contrib-munin/plugins/accounting/accounting_

#!/bin/bash
# -*- sh -*-
: <<=cut

=head1 NAME

accounting_ - Wildcard-plugin for tcp, udp and icmp traffic-accounting (IPv4 or IPv6) through iptables.

=head1 CONFIGURATION

This plugin needs to be run as root for iptables to work.
  [accounting_*]
    user root

=head2 ENVIRONMENT VARIABLES

This plugin does not use environment variables.

=head2 WILDCARD PLUGIN

This is a wildcard plugin.  To monitor traffic going through your iptables,link
accounting_<ipv4|ipv6>_<accountingname> to this file.

For example,
  ln -s /opt/munin/lib/plugins/accounting_ /etc/opt/munin/plugins/accounting_ipv4_subnet1

will monitor the tcp, udp and icmp traffic for the accounting named subnet1.


=head2 IPTABLES

You will need to set up iptables rules to create packet counters for
incoming and outgoing traffic.  The examples here cover how to create
the rules. Add these lines at the top of your firewall-script.

=head3 Accounting for single ip

If you want to monitor the traffic from the IP 192.168.0.1, you need to add the following
lines (replace iptables with ip6tables if needed):
  iptables -I INPUT -d 192.168.0.1 -p icmp -m comment --comment ACCT-accountingname-icmp-in
  iptables -I INPUT -d 192.168.0.1 -p udp -m comment --comment ACCT-accountingname-udp-in
  iptables -I INPUT -d 192.168.0.1 -p tcp -m comment --comment ACCT-accountingname-tcp-in
  iptables -I OUTPUT -s 192.168.0.1 -p icmp -m comment --comment ACCT-accountingname-icmp-out
  iptables -I OUTPUT -s 192.168.0.1 -p udp -m comment --comment ACCT-accountingname-udp-out
  iptables -I OUTPUT -s 192.168.0.1 -p tcp -m comment --comment ACCT-accountingname-tcp-out

Only the IP itself (192.168.0.1) and the accounting-name (accountingname) need to be replaced by your values.
 iptables -I <INPUT|OUTPUT> -d <yourip> -p <tcp|udp|icmp> -m comment --comment ACCT-<yourname>-<tcp|udp|icmp>-in

Then add the plugin to your munin configuration:
  ln -s /opt/munin/lib/plugins/accounting_ /etc/opt/munin/plugins/accounting_ipv4_accountingname


=head3 Accounting for subnets

If you want to monitor the traffic from the subnet 192.168.0.1/24, you need to add the following
lines (replace iptables with ip6tables if needed):

  iptables -I INPUT -d 192.168.0.1/24 -p icmp -m comment --comment ACCT-subnet1-icmp-in
  iptables -I INPUT -d 192.168.0.1/24 -p udp -m comment --comment ACCT-subnet1-udp-in
  iptables -I INPUT -d 192.168.0.1/24 -p tcp -m comment --comment ACCT-subnet1-tcp-in
  iptables -I OUTPUT -s 192.168.0.1/24 -p icmp -m comment --comment ACCT-subnet1-icmp-out
  iptables -I OUTPUT -s 192.168.0.1/24 -p udp -m comment --comment ACCT-subnet1-udp-out
  iptables -I OUTPUT -s 192.168.0.1/24 -p tcp -m comment --comment ACCT-subnet1-tcp-out

Then add the plugin to your munin configuration:
  ln -s /opt/munin/lib/plugins/accounting_ /etc/opt/munin/plugins/accounting_ipv4_subnet1

=head1 BUGS

Accounting-names should not contain underline "_" in the name. So instead of "This_Is_A_Cool_Name" use "This-Is-A-Cool-Name".

=head1 NOTES

This plugin is based on the ip_ plugin.

