Difference between revisions of "Plugin:IPTables"

From collectd Wiki
(Added "List of Plugins" template.)
(shorewall and collectd - it rules!)
Line 23: Line 23:
 * Linux 2.4 or later with [http://netfilter.org/projects/iptables/index.html ip_tables]
 * <code>libiptc</code>
+
+= Real examples of deployment =
+
+=== How to marry shorewall accounting and collectd ===
+
+There is a clear [http://www.shorewall.net/Accounting.html HOWTO] enable traffic accounting using Shorewall, high-level tool for configuring Netfilter. It gives you nice overview of summary usage in shell, but unfortunately counters are gone after shorewall or server restart.
+
+The idea is to mix standard shorewall accounting with collectd to have a cute and accurate graphs.
+
+The standard '''accounting''' file looks like:
+
+#ACTION        CHAIN  SOURCE          DESTINATION
+#
+scigacz:COUNT  -      -              81.218.94.95/32
+scigacz:COUNT  -      81.218.94.95/32 -
+DONE            scigacz
+
+To adapt it to collectd's iptables plugin, you need to add comments into iptables:
+
+#ACTION        CHAIN  SOURCE          DESTINATION
+#
+COMMENT akonetin
+scigacz:COUNT  -      -              81.218.94.95/32
+COMMENT akonetout
+scigacz:COUNT  -      81.218.94.95/32 -
+COMMENT
+DONE            scigacz
+
+And then add a proper entry to '''collectd.conf''':
+
+<Plugin iptables>
+        Chain filter accounting akonetin
+        Chain filter accounting akonetout
+</Plugin>
+
+That's all! Now you are logging separately in and out traffic into rrd files:
+
+iptables-filter-accounting/ipt_bytes-akonetin.rrd
+iptables-filter-accounting/ipt_bytes-akonetout.rrd
+iptables-filter-accounting/ipt_packets-akonetin.rrd
+iptables-filter-accounting/ipt_packets-akonetout.rrd
+
+--[[User:SergiuszPawlowicz|SergiuszPawlowicz]] 14:21, 20 March 2009 (UTC)
 
 [[Category:Plugins]]

Revision as of 15:21, 20 March 2009


Description

With the IP-Tables plugin you can gather statistics from your ip_tables based packet filter (aka firewall). It collects the byte and packet counters of selected rules and submits them to collectd. You can select the rules to collect either by position (e.g. "the fourth rule in the INPUT chain of the filter table") or by their comment (using the "COMMENT" match). Depending on your firewall layout, this lets you collect counters for particular services (such as the amount of web traffic), source or destination hosts or networks, dropped packets and much more.

This plugin uses libiptc rather than forking the iptables(8) program, so it talks directly to the kernel and the overhead is as low as it gets.

This is a generic plugin, i.e. it cannot work without configuration because there is no reasonable default behaviour. See the Plugin iptables section of the collectd.conf(5) manual page for an in-depth description of the plugin's configuration.

Synopsis

<Plugin "iptables">
  Chain "filter" "FORWARD"
</Plugin>

Example graphs

[Example graphs: Plugin-iptables-bytes.png (bytes per second), Plugin-iptables-packets.png (packets per second)]

Dependencies

* Linux 2.4 or later with ip_tables (http://netfilter.org/projects/iptables/index.html)
* libiptc
Real examples of deployment

How to marry shorewall accounting and collectd

There is a clear HOWTO on enabling traffic accounting with Shorewall, a high-level tool for configuring Netfilter. It gives you a nice overview of summary usage in the shell, but unfortunately the counters are gone after a shorewall or server restart.

The idea is to combine standard shorewall accounting with collectd to get cute and accurate graphs.

The standard accounting file looks like:

#ACTION         CHAIN   SOURCE          DESTINATION    
#                                                               
scigacz:COUNT   -       -               81.218.94.95/32
scigacz:COUNT   -       81.218.94.95/32 -               
DONE            scigacz

To adapt it to collectd's iptables plugin, you need to add comments to the iptables rules:

#ACTION         CHAIN   SOURCE          DESTINATION    
#                                                               
COMMENT akonetin
scigacz:COUNT   -       -               81.218.94.95/32
COMMENT akonetout
scigacz:COUNT   -       81.218.94.95/32 -               
COMMENT
DONE            scigacz

And then add a proper entry to collectd.conf:

<Plugin iptables>
       Chain filter accounting akonetin
       Chain filter accounting akonetout
</Plugin>

That's all! Incoming and outgoing traffic are now logged separately into these rrd files:

iptables-filter-accounting/ipt_bytes-akonetin.rrd
iptables-filter-accounting/ipt_bytes-akonetout.rrd
iptables-filter-accounting/ipt_packets-akonetin.rrd
iptables-filter-accounting/ipt_packets-akonetout.rrd

--SergiuszPawlowicz 14:21, 20 March 2009 (UTC)
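The following is an added example, not collectd's code or anything from the post above: it shows the two rule-selection modes the plugin offers (by position or by COMMENT text, as in the Description) applied to the Shorewall accounting chain from this section, names the results the way the plugin names its RRD files, and treats a counter that went backwards as a rule reload rather than negative traffic. It parses constructed `iptables -vnxL accounting` output instead of talking to libiptc, so it runs offline.

```python
"""Select iptables counters as the collectd iptables plugin does (by rule position
or by COMMENT text). Added example, not collectd's code; parses `iptables -vnxL`."""
import re
# Constructed sample of `iptables -t filter -vnxL accounting` after loading the
# Shorewall accounting file shown above.
SAMPLE = """\
Chain accounting (2 references)
    pkts      bytes target     prot opt in     out     source               destination
   12345    9876543            all  --  *      *       0.0.0.0/0            81.218.94.95         /* akonetin */
    2345     123456            all  --  *      *       81.218.94.95         0.0.0.0/0            /* akonetout */
       0          0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(.*)$")  # pkts, bytes, rest of rule
COMMENT_RE = re.compile(r"/\* (.*?) \*/")            # text of the COMMENT match

def parse_chain(text):
    """One (packets, bytes, comment-or-None) tuple per rule, in chain order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:  # skips the 'Chain ...' and column-header lines
            continue
        c = COMMENT_RE.search(m.group(3))
        rules.append((int(m.group(1)), int(m.group(2)), c.group(1) if c else None))
    return rules

def select_rule(rules, key):
    """key: 1-based rule position (int) or comment string, as in the plugin's
    Chain directive. None when nothing matches."""
    if isinstance(key, int):
        return rules[key - 1] if 1 <= key <= len(rules) else None
    return next((r for r in rules if r[2] == key), None)

def collect(table, chain, text, keys):
    """Name values as the plugin names its RRD files, e.g.
    iptables-filter-accounting/ipt_bytes-akonetin (position keys use the number)."""
    out = {}
    for key in keys:
        r = select_rule(parse_chain(text), key)
        if r is None:  # misconfigured Chain line: nothing is submitted
            continue
        out["ipt_packets-%s" % key] = r[0]
        out["ipt_bytes-%s" % key] = r[1]
    return {"iptables-%s-%s" % (table, chain): out}

def counter_delta(prev, cur):
    """Traffic since the previous sample; None when the counter went backwards,
    i.e. the rules were reloaded (the post-restart loss described above)."""
    return cur - prev if cur >= prev else None
```

Running `collect("filter", "accounting", SAMPLE, ["akonetin", "akonetout"])` yields the four ipt_bytes/ipt_packets instances that correspond to the rrd files listed above.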