Сообщение от Lampus:
Копай в сторону stargazer; если нужно что-то действительно мощное и куча геморроя, то Netup UTM5 тебе в руки. Но если юзверей меньше 20, даже не заморачивайся.
Сообщение от Mark5:
ErV, соберешь - дашь поюзать?
Сообщение от :
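#!/usr/bin/env bash
#firewall script
#
# Builds a default-DROP filter table for one host (CARD_MASK) plus a set of
# accounting chains.  Each <class>_in / <class>_out chain only jumps to
# <class>_all, whose single rule decides the packet's fate; the byte
# counters of those chains are what the traffic script reads later.
# Rule order on INPUT/OUTPUT, which is also the match order:
#   1. loopback and the router<->host pair are accepted outright
#   2. KILL addresses are dropped before any accounting
#   3. everything else passes total_in/total_out (RETURN, i.e. count only)
#   4. BVF, PAID and FREE addresses are accepted via local_*/extern_*
#   5. whatever is left is dropped (and counted) via kill_in/kill_out
# Bash is required: the address lists are arrays, so the old "#!/bin/sh"
# shebang only worked where sh happened to be bash.
set -u

echo firewall script started

CARD_MASK="192.168.1.2/32"
ROUTER="192.168.1.1/32"
BVF="84.17.243.19/32"
RANGE1="77.45.128.0/255.255.128.0"
RANGE2="80.82.32.0/255.255.224.0"
RANGE3="88.83.192.0/255.255.192.0"
FREE=("$RANGE1" "$RANGE2" "$RANGE3")
KILL=("80.82.32.10/32" "80.82.32.19/32")
PAID=("80.82.32.27/32" "80.82.32.11/32")
LOCAL="127.0.0.1/32"

# Default policies go in before the flush: the old rule set is then removed
# with DROP already in force, so there is never a moment where an inherited
# ACCEPT policy applies to an empty table, and a failure further down fails
# closed rather than open.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables --flush
iptables -X

# Accounting chains: <class>_in and <class>_out both feed <class>_all.
for cls in local extern total kill; do
  iptables -N "${cls}_in"
  iptables -N "${cls}_out"
  iptables -N "${cls}_all"
done
iptables -A local_all -j ACCEPT
iptables -A extern_all -j ACCEPT
iptables -A kill_all -j DROP
iptables -A total_all -j RETURN
for cls in local extern total kill; do
  iptables -A "${cls}_in" -j "${cls}_all"
  iptables -A "${cls}_out" -j "${cls}_all"
done

# 1. loopback and the router<->host pair
iptables -A INPUT -s "$LOCAL" -d "$LOCAL" -i lo -j ACCEPT
iptables -A OUTPUT -s "$LOCAL" -d "$LOCAL" -o lo -j ACCEPT
iptables -A INPUT -s "$ROUTER" -d "$CARD_MASK" -j ACCEPT
iptables -A OUTPUT -s "$CARD_MASK" -d "$ROUTER" -j ACCEPT

# 2. blocked addresses, dropped before they reach the total_* counters
#    (no -p: all protocols, which is also what "-p all" meant)
for addr in "${KILL[@]}"; do
  iptables -A INPUT -s "$addr" -j kill_in
  iptables -A OUTPUT -d "$addr" -j kill_out
done

# 3. count everything that gets this far (total_all RETURNs)
iptables -A INPUT -j total_in
iptables -A OUTPUT -j total_out

# 4. accepted traffic: BVF and FREE are counted as "local", PAID as "extern".
#    The BVF INPUT rule is tcp-only, exactly as in the original rule set.
iptables -A INPUT -p tcp -s "$BVF" -d "$CARD_MASK" -j local_in
iptables -A OUTPUT -s "$CARD_MASK" -d "$BVF" -j local_out
for addr in "${PAID[@]}"; do
  iptables -A INPUT -s "$addr" -j extern_in
  iptables -A OUTPUT -d "$addr" -j extern_out
done
for addr in "${FREE[@]}"; do
  iptables -A INPUT -s "$addr" -d "$CARD_MASK" -j local_in
  iptables -A OUTPUT -s "$CARD_MASK" -d "$addr" -j local_out
done

# 5. anything else is dropped (and counted) by kill_*
iptables -A INPUT -j kill_in
iptables -A OUTPUT -j kill_out
#iptables -A INPUT -p icmp -j ACCEPT
#iptables -A POSTROUTING -p all -s 127.0.0.1 -d 80.82.32.27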
Сообщение от :
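#!/usr/bin/env bash
#this script is provided "as is" with no warranty of any kind.
#this script can be freely distributed on the terms of GPL license
#Made by ErV ([email protected])
#
# Per-chain traffic accounting on top of iptables byte counters.
# Usage: traf [update|check|lock|unlock]  (dispatch is at the bottom).
# Counter files live under $DATA/<chain>/<year>/<month>/...; the layout for
# this run is derived once from the current date right here.
# Bash is required (arrays, base-prefixed arithmetic); the cron entry that
# drives "update" runs the script through bash explicitly.
BASE=/usr/lib/vsi-traf
DATA=$BASE/data
HOUR=$(date +%H)
DAY=$(date +%d)
# %W is zero-padded ("08", "09"): force base 10 so $(( )) does not reject
# the value as an invalid octal literal.  Weeks are folded into four slots.
WEEK=$(date +%W)
WEEK=$((10#$WEEK % 4))
MONTH=$(date +%m)
YEAR=$(date +%Y)
LOCK_FILE="$BASE/lock"
# Directory layout relative to a chain's directory.
MONTH_DIR="$YEAR/$MONTH"
WEEK_DIR="$MONTH_DIR/weeks"
DAY_DIR="$MONTH_DIR/$DAY"
# Counter file for each period, relative to a chain's directory.
BYTES_HOUR="$DAY_DIR/$HOUR:00-$HOUR:59"
BYTES_DAY="$MONTH_DIR/$DAY.total"
BYTES_WEEK="$WEEK_DIR/$WEEK.total"
BYTES_MONTH="$YEAR/$MONTH.total"
BYTES_YEAR="$YEAR.total"
# Stable symlink names that always point at the current period's file.
CURRENT_HOUR="this_hour"
CURRENT_DAY="this_day"
CURRENT_WEEK="this_week"
CURRENT_MONTH="this_month"
CURRENT_YEAR="this_year"
# Helper that prints a chain's byte count (and zeroes it).
GET_BYTES=$BASE/iptable.pl
# Chains to account; the trailing "" is the end-of-list sentinel used by
# for_each_chain.
CHAINS=(extern_in extern_out local_in local_out total_in total_out "")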
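#######################################
# Create a directory unless it already exists.
# Arguments: $1 - directory path
# Returns:   0 if the directory exists afterwards, mkdir's status otherwise
#######################################
force_directory(){
  # -d instead of -r: an existing directory is the condition that matters,
  # and -p lets a missing parent (e.g. after a manual cleanup) be recreated.
  [ -d "$1" ] || mkdir -p -- "$1"
}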
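#######################################
# Call a function once for every chain in CHAINS.
# Globals:   CHAINS (read) - chain names; an empty element ends the list
# Arguments: $1 - name of a function that accepts a chain name
#######################################
for_each_chain(){
  local chain
  for chain in "${CHAINS[@]}"; do
    # Keep the "" end-of-list sentinel semantics of the index-walking loop.
    [ -n "$chain" ] || break
    "$1" "$chain"
  done
}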
#######################################
# Make sure the per-chain directory tree for the current date exists.
# Globals:   DATA, YEAR, MONTH_DIR, WEEK_DIR, DAY_DIR (read)
# Arguments: $1 - chain name
#######################################
check_chain_dir(){
  local root="$DATA/$1"
  local sub
  # Parents first; every level is created below the chain's own directory.
  for sub in "" "$YEAR" "$MONTH_DIR" "$WEEK_DIR" "$DAY_DIR"; do
    force_directory "${root}${sub:+/$sub}"
  done
}
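#######################################
# Make sure a counter file exists and holds a value.
# Arguments: $1 - counter file path
#######################################
force_counter(){
  # -s: a missing *or empty* file is (re)initialised to 0.  An empty counter
  # would otherwise feed a blank value into the next increment.
  [ -s "$1" ] || echo "0" > "$1"
}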
#######################################
# Create this period's counter files for a chain and point the this_*
# symlinks at them.
# Globals:   DATA, BYTES_* and CURRENT_* (read); CHAIN_DIR (written, kept
#            global as before)
# Arguments: $1 - chain name
#######################################
check_chain_counters(){
  CHAIN_DIR="$DATA/$1"
  # Parallel lists: files[n] is the period's counter, links[n] its alias.
  local files=("$BYTES_HOUR" "$BYTES_DAY" "$BYTES_WEEK" "$BYTES_MONTH" "$BYTES_YEAR")
  local links=("$CURRENT_HOUR" "$CURRENT_DAY" "$CURRENT_WEEK" "$CURRENT_MONTH" "$CURRENT_YEAR")
  local n
  for n in 0 1 2 3 4; do
    force_counter "$CHAIN_DIR/${files[n]}"
  done
  for n in 0 1 2 3 4; do
    ln -s -f "$CHAIN_DIR/${files[n]}" "$CHAIN_DIR/${links[n]}"
  done
}
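#######################################
# Create the data root, every chain's directory tree and all counter files
# for the current date.
# Globals:   DATA (read)
#######################################
check(){
  # Quoted: an unquoted $DATA would be word-split if the path had a space.
  force_directory "$DATA"
  for_each_chain check_chain_dir
  for_each_chain check_chain_counters
}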
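#######################################
# Add a value to a counter file.
# Arguments: $1 - counter file, $2 - bytes to add (empty counts as 0)
# Returns:   0 on success; 1, leaving the file untouched, if either the
#            stored value or the increment is not a non-negative integer
#######################################
inc_counter(){
  local file=$1 add=${2:-0} cur=0 new
  if [ -s "$file" ]; then
    # read returns non-zero on a file without a trailing newline but still
    # fills $cur, so its status is deliberately ignored.
    IFS= read -r cur < "$file" || :
  fi
  [ -n "$cur" ] || cur=0
  case "$cur$add" in
    *[!0-9]*)
      printf 'inc_counter: non-numeric value for %s\n' "$file" >&2
      return 1
      ;;
  esac
  # Shell arithmetic replaces the bc pipeline.  The new value is computed
  # before the file is opened for writing, so a failure can no longer
  # truncate the counter the way "... | bc > $1" did; 10# guards against
  # leading zeros being read as octal.
  new=$((10#$cur + 10#$add))
  printf '%s\n' "$new" > "$file"
}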
#######################################
# Add the same byte count to every period counter of a chain.
# Globals:   DATA, BYTES_* (read); BYTES and CHAIN_DIR (written, kept
#            global as before)
# Arguments: $1 - chain name, $2 - bytes to add
#######################################
chain_inc_counters(){
  BYTES="$2"
  CHAIN_DIR="$DATA/$1"
  local period
  for period in "$BYTES_HOUR" "$BYTES_DAY" "$BYTES_WEEK" "$BYTES_MONTH" "$BYTES_YEAR"; do
    inc_counter "$CHAIN_DIR/$period" "$BYTES"
  done
}
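#######################################
# Fetch a chain's current byte count via GET_BYTES and add it to the
# chain's counters.
# Globals:   GET_BYTES (read)
# Arguments: $1 - chain name
# Returns:   1 without touching the counters if GET_BYTES fails
#######################################
chain_update_normal(){
  local bytes
  # Assignment kept separate from the capture so the helper's status is
  # visible; a failed read must not be booked as a (blank) increment.
  bytes=$("$GET_BYTES" "$1") || {
    printf 'chain_update_normal: %s failed for %s\n' "$GET_BYTES" "$1" >&2
    return 1
  }
  chain_inc_counters "$1" "$bytes"
}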
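#######################################
# Take the run lock.  The file is created with noclobber, so two "update"
# runs that race each other cannot both succeed (the old "test, then
# create" sequence could); the PID is stored for diagnosis.
# Globals:   LOCK_FILE (read)
# Returns:   0 if the lock was taken, 1 if it is already held
#######################################
lock(){
  # The subshell confines "set -C" so the rest of the script keeps normal
  # clobbering (counter files are rewritten in place).
  ( set -C; printf '%s\n' "$$" > "$LOCK_FILE" ) 2>/dev/null
}

#######################################
# Release the run lock.  A lock left by a crash or reboot is stale;
# "traf unlock" removes it by hand.
# Globals:   LOCK_FILE (read)
#######################################
unlock(){
  rm -f -- "$LOCK_FILE"
}

#######################################
# One accounting pass: take the lock, create this period's files, add each
# chain's byte count, release the lock.
# Outputs:   a diagnostic on stderr when another run holds the lock
#######################################
update_normal(){
  if lock; then
    # Release even if a helper exits the script midway.
    trap unlock EXIT
    check
    for_each_chain chain_update_normal
    unlock
    trap - EXIT
  else
    # stderr, so cron's "> /dev/null" on stdout does not hide the message.
    echo another instance already working >&2
  fi
}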
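# Command dispatch.  "lock" suspends updates deliberately; "unlock" clears a
# lock left behind by a crash or reboot.
case "${1-}" in
  check) check ;;
  update) update_normal ;;
  unlock) unlock ;; #use only after system restart!!!
  lock) lock ;;
  *)
    # Diagnostics go to stderr so cron's redirection of stdout keeps them.
    echo "unknown argument" >&2
    echo "usage traf [update|check|lock|unlock]" >&2
    ;;
esac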
Сообщение от :
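#!/usr/bin/perl
##
## This is a quick perl script to
## pull bandwidth usage from iptables chains
##
## If you use/optimize this script, please let me know.
## Brian Stanback : brian [at] stanback [dot] net
#
## Example iptables rule for web bandwidth usage:
## > iptables -N WWW
## > iptables -A WWW -j ACCEPT
## > iptables -A INPUT -p tcp -m tcp --dport 80 -j WWW
## > iptables -A OUTPUT -p tcp -m tcp --sport 80 -j WWW
##
## Run "iptables.pl WWW" as root to test, note that you can
## combine more than one protocol into a single chain.
##
## Sudo Configuration (/etc/sudoers)
## > www-data ALL = NOPASSWD: /usr/share/cacti/scripts/iptables.pl
##
## The Input String should be set to "sudo <path_cacti>/scripts/iptables.pl <chain>"
## and you will need to setup an input field so that the <chain> argument can be passed.
##
## The data input type should be set to COUNTER
##
#
#
# modified by: Paul Campbell <[email protected]>
# Now returns a seperate entry for each rule. Output for a
# 3 rule chain might now be:
# rule1:123 rule2:456 rule3:789
#
# Modified by ErV. Now outputs number of bytes only.
#
# Review notes on this revision:
#  - the chain name is validated before it reaches iptables.  The script is
#    documented to run via sudo from an unprivileged account, so an unchecked
#    argument was interpolated straight into a root shell command line;
#  - iptables is started without a shell (list-form open), and the counters
#    are listed and zeroed in one call (-L ... -Z), so bytes arriving between
#    a separate list and zero are no longer lost;
#  - rule byte counts are summed.  Printing $2 per rule with no separator
#    concatenated the digits of multi-rule chains, and a line that did not
#    match reused the previous match's $2.
use strict;
use warnings;

my $iptables = '/usr/sbin/iptables';

my $chain = $ARGV[0];
if (!defined $chain || $chain !~ /^[A-Za-z0-9_-]+$/) {
    print STDERR "Usage: $0 Chain\n";
    exit 1;
}

# -Z together with -L shows the counters immediately before clearing them.
open(my $fh, '-|', $iptables, '--line-numbers', '-xnvL', $chain, '-Z')
    or die "cannot run $iptables: $!\n";
my @lines = <$fh>;
close($fh);

# Drop the two header lines ("Chain ..." and the column titles).
splice(@lines, 0, 2);

my $bytes = 0;
foreach my $line (@lines) {
    # Columns with -xnv --line-numbers: num pkts bytes target ...
    if ($line =~ /^\s*(\d+)\s+(\d+)\s+(\d+)\s/) {
        $bytes += $3;
    }
}
print "$bytes\n";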
Сообщение от :
# Accounting pass every 5 minutes plus at :59 -- presumably so the last
# bytes of an hour are booked before the hourly file rolls over (confirm).
# Runs through bash explicitly because the script uses bash arrays; only
# stdout is discarded, stderr is left for cron to deliver.
*/5,59 * * * * /usr/bin/bash /usr/lib/vsi-traf/traffic.sh update > /dev/null