=head1 MAGIC MARKERS

  #%# family=auto
  #%# capabilities=autoconf suggest

=head1 VERSION

1.0

=head1 HISTORY

2013-06-29: initial release

=head1 AUTHOR

Thomas Frey <thomas.frey-munin@hugga.org>

=head1 LICENSE

GPLv2

=cut


PARAM=${0##*accounting_}
SUBCHAIN=$(echo $PARAM | cut -d '_' -f 2)
PROTO=$(echo $PARAM | cut -d '_' -f 1)

if [ $PROTO = "ipv4" ]; then
  IPTABLES="/sbin/iptables"
elif [ $PROTO == "ipv6" ]; then
  IPTABLES="/sbin/ip6tables"
else
  echo "Configuration error: invalid protocol name: not ipv4 or ipv6."
  echo "Use accounting_<ipv4|ipv6>_accountingname."
	exit 1
fi


if [ "$1" == "autoconf" ]; then
	if [ -r /proc/net/dev ]; then
		$IPTABLES -L INPUT -v -n -x -w >/dev/null 2>/dev/null
			if [ $? -gt 0 ]; then
				echo "no (could not run iptables as user `whoami`)"
				exit 1
			else
				echo yes
			exit 0
		fi
	else
		echo "no (/proc/net/dev not found)"
		exit 1
	fi
fi

if [ "$1" = "suggest" ]; then

	if [ $PROTO = "ipv4" ]; then
	  $IPTABLES -L INPUT -v -x -n -w 2>/dev/null | sed -n 's/^.*\/\* ACCT\-\([a-zA-Z\-]*\) \*\/.*$/\ipv4_\1/p'
	  $IPTABLES -L OUTPUT -v -x -n -w 2>/dev/null | sed -n 's/^.*\/\* ACCT\-\([a-zA-Z\-]*\) \*\/.*$/\ipv4_\1/p'
	elif [ $PROTO == "ipv6" ]; then
	  $IPTABLES -L INPUT -v -x -n -w 2>/dev/null | sed -n 's/^.*\/\* ACCT\-\([a-zA-Z\-]*\) \*\/.*$/\ipv6_\1/p'
	  $IPTABLES -L OUTPUT -v -x -n -w 2>/dev/null | sed -n 's/^.*\/\* ACCT\-\([a-zA-Z\-]*\) \*\/.*$/\ipv6_\1/p'
	fi

	exit 0
fi


if [ "$1" = "config" ]; then

	echo 'multigraph '${0##*/}'_in'
	echo 'graph_title '$SUBCHAIN' traffic incoming ('$PROTO')'
	echo 'graph_args --base 1024 -l 0'
	echo 'graph_vlabel bytes per ${graph_period}'
	echo 'graph_order tcpIN udpIN icmpIN'
	echo 'graph_category network'
	echo 'tcpIN.label tcp received'
  echo 'tcpIN.cdef tcpIN,8,*'
	echo 'tcpIN.type DERIVE'
  echo 'tcpIN.draw AREA'
	echo 'tcpIN.min 0'
  echo 'udpIN.label udp received'
  echo 'udpIN.cdef udpIN,8,*'
  echo 'udpIN.type DERIVE'
  echo 'udpIN.draw STACK'
  echo 'udpIN.min 0'
  echo 'icmpIN.label icmp received'
  echo 'icmpIN.cdef icmpIN,8,*'
  echo 'icmpIN.type DERIVE'
  echo 'icmpIN.draw STACK'
  echo 'icmpIN.min 0'

  echo 'multigraph '${0##*/}'_out'
  echo 'graph_title '$SUBCHAIN' traffic outgoing ('$PROTO')'
  echo 'graph_args --base 1024 -l 0'
  echo 'graph_vlabel bytes per ${graph_period}'
  echo 'graph_order tcpOUT udpOUT icmpOUT'
  echo 'graph_category network'
  echo 'tcpOUT.label tcp sent'
  echo 'tcpOUT.cdef tcpOUT,8,*'
  echo 'tcpOUT.type DERIVE'
  echo 'tcpOUT.draw AREA'
  echo 'tcpOUT.min 0'
  echo 'udpOUT.label udp sent'
  echo 'udpOUT.cdef udpOUT,8,*'
  echo 'udpOUT.type DERIVE'
  echo 'udpOUT.draw STACK'
  echo 'udpOUT.min 0'
  echo 'icmpOUT.label icmp sent'
  echo 'icmpOUT.cdef icmpOUT,8,*'
  echo 'icmpOUT.type DERIVE'
  echo 'icmpOUT.draw STACK'
  echo 'icmpOUT.min 0'
	exit 0
fi;

