Monitoring traffic with munin and shorewall

I have been using munin to monitor servers for some time. Recently I noticed a message in pages generated by the network traffic plugin if_ which stated that the plugin doesn’t work reliably on 32-bit systems where bursts may exceed 50Mbps. As I was monitoring a 100Mbit and a 1Gbit interface, this problem could affect my system.

The message from the if plugin suggested I use the ip plugin, which uses iptables to find the packet count and should work on a 32-bit system. The problem with this plugin is that it requires you to add INPUT and OUTPUT rules

# iptables -A INPUT -d 192.168.0.1
# iptables -A OUTPUT -s 192.168.0.1

to the firewall. I use shorewall to set up the firewall and don’t want to risk messing it up by manually adding rules. A Google search brought up someone who had the same problem and had written a plugin that uses shorewall accounting to track network traffic. This had the added advantage of being able to track anything shorewall could produce accounting data for.

Adding Shorewall accounting rules

My first step was to set up the accounting data. I started by just checking internet traffic by adding

total_net:COUNT -       ppp0    -
total_net:COUNT -       -       ppp0

to the /etc/shorewall/accounting file. I then added a rule to check http traffic with

http_net:COUNT  -       ppp0    -               tcp     80
http_net:COUNT  -       -       ppp0            tcp     -               80

I then checked the new rules with

# /etc/init.d/shorewall check

and then updated the configuration.

# /etc/init.d/shorewall restart

I then ran some traffic through the network and checked the result with

# shorewall show accounting
Shorewall 4.2.6 Chain accounting at leviathan - Mon Apr  6 00:21:27 JST 2009

Counters reset Sat Apr  4 22:57:50 JST 2009

Chain accounting (3 references)
 pkts bytes target     prot opt in     out     source               destination         
 124K   76M total_net  all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           
 109K   12M total_net  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
 1255  131K http_net   tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
 1323 1457K http_net   tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           tcp spt:80

Setup shorewall_accounting plugin

I copied the code from the website, fixed up all the quote characters and other HTML issues, saved it to /etc/munin/plugins/shorewall_accounting and made it executable. I then added

[shorewall_accounting]
user root

to /etc/munin/plugin-conf.d/munin-node so that the plugin would be run as root, which is required to get accounting information from shorewall. I then restarted munin-node.
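The plugin code itself is not reproduced on this page. As an added example (not the plugin the post refers to), the following Python sketch shows what such a plugin has to do with the `shorewall show accounting` output above: skip the banner and header lines, expand the abbreviated counters, and emit munin config and value lines. The function names, the field naming scheme and the `sample` argument are assumptions made for this example.

```python
import re
import subprocess
import sys

# iptables abbreviates large counters with decimal suffixes (K = 1000).
SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}
COUNTER = re.compile(r"^(\d+)([KMGT]?)$")

# Rows taken from the output shown in the post, used by the "sample" mode.
SAMPLE = """\
 pkts bytes target     prot opt in     out     source       destination
 124K   76M total_net  all  --  ppp0   *       0.0.0.0/0    0.0.0.0/0
 1323 1457K http_net   tcp  --  *      ppp0    0.0.0.0/0    0.0.0.0/0   tcp spt:80
"""

def to_int(text):
    """Expand an abbreviated counter such as '76M'; None if not a counter."""
    m = COUNTER.match(text)
    return int(m.group(1)) * SUFFIX[m.group(2)] if m else None

def parse_accounting(output):
    """Return {(chain, direction): bytes}, summing rows that share a key."""
    totals = {}
    for line in output.splitlines():
        f = line.split()  # pkts bytes target prot opt in out source dest ...
        if len(f) < 9 or to_int(f[0]) is None or to_int(f[1]) is None:
            continue  # banner, "Chain ..." line or column header
        # Assumption: as in the post's rules, a named "in" iface = inbound.
        key = (f[2], "in" if f[5] != "*" else "out")
        totals[key] = totals.get(key, 0) + to_int(f[1])
    return totals

def render(totals, config=False):
    """Build the lines munin expects for 'config' or for a value fetch."""
    lines = ["graph_title Shorewall accounting", "graph_vlabel bytes/s",
             "graph_category network"] if config else []
    for (chain, direction), nbytes in sorted(totals.items()):
        field = re.sub(r"\W", "_", f"{chain}_{direction}")
        if config:
            lines += [f"{field}.label {chain} {direction}",
                      f"{field}.type DERIVE", f"{field}.min 0"]
        else:
            lines.append(f"{field}.value {nbytes}")
    return lines

if __name__ == "__main__":  # "sample" argument: parse SAMPLE, no shorewall
    out = SAMPLE if "sample" in sys.argv else subprocess.run(
        ["shorewall", "show", "accounting"], check=True,
        capture_output=True, text=True).stdout
    print("\n".join(render(parse_accounting(out), "config" in sys.argv)))
```

Abbreviated counters are rounded, so a value shown as 76M only changes in steps of a million bytes and the resulting graph is coarse for low-traffic chains.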


Posted Sun, 05 Apr 2009 14:38

  1. By Djoh 24 days later:


    Hi !

    I would like to see the code that you corrected, if you don’t mind !

    Do you think it is possible to modify the shorewall and the script in order to monitor not only the port 80, but also 443, 110 and whatever port we need ?

    In that case, I could get rid of Ntop and a broken iptraf solution…

    Thanks !

  2. By Edward Middleton 25 days later:


    Djoh) you can do all those things, it is just a matter of adding the appropriate shorewall accounting rules. The shorewall accounting page I linked gives a more detailed explanation. I use

    https_net:COUNT  -       ppp0    -               tcp     443
    https_net:COUNT  -       -       ppp0            tcp     -               443
    

    to monitor secure http.
