Monitoring Traffic Usage

Published on Tuesday, August 29, 2006

Status: Done!

One of the greatest benefits, in my opinion, of Cisco routers is the ability to generate netflows. In a lot of ways, I would prefer to do this than implement some appliance (say, using ntop). The ability to analyse the amount of traffic becomes extremely valuable. Not only can one measure the amount of traffic, but the type of traffic that is being generated through the network.

Using a similar configuration, I setup all four Ciscos to export netflows that stream back to a server in the States. I decided to use nfdump as a collector. After the dumps are collected, it is simple to setup nfsen to parse and analyse the received flows. It even allows you to generate really pretty graphs.

So, why do this? For starters, collecting netflows allows the basic analysis of data, which can tell you several things. You can know instantly how saturated your connection is, if there are any anomalies, if there is any file sharing going on or when heavy traffic usage is. For instance, if the connection becomes slow during the end of the day, you can analyse what protocol is used the most during that time. Or, as was my case, hunting down virus infected computers that were fully saturating a 10mbit pipe.

A week in the life of NFSEN:

Quick n' Dirty Firewall

Published on Tuesday, August 15, 2006


The following is a Quick n' Dirty method at implementing a very simple firewall.

Locate IPTables

Depending on your server, first locate iptables:

 [root@vps /]# which iptables 

Create IP Based Accept/Deny

Create a whitelist (ignored by firewall) or blacklist (packet dropped) if you wish:

 [root@vps /]# vi /usr/local/etc/whitelist.txt 


[root@vps /]# vi /usr/local/etc/blacklist.txt 

In each file, add each IP per line, for instance: Script

Then put the following in /etc/init.d/, and edit to fit your needs:

## Quick n Dirty Firewall
## List Locations


## Specify ports you wish to use.

ALLOWED="22 25 53 80 443 465 587 993"

## Specify where IP Tables is located


## Clear current rules

echo 'Clearing Tables F'
echo 'Clearing Tables X'
echo 'Clearing Tables Z'
echo 'Allowing Localhost'

#Allow localhost.
$IPTABLES -A INPUT -t filter -s -j ACCEPT

## Whitelist

for x in `grep -v ^# $WHITELIST | awk \'{print $1}\'`; do
        echo "Permitting $x..."
        $IPTABLES -A INPUT -t filter -s $x -j ACCEPT

## Blacklist

for x in `grep -v ^# $BLACKLIST | awk \'{print $1}\'`; do
        echo "Denying $x..."
        $IPTABLES -A INPUT -t filter -s $x -j DROP

## Permitted Ports

for port in $ALLOWED; do
        echo "Accepting port TCP $port..."
        $IPTABLES -A INPUT -t filter -p tcp --dport $port -j ACCEPT

for port in $ALLOWED; do
        echo "Accepting port UDP $port..."
        $IPTABLES -A INPUT -t filter -p udp --dport $port -j ACCEPT

## Drop anything else

$IPTABLES -A INPUT -p tcp --syn -j DROP

Start Firewall

 [root@vps /]# chmod 700 /etc/init.d/
  [root@vps /]# /etc/init.d/