echo 'multigraph '${0##*/}'_in'
$IPTABLES -L INPUT -v -n -x -w | grep  "\/\* ACCT\-"$SUBCHAIN"\-tcp\-in \*\/" | tr -s '*' '-' | awk "{ print \"tcpIN.value \" \$2 }"
$IPTABLES -L INPUT -v -n -x -w | grep  "\/\* ACCT\-"$SUBCHAIN"\-udp\-in \*\/" | tr -s '*' '-' | awk "{ print \"udpIN.value \" \$2 }"
$IPTABLES -L INPUT -v -n -x -w | grep  "\/\* ACCT\-"$SUBCHAIN"\-icmp\-in \*\/" | tr -s '*' '-' | awk "{ print \"icmpIN.value \" \$2 }"
echo
echo 'multigraph '${0##*/}'_out'
$IPTABLES -L OUTPUT -v -n -x -w | grep  "\/\* ACCT\-"$SUBCHAIN"\-tcp\-out \*\/" | tr -s '*' '-' | awk "{ print \"tcpOUT.value \" \$2 }"
$IPTABLES -L OUTPUT -v -n -x -w | grep  "\/\* ACCT\-"$SUBCHAIN"\-udp\-out \*\/" | tr -s '*' '-' | awk "{ print \"udpOUT.value \" \$2 }"
$IPTABLES -L OUTPUT -v -n -x -w | grep  "\/\* ACCT\-"$SUBCHAIN"\-icmp\-out \*\/" | tr -s '*' '-' | awk "{ print \"icmpOUT.value \" \$2 }"
Create accounting_ Wildcard-plugin for tcp, udp and icmp traffic-accounting (IPv4 or IPv6) going through iptables. This plugin can monitor a single ip as well as a entire subnets. Lists tcp, udp and icmp separately. 2013-06-29 23:08:20 +02:00			`#!/bin/bash`
			`# -- sh --`
			`: <<=cut`

			`=head1 NAME`

			`accounting_ - Wildcard-plugin for tcp, udp and icmp traffic-accounting (IPv4 or IPv6) through iptables.`

			`=head1 CONFIGURATION`

			`This plugin needs to be run as root for iptables to work.`
			`[accounting_*]`
			`user root`

			`=head2 ENVIRONMENT VARIABLES`

			`This plugin does not use environment variables.`

			`=head2 WILDCARD PLUGIN`

			`This is a wildcard plugin. To monitor traffic going through your iptables,link`
			`accounting_<ipv4\|ipv6>_<accountingname> to this file.`

			`For example,`
			`ln -s /opt/munin/lib/plugins/accounting_ /etc/opt/munin/plugins/accounting_ipv4_subnet1`

			`will monitor the tcp, udp and icmp traffic for the accounting named subnet1.`


			`=head2 IPTABLES`

			`You will need to set up iptables rules to create packet counters for`
			`incoming and outgoing traffic. The examples here cover how to create`
			`the rules. Add these lines at the top of your firewall-script.`

			`=head3 Accounting for single ip`

			`If you want to monitor the traffic from the IP 192.168.0.1, you need to add the following`
			`lines (replace iptables with ip6tables if needed):`
			`iptables -I INPUT -d 192.168.0.1 -p icmp -m comment --comment ACCT-accountingname-icmp-in`
			`iptables -I INPUT -d 192.168.0.1 -p udp -m comment --comment ACCT-accountingname-udp-in`
			`iptables -I INPUT -d 192.168.0.1 -p tcp -m comment --comment ACCT-accountingname-tcp-in`
			`iptables -I OUTPUT -s 192.168.0.1 -p icmp -m comment --comment ACCT-accountingname-icmp-out`
			`iptables -I OUTPUT -s 192.168.0.1 -p udp -m comment --comment ACCT-accountingname-udp-out`
			`iptables -I OUTPUT -s 192.168.0.1 -p tcp -m comment --comment ACCT-accountingname-tcp-out`

