ipchainacc 1.1.0 Author: John Lange john@darkcore.net Date : September 12, 2000 ipchains accounting script for use with MRTG *** New in this version *** *** please read before *** *** using this script *** *** In version 1.0.1, the script is actually counting packets, NOT bytes as was intended. I apologize for this mistake. By default, this new version of the script also counts packets NOT bytes. I've done this to maintain compatibility with the previous (buggy) version so that people who blindly upgrade won't suddenly find all of their output out of whack. To change to counting bytes, please edit the ipchainacc script. *** In order for this script to work: 1) You need a kernel which was compiled with the configuration option CONFIG_IP_FIREWALL set to y. You also need the front end to ip firewall and ip accounting, that is, the tool 'ipchains'. I used version 1.3.9. 2) Add input and output rules to ipchains for accounting. I've included the small script ipchainacc.rules. If you run it, it will do what it needs for ipchains to work with this script. I recommend you have a look at it before running it. It shouldn't break anything because it just adds some empty rules at the top of the input and output chains for accounting purposes. One concern however is that these rules have to be first on the chains to work. If you have some bad IPs black-holed these rules will still count packets from them which might be bad for server load. 2) edit the script ipchainacc for your system. You only need give it the path to ipchains and hostname. Alternatively, you can just remove the call to hostname and assign it manually. The ipchainacc script can also be run from the console if you want to see the output. 3) edit your mrtg.cfg for your system. For this script to be incorperated into mrtg, you need only add the following line to mrtg.cfg: Target[ipchains]: `/sbin/ipchainacc` 4) set mrtg to run as a cron (see the mrtg docs) ------ NOTE: this script is very basic. It captures accounting information for EVERYTHING coming in and out of your machine on all interfaces and IPs. If you need to narrow the accounting rules, you will have to edit the ipchainacc.rules script. I've included a very simple example in that script on how to narrow the accounting but it remains untested.