Shorewall/IPtables Statistics

djr
Posts: 1
Joined: Wed Dec 07, 2005 10:10 am

Post by djr »

my first post, so here we go.

i've found a way to graph shorewall chain statistics, à la http://forums.cacti.net/viewtopic.php?t ... t=iptables this.

it's a wee bit of a security risk, and i basically just followed venquessa's instructions. the problem is that www-data (the user account normally used by cacti) is unable to parse iptables information, as it's not a root account.

so...

1. create a new data input method, call it "iptables collection method" or whatever. select "Script/Command" for the Input Type. the command you need to enter for the input string is "sudo <path_cacti>/scripts/iptables.pl <chain>". i'll follow up on the sudo bit in a moment. you can get the iptables.pl from the above link, and pop it into your scripts directory (correcting the above path in the input string as necessary). also, create an Input Field called "chain", you will use this later in the data source to select a particular chain for analysis. you'll also need an Output Field to hold the string outputted by iptables.pl.

2. you need to edit your /etc/sudoers file (i'm on ubuntu so that's where mine is) to reflect the following:

Code:

www-data    ALL = NOPASSWD: /usr/share/cacti/site/scripts/iptables.pl
this allows www-data to run the iptables.pl script with root privileges. you can test it with the following command:

Code:

sudo -u www-data sudo /usr/share/cacti/site/scripts/iptables.pl <chain> 
put in a valid chain. i use shorewall to configure my iptables so i've a wealth of choices available. e.g.

Code:

sudo -u www-data sudo /usr/share/cacti/site/scripts/iptables.pl INPUT
gives me

Code:

48279686
as output.

you then need to create the Data Template and Data Source to grab the actual data and have it ready for graphing. i'm sure the rest of it is pretty straightforward, as it's just the initial bit that caused me heartache.

i've attached a few screenshots. my cacti (0.8.6f on ubuntu 5.10) won't let me export template items without crashing, so these screenies will have to do. if you want to have a look at my iptables graphing output, have a clicky here:

http://magog.dyndns.org/cacti/graph.php ... rra_id=all
Attachments: data_input_method.jpg, data_source.jpg, data_template.jpg
nativemad
Posts: 4
Joined: Sun Mar 19, 2006 10:10 am

Post by nativemad »

Hi,

Has anybody done this with snmp? I get values with snmp, but can't figure out how to integrate them in cacti... :roll:
Hyperion
Posts: 16
Joined: Mon Aug 01, 2005 6:07 am

Post by Hyperion »

does anyone have a working template for this? im having a fair bit of trouble getting it to work :-?

J
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA
Contact:

Post by rony »

I have a very strong suggestion that you DO NOT sudo from the webserver user.

I would suggest you run as root a collector that drops the results off in a file that then is read by the input method script that is ran from the poller.

At minimum make sure that you can overrun the buffer in the perl script. So, make sure you are validating the input.
Tony Roman
Experience is what causes a person to make new mistakes instead of old ones.
There are only 3 ways to complete a project: Good, Fast or Cheap, pick two.
With age comes wisdom, what you choose to do with it determines whether or not you are wise.
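Rony's split design, as an added example that is not code from this thread or from venquessa's iptables.pl: a root cron job collects every chain's byte counters into a file, and the script the Cacti poller runs as www-data only reads that file, with no sudo, and refuses any chain name that is not a plain iptables identifier. The file path, the CHAIN:BYTES file format and the rule of summing the bytes column of each rule in a chain are assumptions of the example; the output line uses Cacti's space-separated name:value multi-output convention.

```bash
#!/bin/bash
# Added example, not venquessa's iptables.pl. A root cron job runs "collect"
# and writes one CHAIN:BYTES line per chain to STATS_FILE; the Cacti poller
# runs "read" as www-data with no sudo. Path and file format are assumptions.
STATS_FILE="${STATS_FILE:-/var/lib/cacti/iptables-stats.txt}"

# Constructed sample of `iptables -nvx -L` output (-x = exact counters).
SAMPLE_IPTABLES_OUTPUT='Chain INPUT (policy ACCEPT 12 packets, 3456 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      40     934016 WWWIN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
Chain WWWIN (1 references)
      40     934016 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain WWWOUT (1 references)
   70000 3646692856 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# stdin: iptables -nvx -L output; stdout: CHAIN:BYTES, summing the bytes column
# of every rule in each chain (a chain with no rules reports 0).
summarize_counters() {
    awk '/^Chain / { chain = $2; if (!(chain in total)) total[chain] = 0; next }
         $1 ~ /^[0-9]+$/ { total[chain] += $2 }
         END { for (c in total) printf "%s:%.0f\n", c, total[c] }'
}

# Root side (cron): write the summary atomically so the reader never sees a
# half-written file.
collect() {
    local tmp
    tmp="$(mktemp "${STATS_FILE}.XXXXXX")" || return 1
    iptables -nvx -L | summarize_counters > "$tmp" &&
        chmod 0644 "$tmp" && mv -f "$tmp" "$STATS_FILE"
}

# Chain names: 1-28 characters from [A-Za-z0-9_.-]; nothing else reaches awk.
valid_chain() {
    case "$1" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    [ "${#1}" -le 28 ]
}

# Poller side (www-data): print "CHAIN:BYTES CHAIN:BYTES" (Cacti multi-output
# format) for the requested chains; a chain missing from the file reports 0.
read_stats() {
    local chain bytes out=""
    for chain in "$@"; do
        valid_chain "$chain" || { echo "invalid chain name: $chain" >&2; return 1; }
        bytes="$(awk -F: -v c="$chain" '$1 == c { print $2; exit }' "$STATS_FILE")"
        out="$out${out:+ }$chain:${bytes:-0}"
    done
    printf '%s\n' "$out"
}

case "${1:-}" in collect) collect ;; read) shift; read_stats "$@" ;; esac
```

Install the script once, run `script collect` from root's crontab, and point the Cacti data input method at `script read <chain> [<chain> ...]` with no sudoers entry at all.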
Hyperion
Posts: 16
Joined: Mon Aug 01, 2005 6:07 am

Post by Hyperion »

fair call, and a smart one.

(and i can change that myself, im just not a huge cacti buff).

im just having trouble getting cacti to display the results of the script.

would you have any helpful advice on getting cacti to do this?

(stupid questions i know, but yea)
JJX
Cacti User
Posts: 402
Joined: Thu Oct 06, 2005 5:03 am

Post by JJX »

The link at your site isn't working:
The Archive can be downloaded HERE!

axxx, i found it in the downloads section
cacti rulez!
nativemad
Posts: 4
Joined: Sun Mar 19, 2006 10:10 am

Post by nativemad »

The link at your site isn't working:
Sorry, that came from a joomla-update... i've corrected it now! :D

@hyperion
Which version do you try? The Version from djr (Iptables and cacti on the same Host) or my version (Iptables via snmp)?!? I thought (not sure) that you can't read iptables-stats at all with a non-root user. So, rony's suggestion (way through a file) can be necessary, unless you run apache as root... But also in that case, you could use it via snmp on only one host! :wink:

I count the output together, so i think an additional validation isn't necessary in my script, as it will end up in an error if no integer is given... Or am i wrong?
redkurawa
Posts: 6
Joined: Tue May 02, 2006 5:54 am

Post by redkurawa »

in my snmpd.conf, i write

rocommunity public
Input exec Input /home/adi/cacti/newiptables.pl VOIPIN

then i restart the snmpd service.

the result from snmpwalk
$ snmpwalk -v1 -cpublic 127.0.0.1 .1.3.6.1.4.1.2021.8.1
UCD-SNMP-MIB::extIndex.1 = INTEGER: 1
UCD-SNMP-MIB::extNames.1 = STRING: Input
UCD-SNMP-MIB::extCommand.1 = STRING: /home/adi/cacti/newiptables.pl VOIPIN
UCD-SNMP-MIB::extResult.1 = INTEGER: 0
UCD-SNMP-MIB::extOutput.1 = STRING: 26726272
UCD-SNMP-MIB::extErrFix.1 = INTEGER: 0
UCD-SNMP-MIB::extErrFixCmd.1 = STRING:

but when i change the command like below, the result is an error.
$ snmpwalk -v1 -cpublic 127.0.0.1 .1.3.6.1.4.1.2021.8.1.extOutput.1
.1.3.6.1.4.1.2021.8.1.extOutput.1: Unknown Object Identifier (Sub-id not found: iso -> extOutput.1)

please help, thx

-redkurawa-
nativemad
Posts: 4
Joined: Sun Mar 19, 2006 10:10 am

Post by nativemad »

Hi redkurawa

The first walk seems to be fine! But the second one is very strange...
I think this is all on the same host (127.0.0.1). Have you changed anything between those two snmp-walks?!?
I only retrieve this "Sub-id not found:" when i misspell the walk (requested id is not available), but your query also looks good!?!

I think this is snmp-related and not necessarily dependent on the script... you could test that like this:
1. create a new little script with the following content:

Code:

#!/bin/bash
echo 1234567890
2. make it executable, so it returns the numbers entered in the echo above, when you execute it.
3. point to that script in snmpd.conf without parameter (like you did it before). Restart snmpd!
4. with your first snmp-walk, you should see the number then...(extOutput.[N])
5. with a snmpwalk directly pointed to that specific extOutput.[N], you should only get that ID back (this step failed in your setup, if it works with this little example, then the problem is on the script-side! -but i don't think so, as the whole walk worked!?! If you also get that strange error here, then something must be wrong in the snmpd.conf) :o

If it doesn't work at all (only with the full walk), you could modify my script (on the cacti-side) to do a large walk, and grep out the specified ext.Output. -let me know if you need help with that!

Your snmpd.conf also seems to have an error (when i do it like this, it doesn't work at all?!? -perhaps just a failure in the posting?): Input exec Input <- it should be just "exec Input"

Btw: you should also be able to request other id's like .1.3.6.1.4.1.2021.8.1.extCommand.1

I hope this will bring you a bit further, but please let us know, if you find something... :wink:
tuxx
Posts: 5
Joined: Sat Apr 19, 2008 6:17 am

Post by tuxx »

hey guys,

i really would like to be able to see incoming AND outgoing traffic of each service as opposed to just the total traffic.

to achieve that i've done:

## > iptables -N WWWIN
## > iptables -N WWWOUT
## > iptables -A WWWIN -j ACCEPT
## > iptables -A WWWOUT -j ACCEPT
## > iptables -A INPUT -p tcp -m tcp --dport 80 -j WWWIN
## > iptables -A OUTPUT -p tcp -m tcp --sport 80 -j WWWOUT


i also modified the perl script so that i can pass 2 parameters like such:

sudo ./iptables.pl WWWIN WWWOUT

and it returns a string of say size_incoming, newline size_outgoing, i.e.:
934016
3646692856

how can i make cacti read both these variables into say: traffic_in/traffic_out?

i tried making 2 output variables but it seems the syntax as such is not correct.. must i use tab/space instead of a newline "\n"?

any ideas?

thanks in advance,
tuxx
tuxx
Posts: 5
Joined: Sat Apr 19, 2008 6:17 am

Post by tuxx »

ok i figured it out:

has to be of the format:

Code:

 WWWIN:234234 WWWOUT:23423423
my final problem is that the values are all slightly off. Iptables returns the value in bytes so i reckoned i need the "convert bytes to bits" in the graphics template. but that makes things worse...

does anyone know what i must modify in the "interface - traffic" template?


thanks,
tuxx