			`Only the IP itself (192.168.0.1) and the accounting-name (accountingname) need to be replaced by your values.`
			`iptables -I <INPUT\|OUTPUT> -d <yourip> -p <tcp\|udp\|icmp> -m comment --comment ACCT-<yourname>-<tcp\|udp\|icmp>-in`

			`Then add the plugin to your munin configuration:`
			`ln -s /opt/munin/lib/plugins/accounting_ /etc/opt/munin/plugins/accounting_ipv4_accountingname`


			`=head3 Accounting for subnets`

			`If you want to monitor the traffic from the subnet 192.168.0.1/24, you need to add the following`
			`lines (replace iptables with ip6tables if needed):`

			`iptables -I INPUT -d 192.168.0.1/24 -p icmp -m comment --comment ACCT-subnet1-icmp-in`
			`iptables -I INPUT -d 192.168.0.1/24 -p udp -m comment --comment ACCT-subnet1-udp-in`
			`iptables -I INPUT -d 192.168.0.1/24 -p tcp -m comment --comment ACCT-subnet1-tcp-in`
			`iptables -I OUTPUT -s 192.168.0.1/24 -p icmp -m comment --comment ACCT-subnet1-icmp-out`
			`iptables -I OUTPUT -s 192.168.0.1/24 -p udp -m comment --comment ACCT-subnet1-udp-out`
			`iptables -I OUTPUT -s 192.168.0.1/24 -p tcp -m comment --comment ACCT-subnet1-tcp-out`

			`Then add the plugin to your munin configuration:`
			`ln -s /opt/munin/lib/plugins/accounting_ /etc/opt/munin/plugins/accounting_ipv4_subnet1`

			`=head1 BUGS`

			`Accounting-names should not contain underline "_" in the name. So instead of "This_Is_A_Cool_Name" use "This-Is-A-Cool-Name".`

			`=head1 NOTES`

			`This plugin is based on the ip_ plugin.`

			`=head1 MAGIC MARKERS`

			`#%# family=auto`
			`#%# capabilities=autoconf suggest`

			`=head1 VERSION`

			`1.0`

			`=head1 HISTORY`

			`2013-06-29: initial release`

			`=head1 AUTHOR`

			`Thomas Frey <thomas.frey-munin@hugga.org>`

			`=head1 LICENSE`

			`GPLv2`

			`=cut`


			`PARAM=${0##*accounting_}`
			`SUBCHAIN=$(echo $PARAM \| cut -d '_' -f 2)`
			`PROTO=$(echo $PARAM \| cut -d '_' -f 1)`

			`if [ $PROTO = "ipv4" ]; then`
			`IPTABLES="/sbin/iptables"`
			`elif [ $PROTO == "ipv6" ]; then`
			`IPTABLES="/sbin/ip6tables"`
			`else`
			`echo "Configuration error: invalid protocol name: not ipv4 or ipv6."`
			`echo "Use accounting_<ipv4\|ipv6>_accountingname."`
			`exit 1`
			`fi`


			`if [ "$1" == "autoconf" ]; then`
			`if [ -r /proc/net/dev ]; then`
iptables-related plugins: use "-w" for consistent results The parameter "-w" forces iptables to wait for a lock before printing data. The parameter requires iptables 1.6 (released 2015). See https://github.com/munin-monitoring/munin/issues/586 2018-02-24 22:58:04 +01:00			`$IPTABLES -L INPUT -v -n -x -w >/dev/null 2>/dev/null`
Create accounting_ Wildcard-plugin for tcp, udp and icmp traffic-accounting (IPv4 or IPv6) going through iptables. This plugin can monitor a single ip as well as a entire subnets. Lists tcp, udp and icmp separately. 2013-06-29 23:08:20 +02:00			`if [ $? -gt 0 ]; then`
			echo "no (could not run iptables as user `whoami`)"
			`exit 1`
			`else`
			`echo yes`
			`exit 0`
			`fi`
			`else`
			`echo "no (/proc/net/dev not found)"`
			`exit 1`
			`fi`
			`fi`

