ip_port


#!/bin/bash
# $pup: eed88cf 2012-06-22 11:41:13 +0200 Miek Gieben$
# -*- sh -*-

: << =cut

=head1 NAME

ip_port_ - Wildcard-plugin to monitor IP ports through iptables

=head1 CONFIGURATION

This plugin needs to be run as root for iptables to work.

Additionally you can change the graph title from the ip address to a
hostname by setting hostname in the configuration.

Example configuration follows.  Only the first stanza is needed:

  [ip_port*]
    user root

=head2 ENVIRONMENT VARIABLES

This plugin does not use environment variables

=head2 WILDCARD PLUGIN

This is a wildcard plugin.  To monitor traffic to or from a port,
link ip_port_ to this file.

E.g.

  ln -s /usr/share/node/node/plugins-auto/ip_port_ \
        /etc/munin/node.d/ip_port_22

...will monitor the port numbered 22 (you may be using other directories
in your setup).

=head2 IPTABLES

You will need to set up iptables rules to create packet counters for
incoming and outgoing traffic.  The examples here covers how to create
the rules.  Given the multitude of methods used to configure iptables
firewalls, they do not show how to make them survive a reboot.

Please also note that we do not intend to make this script compatible
with anything but these rules made explicitly for the plugin.  If you
use a firewall tool to create iptables rules you may find that that
will not work.  Please add the appropriate lines by hand (or by
hand-made script) if so.

=head3 IPv4

For the IP port "22" (tcp and udp), you will need the rules:

  iptables -I INPUT -p tcp --dport 22
  iptables -I INPUT -p udp --dport 22
  iptables -I OUTPUT -p tcp --sport 22
  iptables -I OUTPUT -p udp --sport 22

These rules will insert, at the top of the iptables chains INPUT and
OUTPUT one rule which will act as a packet counter.

Since the rule does not include a "-j" argument, it will not
explicitly allow or block anything.

=head3 IPv6

To create counters you will need to use "ip6tables" instead of
"iptables".

  ip6tables -I INPUT -p tcp --dport 22
  ip6tables -I INPUT -p udp --dport 22
  ip6tables -I OUTPUT -p tcp --sport 22
  ip6tables -I OUTPUT -p udp --sport 22

=head1 BUGS

None known.

=head1 NOTES

This plugin is based on the ip_ plugin.

=head1 MAGIC MARKERS

 #%# family=auto
 #%# capabilities=autoconf suggest

=head1 AUTHOR

Unknown.  Suspected to be some Linpro employee.

=head1 LICENSE

Unknown.

=cut

. $MUNIN_LIBDIR/plugins/plugin.sh

PORT=${0##*/ip_port_}
INPUT=${input:-INPUT}
OUTPUT=${output:-OUTPUT}

# This is a fun hack to make the plugin ip6 compatible.
# Suggested in ticket #439 by "jodal".
eval 'function iptables() {
    /sbin/iptables "$@"
}'

if [ "$1" = "autoconf" ]; then
	if [ -r /proc/net/dev ]; then
		iptables -L ${INPUT} -v -n -x >/dev/null 2>/dev/null
		if [ $? -gt 0 ]; then
			echo "no (could not run iptables as user `whoami`)"
			exit 0
		else
			echo yes
			exit 0
		fi
	else
		echo "no (/proc/net/dev not found)"
		exit 0
	fi
fi

if [ "$1" = "suggest" ]; then
    iptables -L ${INPUT} -v -n -x 2>/dev/null | awk --posix '$8 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}$/ { if (done[$8]!=1) {print $8; done[$8]=1;}}'
    if [ -x /sbin/ip6tables ]; then
 	ip6tables -L ${INPUT} -v -n -x 2>/dev/null | awk --posix '$7 ~ /\/128$/ { if (done[$7]!=1) {a=$7;gsub(/\/128$/, "", a); print a; done[$7]=1;}}'
    fi
    exit 0
fi

title=$(getent services $PORT | awk ' { print $1 } ')

if [ "$1" = "config" ]; then

        echo "graph_order out_tcp out_udp in_tcp in_udp"
        if [ -n $title ]; then
            title="$title ($PORT)"
        else
            title="unknown ($PORT)"
        fi
        echo "graph_title traffic for $title"
        echo 'graph_args --base 1000'
        echo 'graph_vlabel bits per ${graph_period}'
	echo 'graph_category Terraria'
        echo 'out_tcp.label sent TCP'
        echo 'out_tcp.type DERIVE'
        echo 'out_tcp.min 0'
        echo 'out_tcp.cdef out_tcp,8,*'
        echo 'out_udp.label sent UDP'
        echo 'out_udp.type DERIVE'
        echo 'out_udp.min 0'
        echo 'out_udp.cdef out_udp,8,*'

        echo 'in_tcp.label recv TCP'
        echo 'in_tcp.type DERIVE'
        echo 'in_tcp.min 0'
        echo 'in_tcp.cdef in_tcp,8,*'
        echo 'in_udp.label recv UDP'
        echo 'in_udp.type DERIVE'
        echo 'in_udp.min 0'
        echo 'in_udp.cdef in_udp,8,*'

	print_warning out_tcp
	print_critical out_tcp
	print_warning out_udp
	print_critical out_udp
	print_warning in_tcp
	print_critical in_tcp
	print_warning in_udp
	print_critical in_udp
        exit 0
fi;

iptables -L ${INPUT} -v -n -x   | awk "/tcp dpt:$PORT"'/ { print "in_tcp.value " $2; exit 0; }'
iptables -L ${INPUT} -v -n -x   | awk "/udp dpt:$PORT"'/ { print "in_udp.value " $2; exit 0; }'

iptables -L ${OUTPUT} -v -n -x  | awk "/tcp spt:$PORT"'/ { print "out_tcp.value " $2; exit 0; }'
iptables -L ${OUTPUT} -v -n -x  | awk "/udp spt:$PORT"'/ { print "out_udp.value " $2; exit 0; }'