Editing Traffic accounting with iptables
Latest revision | Your text | ||
Line 1: | Line 1: | ||
− | Suppose you need to know how much traffic your [[ | + | Suppose you need to know how much traffic your [[VE]]s eat. It can be easily done |
using iptables. | using iptables. | ||
== Situation description == | == Situation description == | ||
− | Let's consider the very simple situation: one | + | Let's consider the very simple situation: one VE with one IP address on the [[Hardware Node]] |
− | with only one network interface. To be more exact, assume that [[ | + | with only one network interface. To be more exact, assume that [[VE]] ID is <tt>200</tt>, the IP address of the [[HN]] |
− | is <tt>192.168.0.56</tt>, the network interface name is <tt>eth0</tt>, and the IP address of the [[ | + | is <tt>192.168.0.56</tt>, the network interface name is <tt>eth0</tt>, and the IP address of the [[VE]] is <tt>192.168.0.117</tt>. |
− | You wish to know how | + | You wish to know how much bytes VE 200 eats. One more assumption is that there are no iptables rules |
on HN now. All these assumption are only for clarity! | on HN now. All these assumption are only for clarity! | ||
== Solution == | == Solution == | ||
− | Almost any traffic that goes to and from a | + | Almost any traffic that goes to and from a VE can be catched by FORWARD chain of iptables module in [[VE0]], |
thus we add such rules: | thus we add such rules: | ||
<pre> | <pre> | ||
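Review bot: grammar in the right-hand text of this hunk needs a pass before it is restored: "how much bytes VE 200 eats" should read "how many bytes VE 200 uses", "All these assumption are only for clarity" should be "All these assumptions are only for clarity", and "can be catched by FORWARD chain of iptables module in [[VE0]]" should be "can be caught by the FORWARD chain of iptables in [[VE0]]". The assumption "there are no iptables rules on HN now" is worth keeping prominent, because the later rule-replacement step addresses rules by their position in the chain.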
Line 18: | Line 18: | ||
</pre> | </pre> | ||
It means that all traffic forwarded to IP 192.168.0.117 and from IP 192.168.0.117 will be accounted. | It means that all traffic forwarded to IP 192.168.0.117 and from IP 192.168.0.117 will be accounted. | ||
− | To obtain current traffic usage of | + | To obtain current traffic usage of VE you can issue the command: |
<pre> | <pre> | ||
# iptables -nv -L FORWARD | # iptables -nv -L FORWARD | ||
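Review bot: the sentence "all traffic forwarded to IP 192.168.0.117 and from IP 192.168.0.117 will be accounted" should add that these rules carry no -j target (the target column in the listing further down is empty), so they only increment counters and never accept or drop anything; the FORWARD chain policy still decides what passes. Readers who already run a firewall on the HN should know the accounting rules can be appended after their existing rules without changing filtering behaviour, but only count packets that actually reach them.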
Line 26: | Line 26: | ||
15 1052 all -- * * 0.0.0.0/0 192.168.0.117 | 15 1052 all -- * * 0.0.0.0/0 192.168.0.117 | ||
</pre> | </pre> | ||
− | '''Bytes''' column is the column we need. It's worth | + | '''Bytes''' column is the column we need. It's worth to say, that restarting a VE doesn't affect accounting, |
it remains right. But if you restart your [[hardware node]], all the rules and consequently statistics are dropped. | it remains right. But if you restart your [[hardware node]], all the rules and consequently statistics are dropped. | ||
So it is recommended to | So it is recommended to | ||
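Review bot: "It's worth to say, that restarting a VE doesn't affect accounting, it remains right" should read "It is worth noting that restarting a VE does not affect accounting; the counters are kept". On the reboot point: an init script that recreates the rules on HN start brings the counters back at zero, so anyone who needs continuity across reboots should also snapshot the counters on shutdown, for example with "iptables-save -c", which includes the current packet and byte counters in its output.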
Line 32: | Line 32: | ||
* add init script that creates iptables rules on [[HN]] start. | * add init script that creates iptables rules on [[HN]] start. | ||
− | + | As is easy to see, it's not per-VE statistic, but rather per-IP statistic. Thus you must be careful | |
− | + | then changing VE IP addresses, otherwise you'll get mess of results. | |
− | |||
− | |||
− | |||
− | |||
− | As is easy to see, it's not per- | ||
− | then changing | ||
− | By saying ''almost any traffic'' I mean that traffic between a [[ | + | By saying ''almost any traffic'' I mean that traffic between a [[VE]] and [[VE0]] is not accounted by rules above. |
Not sure if it can be useful for anybody, but to account such traffic these rules are needed: | Not sure if it can be useful for anybody, but to account such traffic these rules are needed: | ||
<pre> | <pre> | ||
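Review bot: "then changing VE IP addresses" should be "when changing VE IP addresses", and "you'll get mess of results" should be "you will get a mess of results". The warning deserves one more sentence: because the counters belong to the IP, an address that is moved from one VE to another keeps the first VE's bytes in its counter, so the rule for that IP must be zeroed or replaced at the moment the address is reassigned, not just when the VE is restarted.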
Line 50: | Line 44: | ||
To observe results: | To observe results: | ||
<pre> | <pre> | ||
− | # iptables - | + | # iptables -nv -L INPUT |
Chain INPUT (policy ACCEPT 542 packets, 63745 bytes) | Chain INPUT (policy ACCEPT 542 packets, 63745 bytes) | ||
pkts bytes target prot opt in out source destination | pkts bytes target prot opt in out source destination | ||
35 4533 all -- venet0 * 0.0.0.0/0 192.168.0.117 | 35 4533 all -- venet0 * 0.0.0.0/0 192.168.0.117 | ||
− | # iptables - | + | # iptables -nv -L OUTPUT |
Chain OUTPUT (policy ACCEPT 247 packets, 27847 bytes) | Chain OUTPUT (policy ACCEPT 247 packets, 27847 bytes) | ||
pkts bytes target prot opt in out source destination | pkts bytes target prot opt in out source destination | ||
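Review bot: the INPUT rule in the listing, "35 4533 all -- venet0 * 0.0.0.0/0 192.168.0.117", matches packets arriving on venet0 whose destination is the VE address; packets sent from the VE into VE0 would normally carry the VE address as source, so it is worth confirming with a test connection from inside the VE which of the INPUT and OUTPUT counters actually moves before restoring this text, and swapping -d for -s in the INPUT rule (and vice versa in OUTPUT) if the counter stays at zero. The interface name venet0 is also hard-coded here; VEs using veth devices will not be counted by these rules.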
Line 63: | Line 57: | ||
# iptables -Z | # iptables -Z | ||
</pre> | </pre> | ||
− | The disadvantage is that | + | The disadvantage is that doing this way you zero all counters in all rules. If it is not what you need, |
you can just replace the rule with the same rule: | you can just replace the rule with the same rule: | ||
<pre> | <pre> | ||
− | # iptables - | + | # iptables -nv -L FORWARD |
Chain FORWARD (policy ACCEPT 101 packets, 10715 bytes) | Chain FORWARD (policy ACCEPT 101 packets, 10715 bytes) | ||
pkts bytes target prot opt in out source destination | pkts bytes target prot opt in out source destination | ||
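Review bot: "The disadvantage is that doing this way you zero all counters in all rules" should read "The disadvantage is that done this way you zero the counters of all rules", and the text could mention the less destructive forms of the same command: "iptables -Z FORWARD" zeroes only that chain, and on iptables versions that accept a rule number "iptables -Z FORWARD 1" zeroes a single rule, which avoids the rule-replacement trick described next. Listing and zeroing can also be combined in one invocation ("iptables -nv -L FORWARD -Z") so the value read is exactly the value cleared.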
Line 72: | Line 66: | ||
57 5564 all -- * * 0.0.0.0/0 192.168.0.117 | 57 5564 all -- * * 0.0.0.0/0 192.168.0.117 | ||
# iptables -R FORWARD 1 -s 192.168.0.117 | # iptables -R FORWARD 1 -s 192.168.0.117 | ||
− | # iptables - | + | # iptables -nv -L FORWARD |
Chain FORWARD (policy ACCEPT 101 packets, 10715 bytes) | Chain FORWARD (policy ACCEPT 101 packets, 10715 bytes) | ||
pkts bytes target prot opt in out source destination | pkts bytes target prot opt in out source destination | ||
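Review bot: "iptables -R FORWARD 1 -s 192.168.0.117" replaces whatever rule is at position 1, which is only the accounting rule under the no-other-rules assumption made at the top of the article; on a node with a firewall the index may point at a filtering rule, and replacing it with a target-less accounting rule silently removes that filter. Recommend listing with "--line-numbers" first and using the number shown, and noting that the replacement has to repeat the original match exactly or the rule stops counting the right traffic.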
Line 83: | Line 77: | ||
more complicated situations. | more complicated situations. | ||
− | ; More than one | + | ; More than one VE on the node |
− | : Just add the rules like above for each | + | : Just add the rules like above for each VE IP. |
− | ; More than one IP per | + | ; More than one IP per VE. |
− | : For each IP add the rules like above. When counting the complete traffic of a | + | : For each IP add the rules like above. When counting the complete traffic of a VE you have to summarize over all IPs that this VE owns. |
; More interfaces on the HN. | ; More interfaces on the HN. | ||
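Review bot: "you have to summarize over all IPs that this VE owns" should be "you have to sum over all IPs that this VE owns", and the definition-list terms are punctuated inconsistently ("More than one VE on the node" has no period, "More than one IP per VE." and "More interfaces on the HN." do).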
Line 95: | Line 89: | ||
Here are some scripting ideas | Here are some scripting ideas | ||
− | + | first a small script to get all vz id's for later on | |
<pre> | <pre> | ||
host2:~/bin# cat vz-all-running | host2:~/bin# cat vz-all-running | ||
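Review bot: "first a small script to get all vz id's for later on" should read "first, a small script to get all running VE IDs for later use"; the article uses "VE" everywhere else, so "vz" is confusing here.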
Line 101: | Line 95: | ||
</pre> | </pre> | ||
− | + | second a small script witch get all ip's of running vz's | |
<pre> | <pre> | ||
host2:~/bin# cat vz-all-running-ip | host2:~/bin# cat vz-all-running-ip | ||
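Review bot: "second a small script witch get all ip's of running vz's" should read "second, a small script which gets all IPs of running VEs".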
Line 107: | Line 101: | ||
</pre> | </pre> | ||
− | + | and a small script to set up all needed iptable rules | |
<pre> | <pre> | ||
host2:~/bin# cat vz-iptables-create-rules | host2:~/bin# cat vz-iptables-create-rules | ||
Line 114: | Line 108: | ||
</pre> | </pre> | ||
− | + | a small script to generate a traffic.log | |
− | |||
− | |||
− | |||
<pre> | <pre> | ||
host2:~/bin# cat vz-generate-traffic-log | host2:~/bin# cat vz-generate-traffic-log | ||
Line 125: | Line 116: | ||
echo -n `date "+%Y-%m-%d %H:%M:%S"` >> $trafficlog | echo -n `date "+%Y-%m-%d %H:%M:%S"` >> $trafficlog | ||
echo -n " $i " >> $trafficlog | echo -n " $i " >> $trafficlog | ||
− | echo `iptables - | + | echo `iptables -nv -L FORWARD | grep $i | tr -s [:blank:] |cut -d' ' -f3| awk '{sum+=$1} END {print sum;}'` >> $trafficlog |
done | done | ||
# reset the counter | # reset the counter | ||
iptables -Z | iptables -Z | ||
− | # update the | + | # update the ip table rules if there is a any change in vz's |
./vz-iptables-create-rules | ./vz-iptables-create-rules | ||
− | + | # copy the trafficlog file to a webserver where users can take their traffic | |
− | # copy the trafficlog file to a webserver where users can | ||
− | |||
# please mind to use | # please mind to use | ||
# ssh-keygen -t rsa | # ssh-keygen -t rsa | ||
# to generate ssh keys | # to generate ssh keys | ||
− | # and append the new public key from your hardware node | + | # and append the new public key from your hardware node ~/.ssh/id_rsa.pub |
# to ~/.ssh/authorized_keys2 on the HOST-TO-SHOW-THE-TRAFFIC-TO-THE-USERS | # to ~/.ssh/authorized_keys2 on the HOST-TO-SHOW-THE-TRAFFIC-TO-THE-USERS | ||
− | |||
scp $trafficlog USER@HOST-TO-SHOW-THE-TRAFFIC-TO-THE-USERS:/var/www/OPENVZ-CONTROL-WEB-SITE/tmp/$HOSTNAME-traffic | scp $trafficlog USER@HOST-TO-SHOW-THE-TRAFFIC-TO-THE-USERS:/var/www/OPENVZ-CONTROL-WEB-SITE/tmp/$HOSTNAME-traffic | ||
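Review bot: the accounting line "echo `iptables -nv -L FORWARD | grep $i | tr -s [:blank:] |cut -d' ' -f3| awk '{sum+=$1} END {print sum;}'`" under-reports large volumes: without -x (--exact) iptables abbreviates counters above 99999 with K, M and G suffixes, and awk's "sum+=$1" turns "1052K" into 1052, so the logged figure is off by a factor of a thousand once a VE moves more than about 100 KB in a period; use "iptables -nvx -L FORWARD". Second, "grep $i" is a substring match, so the rules for an IP such as 192.168.0.11 also match 192.168.0.117 and the two VEs' bytes are added together; match the source and destination columns exactly (for these target-less rules they are awk fields $7 and $8 of the -L output, with $2 the byte count) or, more robustly, parse "iptables-save -c", whose "[pkts:bytes]" prefix is exact and machine-readable. Third, the counters are read per IP in the loop and zeroed once afterwards with "iptables -Z", so every byte that arrives between a VE's read and the reset is lost; capture "iptables -nvx -L FORWARD -Z" once before the loop (list and zero happen in the same call) and extract each IP from that single snapshot. Minor: quote "[:blank:]" in the tr call, since unquoted it is a shell glob. On the scp step, the key appended to authorized_keys2 grants a full login on the web host; restrict it with a forced command or the "restrict" option in authorized_keys, and note that authorized_keys2 is a legacy file name, the default being authorized_keys.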
Line 146: | Line 134: | ||
cp /dev/null $trafficlog | cp /dev/null $trafficlog | ||
# start a php script to store the traffic in a MySQL Database on the HOST-TO-SHOW-THE-TRAFFIC-TO-THE-USERS | # start a php script to store the traffic in a MySQL Database on the HOST-TO-SHOW-THE-TRAFFIC-TO-THE-USERS | ||
− | + | wget -q http://HOST-TO-SHOW-THE-TRAFFIC-TO-THE-USERS/login/traffic-read.php?HN=$HOSTNAME -O /dev/null | |
− | wget -q http://HOST-TO-SHOW-THE-TRAFFIC-TO-THE-USERS/traffic-read.php?HN=$HOSTNAME -O /dev/null | ||
</pre> | </pre> | ||
− | + | a small sample php script to store the trafficlog in a MySQL Database on the HOST-TO-SHOW-THE-TRAFFIC-TO-THE-USERS | |
− | + | <pre> | |
− | |||
− | < | ||
− | |||
− | |||
− | |||
<? | <? | ||
$MySQL_Host="INSERT-YOUR-MYSQL-HOST-HERE"; | $MySQL_Host="INSERT-YOUR-MYSQL-HOST-HERE"; | ||
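Review bot: the trigger "wget -q http://HOST-TO-SHOW-THE-TRAFFIC-TO-THE-USERS/login/traffic-read.php?HN=$HOSTNAME -O /dev/null" carries no credential and runs over plain HTTP, so any client that can reach the web host can start an import for any HN value, and the HN name is the only thing that selects which file is read; the endpoint should require a secret or client certificate, or at least be restricted to the hardware nodes' addresses in the web server configuration, and be served over HTTPS. In the PHP that follows, "<?" relies on short_open_tag being enabled; "<?php" works on every installation.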
Line 162: | Line 144: | ||
$MySQL_Passw="INSERT-YOUR-MYSQL-PASSWORD-HERE"; | $MySQL_Passw="INSERT-YOUR-MYSQL-PASSWORD-HERE"; | ||
− | mysql_connect($MySQL_Host,$MySQL_User,$MySQL_Passw); | + | mysql_connect("$MySQL_Host","$MySQL_User","$MySQL_Passw"); |
$HN=trim(addslashes($_GET["HN"])); // Hardware Node | $HN=trim(addslashes($_GET["HN"])); // Hardware Node | ||
− | $handle = fopen ("tmp/ | + | $handle = fopen ("tmp/$HN","r"); |
while (!feof($handle)) { | while (!feof($handle)) { | ||
$line = fgets($handle, 4096); | $line = fgets($handle, 4096); | ||
list($date,$time,$ip,$traffic)=explode(" ",$line); | list($date,$time,$ip,$traffic)=explode(" ",$line); | ||
− | if($traffic>0) {mysql($db,"insert into Traffic (ip,measuringtime,bytes) values(' | + | if($traffic>0) {mysql($db,"insert into Traffic (ip,measuringtime,bytes) values('$ip','$date $time','$traffic')");} |
} | } | ||
fclose($handle); | fclose($handle); | ||
− | + | </pre> | |
− | </ | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | You can use crontab to run this script once per hour or day to collect your traffic statistics. | |
− | |||
− | |||
+ | As you see this way can be time-consuming in case of big number of VEs. | ||
So if anybody has scripts that automate all the process — you are welcome! | So if anybody has scripts that automate all the process — you are welcome! | ||
− | + | [[Category: HOWTO]] | |
− | |||
− | |||
[[Category: Networking]] | [[Category: Networking]] | ||
− |
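Review bot: "$handle = fopen ("tmp/$HN","r");" builds the file name directly from $_GET["HN"], and "addslashes" only escapes quotes, so a value containing directory separators or ".." makes the script open a file outside tmp/ and push its lines into the Traffic table; validate $HN against a strict hostname pattern (for example "preg_match('/^[A-Za-z0-9.-]+$/', $HN)") and reject anything else, or reduce it with basename(). The INSERT interpolates $ip, $date, $time and $traffic from the uploaded file with no escaping; since the file arrives by scp from the HN the exposure is smaller, but use mysql_real_escape_string on each value (or, better, mysqli/PDO prepared statements, since the mysql_* functions are removed in PHP 7) and check that $traffic is a digit string with ctype_digit rather than relying on "$traffic>0", which is true for any string starting with a positive number. "while (!feof($handle))" with fgets yields one extra empty iteration at end of file, where "list()" on fewer than four elements raises notices; use "while (($line = fgets($handle, 4096)) !== false)" instead. The change in this hunk, quoting the arguments of mysql_connect("$MySQL_Host","$MySQL_User","$MySQL_Passw"), is harmless but unnecessary, and the connect result is never checked. The closing sentence "this way can be time-consuming in case of big number of VEs" should read "this approach can be time-consuming with a large number of VEs".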