[linux] MRTG

Michal Zila zila at drsr.sk
Wed Oct 1 07:27:12 CEST 2003


Hello,

I have the following problem:

I have a router with two network cards, eth0 and eth1. I am trying to
measure traffic on them using MRTG. It works like this: the cfg script
calls another script, which measures the traffic on the given network
cards using iptables. I am trying to measure the total traffic that flows
from eth0 to eth1 and back (forward). That works. However, I am not able
to measure traffic by individual MAC addresses (measuring the data
transfer of individual users).

Here are the scripts:

uzivatel1.cfg
WorkDir: /var/www/html/mrtg_u/uzivatel1/
Options[_]: nopercent
XSize[_]: 480
PageTop[$]:
  <TABLE>
    <TR><TD>System:</TD><TD>Router AP server2</TD></TR>
  </TABLE>


Target[uzivatel1]: `/etc/mrtg/zber_dat/zber_uzivatel1`
MaxBytes[uzivatel1]: 100000000
Title[uzivatel1]: Analyza trafficu pre uzivatela1
PageTop[uzivatel1]: <H1>Analyza hrubeho trafficu pre uzivatela1 na AP</H1>

The zber_uzivatel1 script:

#!/bin/csh
# <snip ipchainacc version 1.1.0 >
# Note: changed to use /bin/sh instead of /usr/bin/perl

set ipchains='/usr/local/sbin/iptables';   # path to ipchains

set inrule='uzivatel1_in';  # name of input accounting rule
set outrule='uzivatel1_out'; # name of output accounting rule

set INPACKETS = `/sbin/iptables -L $inrule -v -x -n | grep -v -i Chain | grep -v -i pkts | awk '{print $1}'`;
set INBYTES = `/sbin/iptables -L $inrule -v -x -n | grep -v -i Chain | grep -v -i pkts  | awk '{print $2}'`;
set OUTPACKETS = `/sbin/iptables -L $outrule -v -x -n | grep -v -i Chain | grep -v -i pkts | awk '{ print $1}'`;
set OUTBYTES = `/sbin/iptables -L $outrule -v -x -n | grep -v -i Chain | grep -v -i pkts | awk '{print $2}'`;

echo $SUMIN;
echo $SUMOUT;
echo `(uptime | cut -b 14-30 | awk -F "," '{ print $1 }')`;
echo "ROUTER";

And finally, the definition and rules of the chains in the firewall
according to which the measuring should be done.

# whole AP
$IPTABLES -t filter -N acc_in
$IPTABLES -t filter -A acc_in -j RETURN
$IPTABLES -t filter -N acc_out
$IPTABLES -t filter -A acc_out -j RETURN
$IPTABLES -A FORWARD -i eth0 -o eth1 -p tcp -j acc_out
$IPTABLES -A FORWARD -i eth0 -o eth1 -p udp -j acc_out
$IPTABLES -A FORWARD -i eth1 -o eth0 -p tcp -j acc_in
$IPTABLES -A FORWARD -i eth1 -o eth0 -p udp -j acc_in

# user 1 (uzivatel1)
$IPTABLES -t filter -N uzivatel1_in
$IPTABLES -t filter -A uzivatel1_in -j RETURN
$IPTABLES -t filter -N uzivatel1_out
$IPTABLES -t filter -A uzivatel1_out -j RETURN
$IPTABLES -A FORWARD -i eth0 -m mac --mac-source 00-E0-4C-10-21-3B -p tcp -j uzivatel1_out
$IPTABLES -A FORWARD -i eth0 -m mac --mac-source 00-E0-4C-10-21-3B -p udp -j uzivatel1_out
$IPTABLES -A FORWARD -o eth0 -m mac --mac-source 00-E0-4C-10-21-3B -p tcp -j uzivatel1_in
$IPTABLES -A FORWARD -o eth0 -m mac --mac-source 00-E0-4C-10-21-3B -p udp -j uzivatel1_in

The problem is that the traffic for the "whole AP" is measured accurately.
For "uzivatel1" it measures nonsense.
I also tried changing the rule to match by IP address, but without success.

$IPTABLES -A FORWARD -i eth0 -o eth1 -s 192.168.111.22 -p tcp -j uzivatel1_out
$IPTABLES -A FORWARD -i eth0 -o eth1 -s 192.168.111.22 -p udp -j uzivatel1_out
$IPTABLES -A FORWARD -i eth1 -o eth0 -d 192.168.111.22 -p tcp -j uzivatel1_in
$IPTABLES -A FORWARD -i eth1 -o eth0 -d 192.168.111.22 -p udp -j uzivatel1_in

Do you have any comments, ideas...? Thanks in advance.

Regards, Michal Zila
mailto:zila at drsr.sk
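
A collector in POSIX sh that sums the byte counters of a per-user chain listing and prints the four lines MRTG reads from an external Target script, as an added example that is not part of the original post. The function names and the sample listings are constructed for illustration; the chain names are the ones used in the post.

```shell
#!/bin/sh
# Added example: turn `iptables -L <chain> -v -x -n` listings into the four
# output lines MRTG reads from an external Target script.
# Function names and the sample listings are constructed for illustration.

# Sum one counter column (1 = pkts, 2 = bytes) over every rule row on stdin.
# The "Chain ..." line and the "pkts bytes ..." header are skipped because
# their first two fields are not plain integers. Exit status 1 = no rows.
sum_column() {
    awk -v col="$1" '
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ { total += $col; rows++ }
        END {
            if (rows == 0) exit 1          # chain empty or listing failed
            printf "%.0f\n", total         # %.0f avoids 32-bit %d clipping
        }'
}

# $1 = listing of the "in" chain, $2 = listing of the "out" chain,
# $3 = uptime text, $4 = target name. Prints nothing if a listing is unusable,
# so a broken chain never reaches MRTG as a bogus counter value.
mrtg_report() {
    in_bytes=$(printf '%s\n' "$1" | sum_column 2) || return 1
    out_bytes=$(printf '%s\n' "$2" | sum_column 2) || return 1
    printf '%s\n%s\n%s\n%s\n' "$in_bytes" "$out_bytes" "$3" "$4"
}

# Constructed sample listings (not captured from a real router).
SAMPLE_IN='Chain uzivatel1_in (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    1520  1843200 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

SAMPLE_OUT='Chain uzivatel1_out (2 references)
    pkts      bytes target     prot opt in     out     source               destination
     900    64000 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
     100     6000 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Live use on the router would pass real listings instead of the samples:
#   mrtg_report "$(iptables -L uzivatel1_in -v -x -n)" \
#               "$(iptables -L uzivatel1_out -v -x -n)" "$(uptime)" "ROUTER"
mrtg_report "$SAMPLE_IN" "$SAMPLE_OUT" "up 3 days" "ROUTER"
```

When checking the per-user rules, note that the iptables mac match tests only the source MAC of frames arriving on an Ethernet interface and expects the address in the colon-separated form XX:XX:XX:XX:XX:XX. Traffic going back to a user therefore cannot be counted with --mac-source of that user's card.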