



Название: нужна помощь с netgraph netflow
Отправлено: garik24 от 05 Апреля 2010, 23:01:56
пытаюсь перейти с ipcad на netflow(netgraph), бьюсь второй день.

лог админки биллинга:
Код:
cat: /var/run/flow-capture/flow-capture.pid.8888: No such file or directory
cat: /var/run/flow-capture/flow-capture.pid.8888: No such file or directory
cat: /var/run/flow-capture/flow-capture.pid.8888: No such file or directory
cat: /var/run/flow-capture/flow-capture.pid.8888: No such file or directory
cat: /var/run/flow-capture/flow-capture.pid.8888: No such file or directory
в папках /var/run/flow-capture/ и /var/db/flows/ пусто

в мониторинге ядра ноудени
Код:
Не получен трафик от netflow: local (8888:2,3).

1-ая сетевая смотрит в локалку
2,3 в инет
ось freebsd 7.0-RELEASE-p12
все необх. модули подгружены согласно инструкции.
все крутится на одной тачке.

netflow.pl -ничего не менял
Код:
#!/usr/bin/perl

# Generator for the per-sensor collector script netflow_<port>.pl that
# flow-capture runs on every rotated flow file (netflow_8888.pl below is
# an example of the generated output).
# Input (command line):
# 0 - port, optionally "PORT:IF,IF,..." listing the external interface numbers
# 1 - file name

$flow_base='/var/db/flows/';
$nodeny_base='/usr/local/nodeny/';
$flow_capture_pid='/var/run/flow-capture/flow-capture.pid';

# Locate the flow-tools binaries via `which`; an empty result falls back to
# the hard-coded path. (Should `which` print its "not found" text to stdout
# rather than stderr, that text would be taken as the path -- presumably
# not the case on the target system, but worth confirming.)
$flow_print=`which flow-print` || '/usr/local/bin/flow-print';
$flow_export=`which flow-export` || '/usr/local/bin/flow-export';
$cat=`which cat` || '/bin/cat';

# strip the trailing newline printed by `which`
chomp $flow_print;
chomp $flow_export;
chomp $cat;

# strip a trailing "/" so the paths can be joined with '/...' below
$flow_base=~s/\/$//;
$nodeny_base=~s/\/$//;

($port,$file_name)=@ARGV;
$port=~s/\s+//g;

if ($port=~/(\d+):(.+)$/)
  {# the external interface numbers are known for this sensor; keep them
   # as ",2,3," so the generated script can test membership with /,$if,/
   $out_int=",$2,";
   $port=$1;
  }else
  {
   # no interface list: only the numeric port is used
   undef $out_int;
   $port=int $port;
  }

# Single quotes are deliberate: the literal text '$ARGV[0]' is written into
# the generated script, which interpolates it with its own argument at run time.
$flow_file=$flow_base.'/$ARGV[0]';
$file_pl="$nodeny_base/netflow_$port.pl";


# $flow_file and $file_name are later embedded in a shell command string
# inside the generated script, so both must come from trusted configuration.
# Exit silently if the target script cannot be created.
exit unless open(F,">$file_pl");

{
 $n="\n";
 unless (defined $out_int)
   {
    print F qq{#!/usr/bin/perl$n}.
      qq{ system("$flow_print -f6 < $flow_file >$file_name 2>/dev/null");$n}.
      qq{ unlink "$flow_file";$n};

netflow_8888.pl сгенерирован автоматом
Код:
#!/usr/bin/perl
# Auto-generated by netflow.pl for the sensor on port 8888 (external
# interfaces 2 and 3).
# Input:  $ARGV[0] - name of a flow file in /var/db/flows written by flow-capture.
# Output: a tab-separated traffic file under /usr/local/nodeny/sql/ for the
#         Nodeny kernel; the processed flow file is removed afterwards.
# NOTE: $ARGV[0] is interpolated unquoted into a shell command line, so this
#       script must only ever be invoked with file names produced by flow-capture.
my $export = '/usr/local/bin/flow-export -f2 -mdoctets,srcaddr,dstaddr,input,output,srcport,dstport,prot';
my $raw = `$export < /var/db/flows/$ARGV[0] 2>/dev/null`;

# Interface numbers regarded as "external", wrapped in commas so that a
# substring match /,$if,/ works for single- and multi-digit indexes alike.
my $out_ifaces = ',2,3,';
my @rows;
for my $line (split /\n/, $raw) {
  my ($bytes, $src, $dst, $in_if, $out_if, $sport, $dport, $proto) = split /,/, $line;
  # skip records without a protocol number
  next if $proto < 1;
  my $prefix = join("\t", $src, $dst, 1, $bytes, $sport, $dport, $proto) . "\t";
  # direction flag: 2 = came in on an external interface, 1 = leaves via one
  push @rows, $prefix . "2\n" if $out_ifaces =~ /,$in_if,/;
  push @rows, $prefix . "1\n" if $out_ifaces =~ /,$out_if,/;
}

# Write to a temp name and rename so the kernel never sees a partial file.
# If the file cannot be opened the flow file is left in place.
my $tmp  = '/usr/local/nodeny/sql/1-1270498952_temp';
my $dest = '/usr/local/nodeny/sql/1-1270498952';
open(my $fh, '>', $tmp) or exit;
print $fh @rows;
close($fh);
rename $tmp, $dest;
unlink "/var/db/flows/$ARGV[0]";

netflow.txt
Код:
# ngctl command file: attach an ng_netflow node to the ipfw node's hook "100"
# (the cookie used by "ipfw add ... ngtee 100") and export flows over UDP.
mkpeer ipfw: netflow 100 iface0
name ipfw:100 netflow
# DLT 12 = DLT_RAW: bare IP packets, which is what ng_ipfw hands over
msg netflow: setdlt { iface = 0 dlt = 12 }
mkpeer netflow: ksocket export inet/dgram/udp
# export target; must match the collector's listening address/port
msg netflow:export connect inet/127.0.0.1:8888

rc.firewall
Код:
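#!/bin/sh -
# ipfw rule set for the Nodeny gateway: PPTP/GRE passthrough, mail and admin
# access, multicast/private-range filtering, transparent HTTP forwarding, and
# a netgraph tee (ngtee 100) that feeds the ng_netflow node used for
# traffic accounting.

fwcmd="/sbin/ipfw -q"   # deliberately unquoted below so "-q" splits off
ifOut='fxp1'
ifOut2='fxp2'
mailSrvIp='xxx.xxx.xxx.xxx'   # placeholder as posted by the author


# table 120: address ranges that must never cross the gateway (rules 140/150)
${fwcmd} table 120 flush
${fwcmd} table 120 add 224.0.0.0/4
${fwcmd} table 120 add 192.168.0.0/16
${fwcmd} table 120 add 172.16.0.0/12


${fwcmd} -f flush

# PPTP control channel and GRE payload
${fwcmd} add 11 allow tcp from any to me dst-port 1723 in
${fwcmd} add 12 allow tcp from me 1723 to any out
${fwcmd} add 13 allow gre from any to any

${fwcmd} add 25  allow tcp from any to 10.36.3.3 dst-port 5006
${fwcmd} add 30  allow tcp from 10.36.0.0/16 to 10.36.3.3 dst-port 10000
${fwcmd} add 40 allow udp from any 53 to me #dns input
# inbound mail from the Internet
${fwcmd} add 42 allow tcp from any to ${mailSrvIp} 25 in #mail
${fwcmd} add 43 allow udp from any to ${mailSrvIp} 25 in #mail
${fwcmd} add 44 allow tcp from 10.36.0.0/16 to me 25,110,143 keep-state

${fwcmd} add 50 allow tcp from any to me 22
${fwcmd} add 51 allow tcp from me 22 to any

${fwcmd} add 100 deny tcp from any to any 445

${fwcmd} add 110 allow ip from any to any via lo0
${fwcmd} add 115 allow ip from any to any via lo1
${fwcmd} add 120 skipto 1000 ip from me to any
${fwcmd} add 130 deny icmp from any to any in icmptype 5,9,13,14,15,16,17
${fwcmd} add 140 deny ip from any to "table(120)"
${fwcmd} add 150 deny ip from "table(120)" to any
${fwcmd} add 160 skipto 2000 ip from any to me

# traffic on the external interfaces continues at 500
${fwcmd} add 200 skipto 500 ip from any to any via ${ifOut}
${fwcmd} add 205 skipto 500 ip from any to any via ${ifOut2}


${fwcmd} add 280 fwd 127.0.0.1,81 tcp from "table(35)" to not me dst-port 80
${fwcmd} add 290 fwd 127.0.0.1,8080 tcp from not "table(0)" to not me dst-port 80
${fwcmd} add 300 skipto 4500 ip from any to any in

#${fwcmd} add 400 skipto 450 ip from any to any recv ${ifOut}
#${fwcmd} add 405 skipto 450 ip from any to any recv ${ifOut2}
# Copy the packet to netgraph hook ipfw:100 (ng_netflow) and keep processing.
# One ngtee is enough: the previous rule 405 repeated this exact rule, and
# since ngtee does not end rule processing every packet reaching here was
# copied -- and therefore accounted -- twice.
${fwcmd} add 400 ngtee 100 ip from any to any

#${fwcmd} add 420 divert 1 ip from any to any
#${fwcmd} add 450 divert 2 ip from any to any
${fwcmd} add 490 allow ip from any to any

# inbound on the external interfaces: no rule >= 32500 exists in this file,
# so this jump lands on the kernel's default rule
${fwcmd} add 500 skipto 32500 ip from any to any in
#${fwcmd} add 510 divert 1 ip from any to any
${fwcmd} add 510 ngtee 100 ip from any to any
${fwcmd} add 540 allow ip from any to any

# packets originating from this host (reached via rule 120)
${fwcmd} add 1000 allow udp from any 53,7723 to any
${fwcmd} add 1010 allow tcp from any to any setup keep-state
${fwcmd} add 1020 allow udp from any to any keep-state
${fwcmd} add 1100 allow ip from any to any

# packets addressed to this host (reached via rule 160)
${fwcmd} add 2000 check-state
${fwcmd} add 2010 allow icmp from any to any
${fwcmd} add 2020 allow tcp from any to any 80,443,5222,5223
${fwcmd} add 2050 deny ip from any to any via ${ifOut}
${fwcmd} add 2055 deny ip from any to any via ${ifOut2}
${fwcmd} add 2060 allow udp from any to any 53,7723

${fwcmd} add 2100 deny ip from any to any

# catch-all for anything that fell through (e.g. the skipto 4500 at rule 300)
${fwcmd} add 32490 deny ip from any to any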


rc.conf
Код:
.....
#netflow netgraph
# enables ngnetflow.sh, the rc.d script that loads netflow.txt through ngctl
ngnetflow_enable="YES"
# flow_capture
# NOTE: "NO" leaves the collector off, so nothing listens on the export port
flow_capture_enable="NO"
.....

ngnetflow.sh
Код:
#!/bin/sh
# FreeBSD rc.d script that builds and tears down the ng_netflow graph for
# Nodeny (see netflow.txt). Controlled by ngnetflow_enable in /etc/rc.conf.
. /etc/rc.subr

name=ngnetflow
rcvar=$(set_rcvar)

load_rc_config "$name"
# Default is YES, i.e. the graph is set up even when rc.conf says nothing.
# NOTE(review): FreeBSD rc scripts conventionally default their *_enable to "NO".
: ${ngnetflow_enable="YES"}

start_cmd=ngnetflow_start
stop_cmd=ngnetflow_stop

ngnetflow_start() {
  # Feed ngctl the command file that creates the netflow node and its export
  # socket; the function's status is whatever ngctl returns.
  /usr/sbin/ngctl -f /usr/local/nodeny/netflow.txt
}

ngnetflow_stop() {
  # Shut down the node named "netflow" (the name assigned in netflow.txt);
  # "-f-" makes ngctl read the command from stdin.
  printf 'shutdown netflow:\n' | /usr/sbin/ngctl -f-
}

# rc.subr dispatches the requested action to the *_cmd handlers defined above
run_rc_command "$1"

подскажите, плз., куда копать?


Название: Re: нужна помощь с netgraph netflow
Отправлено: garik24 от 06 Апреля 2010, 04:34:33
заработало. нашел пару ошибок.
1.
Код:
# netstat |grep 88
tcp4       0      0  localhost.8888         localhost.52754        ESTABLISHED
tcp4       0      0  localhost.52754        localhost.8888         ESTABLISHED
порт 8888 занят другим приложением, поменял порт.

2. подправил rc.conf (спасибо+1 Elisium) http://forum.nodeny.com.ua/index.php?topic=486.msg4791#msg4791
Код:
flow_capture_enable="YES"
flow_capture_profiles="nodeny"
# -R: program flow-capture runs after each file rotation with the new file
# name as its argument (netflow_8888.pl reads it as $ARGV[0]).
flow_capture_nodeny_flags="-n1 -N0 -R /usr/local/nodeny/netflow_8888.pl"
# Below: IP of the gateway exporting netflow, or 0.0.0.0 if strictness is
# not needed. NOTE(review): this only filters the UDP source address, which
# is spoofable, so treat it as a sanity filter rather than authentication.
# Also note that netflow.txt above exports to 127.0.0.1, which would not match
# this value -- presumably the export target was changed together with the port.
flow_capture_nodeny_remoteip="10.0.121.1"
# Below: IP of the billing host (the netflow collector), or 0.0.0.0 to listen
# on all interfaces
flow_capture_nodeny_localip="10.0.121.10"
flow_capture_nodeny_datadir="/var/db/flows"
flow_capture_nodeny_pid="/var/run/flow-capture/flow-capture.pid"
flow_capture_nodeny_port="8888"
# NOTE(review): the collector and the -R program run as this user; root looks
# broader than necessary -- netflow_8888.pl only writes /usr/local/nodeny/sql/
# and removes files in the datadir, so confirm whether a dedicated user works.
flow_capture_nodeny_user="root"