IP Accounting for Smoothwall Express 2.0
[This modification has been verified to work with Smoothwall Express 2.0.
Please refer to this page for information about ipac on
Smoothwall GPL 1.0.]
This page will show you how to configure IP accounting on your
Smoothwall, so you can monitor and track how much internet traffic each
PC behind your Smoothwall server is generating.
Note that Smoothwall Express 2.0 uses
RRDTool traffic graphs instead of ipac-ng graphs.
Individual graphs can still be created for each ipac rule, but will
not show up in the web interface with the "normal" traffic graphs.
Requirements:
You'll need:
- A Smoothwall Express 2.0 installation (obviously...).
- A way of getting a command-line prompt on your Smoothwall box
  (either by logging directly onto your Smoothwall box,
  using an SSH client such as PuTTY or SSH Secure Shell,
  or via the Smoothwall web interface).
Configuration:
Ensure you have SSH enabled on your Smoothwall (it's configured on the
"remote access" page). This is required for copying files to your Smoothwall
via SCP, and for logging into your Smoothwall with SSH.
Note that Smoothwall already has ipac-ng installed.
The configuration for ipac-ng is stored in
/etc/ipac-ng/ipac.rules. However, this file is re-created
each time Smoothwall reboots, so any changes made to this file will
be lost when Smoothwall is rebooted.
The rules.conf configuration file is generated by
/etc/rc.d/helper/writeipac.pl, so you need to
make your changes to it, instead of editing ipac.conf
or rules.conf.
Edit /etc/rc.d/helper/writeipac.pl,
and for each PC behind your
Smoothwall that you want to monitor, add the following just before the
close FILE; line at the end of the file:
print FILE "user1 in|ipac~fi|$settings{'RED_DEV'}|all||10.0.0.2\n";
print FILE "user1 out|ipac~fo|$settings{'RED_DEV'}|all|10.0.0.2|\n";
print FILE "user2 in|ipac~fi|$settings{'RED_DEV'}|all||10.0.0.3\n";
print FILE "user2 out|ipac~fo|$settings{'RED_DEV'}|all|10.0.0.3|\n";
where
- user1 is the description of the PC being monitored
- 10.0.0.2 is the IP address of the PC to be monitored behind your Smoothwall
- \n inserts an end-of-line character
Note that if your red interface is a modem, ISDN, or using PPPoE or PPPoA, you can't use the
$settings{'RED_DEV'} alias, but need to specify the actual interface
name, for example, ppp0.
If you only want to monitor incoming traffic to a specific PC, and are not interested
in the outgoing traffic, then leave out the user1 out|ipac~fo|$set.... line
(or comment it out with a #).
To rebuild your /etc/ipac-ng/ipac.rules file with your modifications, run
/etc/rc.d/helper/writeipac.pl
and to make the changes take effect, run
/usr/local/sbin/fetchipac -Sv
This will cause ipac-ng to reload all ip accounting rules,
and should display a list of all the rules, including the ones you've added.
If any errors are displayed, or some of your custom rules are not displayed,
there's a problem with the changes you made to writeipac.pl,
so you'll have to correct these before proceeding.
Smoothwall will now start monitoring all traffic to and from each of the IP addresses
you've specified.
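A pre-flight check for the generated rules, as an added example that is not part of the original page or of ipac-ng. It assumes the six-field name|chain|interface|protocol|source|destination layout seen in the lines above and ipac-ng's four chain names (ipac~fi, ipac~fo, ipac~i, ipac~o); the sample rules and the eth1 device name are constructed.

```shell
#!/bin/sh
# Constructed sample of generated rule lines; lines 4 to 6 are deliberately broken.
sample_rules() {
cat <<'EOF'
# comment lines are ignored
user1 in|ipac~fi|eth1|all||10.0.0.2
user1 out|ipac~fo|eth1|all|10.0.0.2|
user2 in|ipac~fi||all||10.0.0.3
user2 out|ipac~fo|eth1|all|10.0.0.3
user1 in|ipac~fx|eth1|all||10.0.0.4
EOF
}

# lint_rules: read rule lines on stdin, print "line: problem" for each
# problem found, and return non-zero if anything was reported.
lint_rules() {
    awk -F'|' '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
        # A dropped trailing "|" on an "out" rule leaves only five fields.
        NF != 6 { print NR ": expected 6 fields, found " NF; bad++; next }
        $2 !~ /^ipac~(fi|fo|i|o)$/ { print NR ": unknown chain " $2; bad++ }
        # Empty when the $settings{...} value did not expand to a device name.
        $3 == "" { print NR ": empty interface field"; bad++ }
        # Two rules with the same name cannot be told apart in reports.
        seen[$1]++ { print NR ": duplicate rule name " $1; bad++ }
        END { exit (bad > 0) }
    '
}

# Demo on the constructed sample.
sample_rules | lint_rules || echo "fix writeipac.pl before reloading the rules"
```

On the Smoothwall box, run it as lint_rules < /etc/ipac-ng/ipac.rules after running writeipac.pl and before fetchipac -Sv.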
Graphing:
Note that Smoothwall Express 2.0 no longer uses ipac-ng to generate traffic graphs,
but uses RRDTool traffic graphs.
The RRDTool graphs show the total network traffic through each interface, but don't
allow you to create graphs for individual ipac-ng rules.
However, individual graphs can still be created for each ipac-ng rule.
First of all, create a directory for the ipac-ng images
and web pages:
mkdir /home/httpd/html/ipac
Create a shell script called
/usr/local/bin/makegraphs to do the image creation,
with the following contents:
#!/bin/sh
/usr/local/sbin/ipacsum --png /home/httpd/html/ipac/ --png-average-curve 15 \
--png-index index.html --png-caption-in-index --png-width 695 -s 24h
Make the script executable:
chmod 755 /usr/local/bin/makegraphs
This script will create png images for each rule, showing the traffic
over the last 24 hours, and includes a curve showing the average traffic.
To change the length of data displayed on the graph, for example, to display 8 hours of data
instead of 24 hours of data, modify the value of the -s 24h
parameter defined in /usr/local/bin/makegraphs to
-s 8h.
Test the image creation by manually running the script from the command line:
/usr/local/bin/makegraphs
Totals for the last 24 hours (or the interval you've configured) will be displayed, and
the /home/httpd/html/ipac/ directory should
now contain an image for each rule, as well as index.html.
You should be able to view the ipac-ng graphs by pointing your
browser at http://green_ip:81/ipac/ or
https://green_ip:441/ipac/.
Automate the image creation every half hour by adding these lines into
/etc/crontab
# generate some ipac graphs
*/30 * * * * root /usr/local/bin/makegraphs >/dev/null
Note that the ipac-ng data summarisation rules are missing in 2.0 RC1, so be
sure to add the following to /etc/crontab too:
# Summarize ip accounting info:
2 0 * * * root /usr/local/sbin/ipacsum -r -t "the day 7 days ago" >/dev/null
3 0 * * 0 root /usr/local/sbin/ipacsum -r -t "the week 11 weeks ago" >/dev/null
4 0 1 2 * root /usr/local/sbin/ipacsum -r -t "the year 2 years ago" >/dev/null
Reporting:
Total bandwidth usage over any period of time can be displayed by running
ipacsum from a command prompt on your Smoothwall.
Running ipacsum without any parameters will show
the bandwidth for each configured rule that's ever been logged.
With the default ipac-ng rule-set on a Smoothwall configured with
a red, green and orange interface, running ipacsum
returns the following on my Smoothwall box:
IP accounting summary
Host: gandalf / Time created: 2004/08/08 19:03:49 WST
Data from 2003/12/08 00:00:00 WST to 2004/08/08 19:03:49 WST
Incoming GREEN Direct : 62M
Incoming GREEN Forward : 91G
Incoming ORANGE Direct : 301K
Incoming ORANGE Forward : 21M
Incoming RED Direct : 284M
Incoming RED Forward : 130G
Outgoing GREEN Direct : 168M
Outgoing GREEN Forward : 130G
Outgoing ORANGE Direct : 91K
Outgoing ORANGE Forward : 100M
Outgoing RED Direct : 55M
Outgoing RED Forward : 91G
Note that you can get ipacsum to return data in specific units if
desired, rather than returning data in varying units.
For example, to return all data in Megabytes, I ran the following on my
Smoothwall box:
ipacsum --fixed-quantity M
with the following output:
IP accounting summary
Host: gandalf / Time created: 2004/08/08 19:04:13 WST
Data from 2003/12/08 00:00:00 WST to 2004/08/08 19:04:13 WST
Incoming GREEN Direct : 62M
Incoming GREEN Forward : 90953M
Incoming ORANGE Direct : 0M
Incoming ORANGE Forward : 21M
Incoming RED Direct : 284M
Incoming RED Forward : 129580M
Outgoing GREEN Direct : 168M
Outgoing GREEN Forward : 129600M
Outgoing ORANGE Direct : 0M
Outgoing ORANGE Forward : 100M
Outgoing RED Direct : 55M
Outgoing RED Forward : 90854M
Alternatively, running ipacsum -t "this month" will
show the bandwidth for each configured rule over the current month.
Run ipacsum --help for more information on using it.
Smoothwall's Default Rules:
Smoothwall already has ipac-ng installed,
and by default, it is configured to monitor the traffic in and out of
each interface.
More specifically, it is configured with two rules for counting incoming traffic
to each interface, and two rules for counting outbound traffic for each interface.
The direct incoming rule shows traffic inbound to the
Smoothwall box itself on that specific interface, while the
forward incoming rule shows traffic inbound on that
interface, which is forwarded through Smoothwall to another network.
Comments About Squid Proxy Traffic:
Note that if you're using Smoothwall's web proxy server, the ipac-ng rules
described above will not count any web traffic downloaded by a specific user.
The rules described above only monitor forwarded traffic coming in through Smoothwall's
red interface, destined for a specific IP address on the green subnet.
When using Smoothwall's proxy server, web traffic is proxied by Squid, and hence
isn't counted by those rules.
There are a couple of options for including this traffic.
Adding the following rule for each green PC being monitored
print FILE "user1 in|ipac~i|$settings{'GREEN_DEV'}|all||10.0.0.2\n";
will cause ipac-ng to sum the total non-http traffic with all traffic that's transferred directly
between Smoothwall's green interface and the specified green PC.
Note that this includes any traffic caused by the green PC accessing Smoothwall's
web interface, and will be counting the proxied traffic, even if it's coming out of
the web cache on Smoothwall (i.e., some of the traffic will not be direct internet traffic).
If running the web proxy in non-transparent mode, non-http direct traffic can be filtered
by only monitoring the traffic from the proxy:
print FILE "user1 in|ipac~i|$settings{'GREEN_DEV'}|all|0/0 800|10.0.0.2\n";
However, this will still be counting the proxied traffic which may be coming out of
the web cache, rather than direct from the internet.
An alternative approach is to use one of the many Squid log analysis
scripts which are available,
to determine the amount of non-cached traffic used by each green PC.
The total internet traffic for each green PC is then the sum of the ipac-ng forwarded
traffic, and the non-cached traffic as reported by Squid.
If there's an easier way to sum a user's non-proxy and proxy traffic, please
let me know.
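The Squid log approach described above, as an added example that is not part of the original page. It assumes Squid's native access.log layout, treats any result code containing HIT as served from the cache, and skips TCP_DENIED entries; the log lines and the forwarded byte counts are constructed, and the forwarded figures stand in for ipacsum values converted to bytes by hand.

```shell
#!/bin/sh
# Assumed Squid native access.log layout:
#   time elapsed client result/status bytes method URL ident hierarchy type

# Constructed sample log lines (not real traffic); the last one is truncated.
sample_squid_log() {
cat <<'EOF'
1091963000.101    250 10.0.0.2 TCP_MISS/200 4000 GET http://example.com/a - DIRECT/192.0.2.10 text/html
1091963001.202      3 10.0.0.2 TCP_HIT/200 9000 GET http://example.com/logo.png - NONE/- image/png
1091963002.303    410 10.0.0.3 TCP_MISS/200 1500 GET http://example.org/b - DIRECT/192.0.2.20 text/html
1091963003.404      1 10.0.0.3 TCP_MEM_HIT/200 700 GET http://example.org/c.css - NONE/- text/css
1091963004.505      2 10.0.0.3 TCP_DENIED/403 1200 GET http://example.net/x - NONE/- text/html
1091963005.606    120 10.0.0.2 TCP_MISS/200 600 GET http://example.com/d - DIRECT/192.0.2.10 text/html
1091963006.707 truncated line
EOF
}

# Print "client bytes" for requests Squid had to fetch from the internet.
uncached_bytes() {
    awk '
        NF < 5 || $5 !~ /^[0-9]+$/ { next }   # skip truncated or malformed lines
        { split($4, r, "/") }
        r[1] ~ /HIT/    { next }              # served from the cache
        r[1] ~ /DENIED/ { next }              # refused by an ACL, error page is local
        { bytes[$3] += $5 }
        END { for (c in bytes) print c, bytes[c] }
    ' | sort
}

# Print "client forwarded uncached total" for each PC in the forwarded list.
# PCs that appear only in the Squid log are left out.
combined_totals() {   # $1 = forwarded file, $2 = uncached file
    awk 'NR == FNR { fwd[$1] = $2; next }
         { unc[$1] = $2 }
         END { for (c in fwd) print c, fwd[c], unc[c] + 0, fwd[c] + unc[c] }' "$1" "$2" | sort
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed "client forwarded_bytes" figures for the same period.
    printf '10.0.0.2 100000\n10.0.0.3 50000\n' > "$tmp/fwd"
    sample_squid_log | uncached_bytes > "$tmp/unc"
    combined_totals "$tmp/fwd" "$tmp/unc"
    rm -rf "$tmp"
}
demo
```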
last updated 8 Aug 2004