* iptables + MRTG
@ 2004-08-28 11:28 Askar
2004-08-28 15:23 ` Marcin Sura
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Askar @ 2004-08-28 11:28 UTC (permalink / raw)
To: netfilter
Hi,
Is anyone here using MRTG with iptables? For example, to check iptables -L
-nvx things graphically using MRTG... or any other statistics.
Any possibility?
Looking forward.
Regards
AskaR
--
(after bouncing head on desk for days trying to get mine working, I'll make
yer life a little easier)
* Re: iptables + MRTG
2004-08-28 11:28 iptables + MRTG Askar
@ 2004-08-28 15:23 ` Marcin Sura
2004-08-28 16:56 ` José Irigon
2004-08-28 16:59 ` Jose Maria Lopez
2004-08-31 13:17 ` bino_oetomo
2 siblings, 1 reply; 5+ messages in thread
From: Marcin Sura @ 2004-08-28 15:23 UTC (permalink / raw)
To: netfilter
Hello
Saturday, August 28, 2004, 1:28:27 PM, you wrote:
> Anyone here using MRTG with iptables? for example to check iptables -L
> -nvx things graphical using mrtg... or any other statistics
> any possibility ?
With MRTG you can graph temperature, or even how many times your dog
goes outside, so you can also make charts of iptables output. You simply
have to parse the iptables -L -vnx output and provide what you want to
graph to MRTG.
You can also try rrdtool. It is an (IMO better) successor of MRTG.
Try Google. There are a lot of examples for both MRTG and rrdtool.
--
Regards
Marcin mailto:slacklist@op.pl
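The parsing step described in the reply above, as an added example that is not part of the original message: it reads `iptables -L -vnx` output and prints the four lines MRTG reads from an external script (two values, uptime, target name). The `mrtg:in` / `mrtg:out` rule comments, the function names and the sample output are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example (not from the thread): MRTG external-script output built
# from `iptables -L <chain> -vnx`. The mrtg:in / mrtg:out comment tags are
# an assumed convention for marking the rules to graph.

# Constructed sample of `iptables -L FORWARD -vnx` output.
SAMPLE='Chain FORWARD (policy DROP 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   48211 39120455 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0            /* mrtg:in */
   40102  5120933 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            /* mrtg:out */
      17     1020 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23'

# bytes_for_tag TAG: read iptables output on stdin and sum the byte counter
# of every rule carrying the comment TAG. pkts and bytes are always the
# first two fields, so a rule with an empty target column still parses.
bytes_for_tag() {
    awk -v tag="$1" '
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && index($0, "/* " tag " */") {
            sum += $2
        }
        # %.0f rather than %d: counters pass 2^31 quickly
        END { printf "%.0f\n", sum }'
}

# mrtg_report NAME UPTIME: read iptables output on stdin and print the four
# lines MRTG reads from an external script: value 1, value 2, uptime, name.
mrtg_report() {
    dump=$(cat)
    printf '%s\n' "$dump" | bytes_for_tag "mrtg:in"
    printf '%s\n' "$dump" | bytes_for_tag "mrtg:out"
    printf '%s\n%s\n' "$2" "$1"
}

# Demo on the constructed sample. On a live firewall (as root) replace the
# printf with: iptables -L FORWARD -vnx
printf '%s\n' "$SAMPLE" | mrtg_report "fw-forward" "unknown"
```

Matching on the rule comment instead of the rule's position keeps the graph stable when rules are inserted or reordered.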
* Re: iptables + MRTG
2004-08-28 15:23 ` Marcin Sura
@ 2004-08-28 16:56 ` José Irigon
0 siblings, 0 replies; 5+ messages in thread
From: José Irigon @ 2004-08-28 16:56 UTC (permalink / raw)
To: netfilter
Hi all,
I read all the messages sent to the list about topics like this, but none
of them resolved my doubt.
I want to build a stealth firewall, a firewall + bridge which a
malicious client can't find.
This is the idea:
When a packet arrives at the bridge (from the outside), if the rules of
iptables/ebtables permit it, it continues, OK. If not, the bridge should
reply with packages with the client's IP, rejecting these packages.
The problem is that I tried to use "-j REJECT --reject-with tcp-reset", for
example, but the bridge seems unable to reply to those packages.
At the beginning I thought it was because the bridge doesn't have an IP, so it couldn't
send packages back, but I read in
http://sourceforge.net/mailarchive/forum.php?thread_id=4073001&forum_id=8573
that it is possible.
I recompiled the kernel and tried everything I believed could be relevant
(ip_forward, etc.),
but nothing.
Can anyone tell me what it could be?
I'm using Slackware 9.1 with kernel 2.6.8.1, but I tried with 2.4.22
and it didn't work either...
[]'s!
* Re: iptables + MRTG
2004-08-28 11:28 iptables + MRTG Askar
2004-08-28 15:23 ` Marcin Sura
@ 2004-08-28 16:59 ` Jose Maria Lopez
2004-08-31 13:17 ` bino_oetomo
2 siblings, 0 replies; 5+ messages in thread
From: Jose Maria Lopez @ 2004-08-28 16:59 UTC (permalink / raw)
To: netfilter
On Sat, 28-08-2004 at 13:28, Askar wrote:
> hi,
>
> Anyone here using MRTG with iptables? for example to check iptables -L
> -nvx things graphical using mrtg... or any other statistics
> any possibility ?
>
> looking forward.
> regards
> AskaR
The module bastion-firewall-stats from our GPL firewall named
bastion-firewall does something similar to what you want: it
has a daemon that collects the data from the counters in the
chains you mark in the config files and then puts the data in
an rrdtool database, and a bash script generates graphical stats
each hour.
You probably can't do what you want with MRTG, but you can do it
with something like Cacti, which is more flexible. You can create
a script that collects the data (I advise you that it's really slow if
you want to collect data from a lot of chains, that's why we use
a C program that uses libiptc to do this) and then use it in
Cacti to generate the graphics like MRTG does.
Or you can simply create the script and use another script to enter
the data in the rrdtool database and then graph the data with another
one, also using rrdtool.
If you want code to extract the counters from the chains using C
code, you should keep in mind that the Querying libiptc HOWTO has
an error in it: it allocates memory but does not free it, so
the memory used grows and grows and grows. We sent an email to the
author of the HOWTO but we have received no response yet. You can
look at the code in the bastion-firewall-stats daemon to see where
the memory has to be freed. You can download it at:
http://www.bgsec.com
Hope it helps.
--
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN
The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
* Re: iptables + MRTG
2004-08-28 11:28 iptables + MRTG Askar
2004-08-28 15:23 ` Marcin Sura
2004-08-28 16:59 ` Jose Maria Lopez
@ 2004-08-31 13:17 ` bino_oetomo
2 siblings, 0 replies; 5+ messages in thread
From: bino_oetomo @ 2004-08-31 13:17 UTC (permalink / raw)
To: netfilter
----- Original Message -----
From: "Askar" <askarali@gmail.com>
To: "netfilter" <netfilter@lists.netfilter.org>
Sent: Saturday, August 28, 2004 6:28 PM
Subject: iptables + MRTG
> hi,
>
> Anyone here using MRTG with iptables? for example to check iptables -L
> -nvx things graphical using mrtg... or any other statistics
> any possibility ?
>
Take a look at the "Passthrough" method of extending netsnmp.
All you need is just a simple bash script,
and you can "call" your SNMP via MRTG and other SNMP managers.
Sincerely
-bino-
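A handler for the net-snmp pass mechanism mentioned in the reply above, as an added example that is not part of the original message: snmpd calls it with `-g OID` or `-n OID` and reads back three lines (OID, type, value). The OID subtree is a placeholder, and the cache of "<leaf> <bytes>" lines written by a separate root-run collector is an assumption, chosen so that the unprivileged snmpd user never has to run iptables itself.

```sh
#!/bin/sh
# Added example (not from the thread): handler for a net-snmp "pass" entry.
# Hypothetical snmpd.conf line:
#   pass .1.3.6.1.4.1.99999.1 /usr/local/bin/ipt-pass.sh
BASE=".1.3.6.1.4.1.99999.1"   # placeholder subtree, not a registered OID

# Constructed cache, one "<leaf> <bytes>" pair per line in ascending leaf
# order. Assumption: a root-run collector writes it from iptables -L -vnx,
# so the unprivileged snmpd user never has to run iptables.
CACHE='1 39120455
2 5120933'

# pass_reply -g|-n OID: read the cache on stdin and print the reply snmpd
# expects (OID, type, value). No output means "no such object".
pass_reply() {
    awk -v op="$1" -v req="$2" -v base="$BASE" '
        { leaf[NR] = $1; val[$1] = $2; n = NR }
        END {
            want = ""
            inside = (req == base || index(req, base ".") == 1)
            # first sub-identifier below base, 0 when req is base itself
            sub_id = (req == base) ? 0 : substr(req, length(base) + 2) + 0
            for (i = n; i >= 1; i--) {
                if (op == "-g" && req == (base "." leaf[i])) want = leaf[i]
                # GETNEXT: walking downwards leaves the smallest larger leaf
                if (op == "-n" && inside && sub_id < leaf[i] + 0) want = leaf[i]
            }
            # Counter32 wraps at 2^32; iptables counters are 64-bit
            if (want != "")
                printf "%s.%s\ncounter\n%.0f\n", base, want, val[want] % 4294967296
        }'
}

# Demo on the constructed cache: GETNEXT from the subtree root.
printf '%s\n' "$CACHE" | pass_reply -n "$BASE"
```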