			`if [ "$1" = "suggest" ]; then`

			`if [ $PROTO = "ipv4" ]; then`
iptables-related plugins: use "-w" for consistent results The parameter "-w" forces iptables to wait for a lock before printing data. The parameter requires iptables 1.6 (released 2015). See https://github.com/munin-monitoring/munin/issues/586 2018-02-24 22:58:04 +01:00			`$IPTABLES -L INPUT -v -x -n -w 2>/dev/null \| sed -n 's/^.\/\ ACCT\-\([a-zA-Z\-]\) \\/.*$/\ipv4_\1/p'`
			`$IPTABLES -L OUTPUT -v -x -n -w 2>/dev/null \| sed -n 's/^.\/\ ACCT\-\([a-zA-Z\-]\) \\/.*$/\ipv4_\1/p'`
Create accounting_ Wildcard-plugin for tcp, udp and icmp traffic-accounting (IPv4 or IPv6) going through iptables. This plugin can monitor a single ip as well as a entire subnets. Lists tcp, udp and icmp separately. 2013-06-29 23:08:20 +02:00			`elif [ $PROTO == "ipv6" ]; then`
iptables-related plugins: use "-w" for consistent results The parameter "-w" forces iptables to wait for a lock before printing data. The parameter requires iptables 1.6 (released 2015). See https://github.com/munin-monitoring/munin/issues/586 2018-02-24 22:58:04 +01:00			`$IPTABLES -L INPUT -v -x -n -w 2>/dev/null \| sed -n 's/^.\/\ ACCT\-\([a-zA-Z\-]\) \\/.*$/\ipv6_\1/p'`
			`$IPTABLES -L OUTPUT -v -x -n -w 2>/dev/null \| sed -n 's/^.\/\ ACCT\-\([a-zA-Z\-]\) \\/.*$/\ipv6_\1/p'`
Create accounting_ Wildcard-plugin for tcp, udp and icmp traffic-accounting (IPv4 or IPv6) going through iptables. This plugin can monitor a single ip as well as a entire subnets. Lists tcp, udp and icmp separately. 2013-06-29 23:08:20 +02:00			`fi`

			`exit 0`
			`fi`


			`if [ "$1" = "config" ]; then`

			`echo 'multigraph '${0##*/}'_in'`
typofixes - https://github.com/vlajos/misspell_fixer Suspicious sections: plugins/mail/postfix_mail_stats recieved.label plugins/nginx/nginx_vhost_traffic 2014-12-05 00:37:42 +01:00			`echo 'graph_title '$SUBCHAIN' traffic incoming ('$PROTO')'`
Create accounting_ Wildcard-plugin for tcp, udp and icmp traffic-accounting (IPv4 or IPv6) going through iptables. This plugin can monitor a single ip as well as a entire subnets. Lists tcp, udp and icmp separately. 2013-06-29 23:08:20 +02:00			`echo 'graph_args --base 1024 -l 0'`
			`echo 'graph_vlabel bytes per ${graph_period}'`
			`echo 'graph_order tcpIN udpIN icmpIN'`
Category Tree: reduce number of categories 2017-02-22 02:54:01 +01:00			`echo 'graph_category network'`
Create accounting_ Wildcard-plugin for tcp, udp and icmp traffic-accounting (IPv4 or IPv6) going through iptables. This plugin can monitor a single ip as well as a entire subnets. Lists tcp, udp and icmp separately. 2013-06-29 23:08:20 +02:00			`echo 'tcpIN.label tcp received'`
			`echo 'tcpIN.cdef tcpIN,8,*'`
			`echo 'tcpIN.type DERIVE'`
			`echo 'tcpIN.draw AREA'`
			`echo 'tcpIN.min 0'`
			`echo 'udpIN.label udp received'`
			`echo 'udpIN.cdef udpIN,8,*'`
			`echo 'udpIN.type DERIVE'`
			`echo 'udpIN.draw STACK'`
			`echo 'udpIN.min 0'`
			`echo 'icmpIN.label icmp received'`
			`echo 'icmpIN.cdef icmpIN,8,*'`
			`echo 'icmpIN.type DERIVE'`
			`echo 'icmpIN.draw STACK'`
			`echo 'icmpIN.min 0'`

