Plugin:IPTables

From collectd Wiki
Revision as of 16:21, 20 March 2009 by SergiuszPawlowicz (talk | contribs) (shorewall and collectd - it rules!)



Description

With the IPTables plugin you can gather statistics from your ip_tables based packet filter (i.e. your netfilter/iptables firewall). It collects the byte and packet counters of selected rules and submits them to collectd. You can select the rules to collect either by position (e.g. "the fourth rule in the INPUT chain of the filter table") or by the text of their comment match (the "-m comment --comment ..." extension). Depending on your firewall layout this lets you graph particular services (such as the volume of web traffic), particular source or destination hosts or networks, dropped packets, and much more.

This plugin uses libiptc and does not fork the iptables(8) application, so it talks to the kernel directly and the overhead is as low as it gets. Note that reading the tables through libiptc requires the CAP_NET_ADMIN capability, so the collectd daemon must run as root or be granted that capability.

This plugin is a generic plugin, i.e. it cannot work without configuration, because there is no reasonable default behavior. Please read the Plugin iptables section of the collectd.conf(5) manual page for an in-depth description of the plugin's configuration.

Synopsis

<Plugin "iptables">
  Chain "filter" "FORWARD"
</Plugin>

Example graphs

[Images: Plugin-iptables-bytes.png, Plugin-iptables-packets.png]

Dependencies

libiptc, the iptables userspace library the plugin links against (see above)

Real examples of deployment

How to marry shorewall accounting and collectd

There is a clear HOWTO on enabling traffic accounting with Shorewall, a high-level tool for configuring Netfilter. It gives you a nice summary of usage in the shell, but unfortunately the counters are gone after a Shorewall or server restart.

The idea is to combine standard Shorewall accounting with collectd to get pretty and accurate graphs.

The standard accounting file looks like:

#ACTION         CHAIN   SOURCE          DESTINATION    
#                                                               
scigacz:COUNT   -       -               81.218.94.95/32
scigacz:COUNT   -       81.218.94.95/32 -               
DONE            scigacz

To adapt it to collectd's iptables plugin, attach a comment to each counting rule with Shorewall's COMMENT directive. It becomes an iptables comment match, which is what the plugin selects on; the bare COMMENT line at the end clears the comment for the rules that follow:

#ACTION         CHAIN   SOURCE          DESTINATION    
#                                                               
COMMENT akonetin
scigacz:COUNT   -       -               81.218.94.95/32
COMMENT akonetout
scigacz:COUNT   -       81.218.94.95/32 -               
COMMENT
DONE            scigacz

Then add matching entries to collectd.conf (table "filter", chain "accounting", each rule selected by its comment):

<Plugin iptables>
       Chain filter accounting akonetin
       Chain filter accounting akonetout
</Plugin>

That's all. Inbound and outbound traffic are now logged separately into these RRD files:

iptables-filter-accounting/ipt_bytes-akonetin.rrd
iptables-filter-accounting/ipt_bytes-akonetout.rrd
iptables-filter-accounting/ipt_packets-akonetin.rrd
iptables-filter-accounting/ipt_packets-akonetout.rrd

--SergiuszPawlowicz 14:21, 20 March 2009 (UTC)
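As an added example (not collectd's or Shorewall's code, and not part of the original page), the script below performs the same rule selection that the plugin's "Chain Table Chain [Comment|Number [Name]]" directive describes, by rule number or by comment text, over the output of "iptables -t TABLE -L CHAIN -v -n -x --line-numbers". It is meant as a cross-check: compare what it returns for a directive with the values collectd writes into the RRD files listed above. It also handles the directive form with no comment or number, which per collectd.conf(5) collects every commented rule in the chain. The listing it parses is constructed by hand for this example and its counter values are invented.

```python
"""Resolve collectd iptables-plugin Chain directives against iptables output.

Added example; the real plugin reads the same counters through libiptc
instead of parsing iptables(8) output.
"""
from __future__ import annotations

import re
from typing import NamedTuple, Optional

# Constructed sample listing for the Shorewall "accounting" chain discussed in
# the text (invented counter values). Rules 1 and 2 carry the comments set with
# Shorewall's COMMENT lines; their target column is empty because COUNT rules
# have no -j, which is why the parser does not split columns on whitespace.
SAMPLE_OUTPUT = """\
Chain accounting (1 references)
num      pkts      bytes target     prot opt in     out     source               destination
1        4219    5240881            all  --  *      *       0.0.0.0/0            81.218.94.95         /* akonetin */
2        3871     402113            all  --  *      *       81.218.94.95         0.0.0.0/0            /* akonetout */
3       10024   13311542 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

_BANNER_RE = re.compile(r"^Chain (\S+)")
_RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")
_COMMENT_RE = re.compile(r"/\* (.*?) \*/")


class Rule(NamedTuple):
    position: int            # 1-based rule number within the chain
    packets: int
    nbytes: int
    comment: Optional[str]   # text of the "-m comment" match, if the rule has one


def parse_chain_listing(text: str, expect_chain: Optional[str] = None) -> list:
    """Parse `iptables -L -v -n -x --line-numbers` output into Rule records.

    -x is required: without it iptables abbreviates counters ("5240K"), which
    is rejected here rather than silently skipped.
    """
    rules = []
    for line in text.splitlines():
        banner = _BANNER_RE.match(line)
        if banner:
            if expect_chain and banner.group(1) != expect_chain:
                raise ValueError(f"listing is for chain {banner.group(1)}, not {expect_chain}")
            continue
        if not line.lstrip()[:1].isdigit():   # column header or blank line
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule line (use -x -n --line-numbers): {line!r}")
        pos, pkts, nbytes, rest = m.groups()
        c = _COMMENT_RE.search(rest)
        rules.append(Rule(int(pos), int(pkts), int(nbytes), c.group(1) if c else None))
    return rules


def parse_chain_directive(directive: str) -> tuple:
    """Split a collectd `Chain Table Chain [Comment|Number [Name]]` line.

    Returns (table, chain, selector, name). Quotes around the arguments, as in
    the synopsis, are accepted and stripped.
    """
    parts = directive.replace('"', "").split()
    if len(parts) < 3 or len(parts) > 5 or parts[0] != "Chain":
        raise ValueError(f"not a Chain directive: {directive!r}")
    table, chain = parts[1], parts[2]
    selector = parts[3] if len(parts) > 3 else None
    name = parts[4] if len(parts) > 4 else None
    return table, chain, selector, name


def resolve(listing: str, directive: str) -> dict:
    """Return {type_instance: (packets, bytes)} as the plugin would report it.

    Selection follows collectd.conf(5): a numeric selector picks the Nth rule,
    any other selector picks the rule whose comment equals it, and no selector
    picks every rule that has a comment (keyed by comment). Name, if given,
    replaces the selector as the type instance.
    """
    table, chain, selector, name = parse_chain_directive(directive)
    rules = parse_chain_listing(listing, expect_chain=chain)
    if selector is None:
        return {r.comment: (r.packets, r.nbytes) for r in rules if r.comment}
    if selector.isdigit():
        hits = [r for r in rules if r.position == int(selector)]
    else:
        hits = [r for r in rules if r.comment == selector]
    if not hits:
        raise LookupError(f"no rule {selector!r} in table {table}, chain {chain}")
    hit = hits[0]        # if several rules share a comment, this example takes the first
    return {name or selector: (hit.packets, hit.nbytes)}


def rrd_files(table: str, chain: str, type_instance: str) -> list:
    """RRD paths, relative to collectd's data directory, for one selected rule:
    plugin instance TABLE-CHAIN, types ipt_bytes and ipt_packets."""
    return [f"iptables-{table}-{chain}/ipt_{ds}-{type_instance}.rrd"
            for ds in ("bytes", "packets")]


if __name__ == "__main__":
    for d in ("Chain filter accounting akonetin",
              "Chain filter accounting akonetout",
              "Chain filter accounting 3 passthrough",
              "Chain filter accounting"):
        print(f"{d!r:45} -> {resolve(SAMPLE_OUTPUT, d)}")
    print(rrd_files("filter", "accounting", "akonetin"))
```

On a live host, feed the script the real listing ("iptables -t filter -L accounting -v -n -x --line-numbers", run with CAP_NET_ADMIN) and compare the (packets, bytes) pairs with the last values in the corresponding ipt_packets and ipt_bytes RRD files. A LookupError means the comment or position in your collectd.conf does not match any rule in that chain, which is the usual reason the plugin produces no data for a directive.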