mrtg" page consist of LINK (interfcaes) graphs and
+next summary of 256 IP (C range) "NET" graphs. Below "NET" graph exists
+page with 16 graphs for summary of 16 IPs. Next, below graph for summary of
+16 IP subpage exists with 16 graphs - one per IP. This is default view.
+mrtgNET dorective change numbers of graphs in first subpage. Example:
-mrtgNET 192.168.42.128 25
+mrtgNET 192.168.42.0 25
+mrtgNET 192.168.42.128 26
+mrtgNET 192.168.42.192 26
+
+Below graph for 192.168.42.0/24 one graph for 192.168.42.0/25 exists and two
+graphs for 192.168.42.128/26 and 192.168.42.192/26. Below graph 192.168.42.0/25
+is page with 128 graphs, one per IP exists. Next, below 192.168.42.128/26
+64 graphs subpage exists, for all IPs inside this range.
-create one page with 128 IPs from 192.168.42.128 to 192.168.42.255
-default is 16 sub "C-class"
NOIPFM
+------
if present in config file, no ipfm like log is generated
+
+
INTERNALS
---------
+fwcnt (0.6.1) unstable; urgency=low
+
+ * ipfm log generated by rrdgraph
+
+ -- Peter Popovec <popovec@fei.tuke.sk> Thu, 13 Dec 2007 10:07:37 +0100
+
fwcnt (0.6) unstable; urgency=low
* one rrd file per C range
Package: fwcnt
Architecture: all
Pre-Depends: mrtg-rrd, patch
-Depends: gawk, iptables, cron, rrdtool
+Depends: gawk, mawk, iptables, cron, rrdtool
Description: Firewall counter
Detailed measuring system for wide range of IPs based on firewall
rules (counters) and mrtg with rrd backend database.
if(C>128 || C<8)C=16
N[4]=and(N[4],xor(255,(C-1)))
NL[N[1]"."N[2]"."N[3]"."N[4]]=C
-# print("Net "N[1]"."N[2]"."N[3]"."N[4]" "C)
}
if($1 ~ "^cntLINK"){
match($2,"(.*)([[:digit:]]+)$",a)
j=16
if(netC"."i in NL) j=NL[netC"."i]
jx=32-int(log(j)*1.5)
-# print "j="j" jx="jx
IP=netC"."i"/"jx
TARGET=IP
NAME=IP
}' MAINT=$MAINT
#create and flush initial firewall chains, create initial "goto"
-iptables-restore -n <<EOP
-*filter
-:FWcnt - [0:0]
-:FWcntIN - [0:0]
-:FWcntOUT - [0:0]
--A FWcnt -j FWcntOUT
--A FWcnt -j FWcntIN
-COMMIT
-EOP
+awk '{
+if($1=="inetLINK")
+ dev=$2
+}
+END{
+print "*filter"
+print ":FWcnt - [0:0]"
+print ":FWcntIN - [0:0]"
+print ":FWcntOUT - [0:0]"
+if(length(dev)>0){
+ print "-A FWcnt -j FWcntOUT -o "dev
+ print "-A FWcnt -j FWcntIN -i "dev
+}else{
+ print "-A FWcnt -j FWcntOUT"
+ print "-A FWcnt -j FWcntIN"
+}
+print "COMMIT"
+}' < /var/lib/FWcnt/etc/config | iptables-restore -n
+
#install all C ranges
/usr/lib/FWcnt/init_FWcnt
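Review bot: The exit status of `iptables-restore -n` is dropped at the end of the new pipeline (`}' < /var/lib/FWcnt/etc/config | iptables-restore -n`), so a rejected batch — for instance when `inetLINK` names a device iptables does not accept — still lets the script fall through to `/usr/lib/FWcnt/init_FWcnt` with the FWcnt chains missing; `| iptables-restore -n || exit 1` would stop there. Whether the script enables `set -e` is not visible in the hunk, and it would not help here anyway since only the last pipeline stage decides the status. The awk program also takes `dev=$2` verbatim and a later `inetLINK` line silently replaces an earlier one, which deserves a short comment such as `# last inetLINK line wins; value is passed to iptables as-is`.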
#!/bin/bash
-awk 'BEGIN{
-printf ("# fwcnt 0.6 %s (local time) -- dump every 0d00:05:00 -- generated from iptables counters\n",
- strftime("%Y/%m/%d %H:%M:00"));
-
-printf ("# %-33s%15s%15s%15s\n", "Host", "In (bytes)", "Out (bytes)", "Total (bytes)");
-}' >/var/log/fwcnt/fwcnt-global.tmp
while read tag value; do
if [ $tag == "cntNET" ]; then
-rrdtool fetch /var/lib/FWcnt/FW_rrd_database/${value}.rrd AVERAGE --start `date +%s -d '0:0'`|
-awk -v net=$value '{
-if(NR<3)next
-i=NF-256*4+1
-j=0
-while(i<=NF){
- bi[j]+=300*strtonum($i)
- bo[j]+=300*strtonum($(i+1))
- i+=4
- j++
-}
-}
-END{
-j=0;
-while(j<256){
- if(bi[j]+bo[j]>0){
- printf ("%-35s%15d%15d%15d\n",net"."j,bi[j],bo[j],bi[j]+bo[j])
- }
- j++
-}
-}'
+
+rrdtool graph $value.png --start 0:0 --end now $(for i in `seq 0 255`;do
+echo -n "DEF:bo$i=/var/lib/FWcnt/FW_rrd_database/${value}.rrd:IPbo$i:AVERAGE "
+echo -n "DEF:bi$i=/var/lib/FWcnt/FW_rrd_database/${value}.rrd:IPbi$i:AVERAGE "
+echo -n "VDEF:i$i=bi$i,TOTAL "
+echo -n "VDEF:o$i=bo$i,TOTAL "
+echo -n "PRINT:i$i:\:${value}.$i\:%lf\: "
+echo -n "PRINT:o$i:%lf; "
+done
+echo "")
+
fi
-done </var/lib/FWcnt/etc/config >>/var/log/fwcnt/fwcnt-global.tmp
+
+done </var/lib/FWcnt/etc/config |gawk -v RS=';' -v FS=':' 'BEGIN{
+printf ("# fwcnt 0.6 %s (local time) -- dump every 0d00:05:00 -- generated from iptables counters\n", strftime("%Y/%m/%d %H:%M:00"));
+printf ("# %-33s%15s%15s%15s\n", "Host", "In (bytes)", "Out (bytes)", "Total (bytes)");
+}{
+if($1 != "0x0" && length($2)>0 && ($4+$3) > 0)
+ printf "%-35s%15d%15d%15d\n",$2,strtonum($3),strtonum($4),$4+$3
+}' >/var/log/fwcnt/fwcnt-global.tmp
mv /var/log/fwcnt/fwcnt-global.tmp /var/log/fwcnt/ipfm-global-`date +%Y-%m-%d`.log
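Review bot: `rrdtool graph $value.png` writes a PNG named after each cntNET value into the current working directory of whoever runs the script, although the command is invoked only for its PRINT lines and the image is never read; `rrdtool graph /dev/null ...` gives the same PRINT output without leaving files behind. The rrdtool exit status is also lost in the pipeline into gawk, so a missing `${value}.rrd` produces a silently shorter log rather than an error — a `|| printf 'rrdtool graph failed for %s\n' "$value" >&2` after the command would surface it. The header line still prints `# fwcnt 0.6` while the changelog in the same patch introduces 0.6.1, so the literal should be bumped or made a variable. Stylistically, `$(for i in \`seq 0 255\`;do ...)` and the unquoted `$value` in the argument list rely on the config being well-formed; `for i in {0..255}` and `"$value"` would read cleaner.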