			`echo 'multigraph '${0##*/}'_out'`
			`echo 'graph_title '$SUBCHAIN' traffic outgoing ('$PROTO')'`
			`echo 'graph_args --base 1024 -l 0'`
			`echo 'graph_vlabel bytes per ${graph_period}'`
			`echo 'graph_order tcpOUT udpOUT icmpOUT'`
Category Tree: reduce number of categories 2017-02-22 02:54:01 +01:00			`echo 'graph_category network'`
Create accounting_ Wildcard-plugin for tcp, udp and icmp traffic-accounting (IPv4 or IPv6) going through iptables. This plugin can monitor a single ip as well as a entire subnets. Lists tcp, udp and icmp separately. 2013-06-29 23:08:20 +02:00			`echo 'tcpOUT.label tcp sent'`
			`echo 'tcpOUT.cdef tcpOUT,8,*'`
			`echo 'tcpOUT.type DERIVE'`
			`echo 'tcpOUT.draw AREA'`
			`echo 'tcpOUT.min 0'`
			`echo 'udpOUT.label udp sent'`
			`echo 'udpOUT.cdef udpOUT,8,*'`
			`echo 'udpOUT.type DERIVE'`
			`echo 'udpOUT.draw STACK'`
			`echo 'udpOUT.min 0'`
			`echo 'icmpOUT.label icmp sent'`
			`echo 'icmpOUT.cdef icmpOUT,8,*'`
			`echo 'icmpOUT.type DERIVE'`
			`echo 'icmpOUT.draw STACK'`
			`echo 'icmpOUT.min 0'`
			`exit 0`
			`fi;`

			`echo 'multigraph '${0##*/}'_in'`
iptables-related plugins: use "-w" for consistent results The parameter "-w" forces iptables to wait for a lock before printing data. The parameter requires iptables 1.6 (released 2015). See https://github.com/munin-monitoring/munin/issues/586 2018-02-24 22:58:04 +01:00			`$IPTABLES -L INPUT -v -n -x -w \| grep "\/\* ACCT\-"$SUBCHAIN"\-tcp\-in \\/" \| tr -s '' '-' \| awk "{ print \"tcpIN.value \" \$2 }"`
			`$IPTABLES -L INPUT -v -n -x -w \| grep "\/\* ACCT\-"$SUBCHAIN"\-udp\-in \\/" \| tr -s '' '-' \| awk "{ print \"udpIN.value \" \$2 }"`
			`$IPTABLES -L INPUT -v -n -x -w \| grep "\/\* ACCT\-"$SUBCHAIN"\-icmp\-in \\/" \| tr -s '' '-' \| awk "{ print \"icmpIN.value \" \$2 }"`
Create accounting_ Wildcard-plugin for tcp, udp and icmp traffic-accounting (IPv4 or IPv6) going through iptables. This plugin can monitor a single ip as well as a entire subnets. Lists tcp, udp and icmp separately. 2013-06-29 23:08:20 +02:00			`echo`
			`echo 'multigraph '${0##*/}'_out'`
iptables-related plugins: use "-w" for consistent results The parameter "-w" forces iptables to wait for a lock before printing data. The parameter requires iptables 1.6 (released 2015). See https://github.com/munin-monitoring/munin/issues/586 2018-02-24 22:58:04 +01:00			`$IPTABLES -L OUTPUT -v -n -x -w \| grep "\/\* ACCT\-"$SUBCHAIN"\-tcp\-out \\/" \| tr -s '' '-' \| awk "{ print \"tcpOUT.value \" \$2 }"`
			`$IPTABLES -L OUTPUT -v -n -x -w \| grep "\/\* ACCT\-"$SUBCHAIN"\-udp\-out \\/" \| tr -s '' '-' \| awk "{ print \"udpOUT.value \" \$2 }"`
			`$IPTABLES -L OUTPUT -v -n -x -w \| grep "\/\* ACCT\-"$SUBCHAIN"\-icmp\-out \\/" \| tr -s '' '-' \| awk "{ print \"icmpOUT.value \" \$2 }"`
Create accounting_ Wildcard-plugin for tcp, udp and icmp traffic-accounting (IPv4 or IPv6) going through iptables. This plugin can monitor a single ip as well as a entire subnets. Lists tcp, udp and icmp separately. 2013-06-29 23:08:20 +02:00