Friday, 24 September 2010

Bandwidth monitoring with iptables


Most of the time we use iptables to set up a firewall on a machine, but iptables also provides packet and byte counters. Every time an iptables rule is matched by incoming or outgoing traffic, the kernel increments that rule's count of packets and of bytes that passed through it.

It is easy to make use of this feature and create a number of "pass-through rules" in the firewall. These rules do not block or reroute any data, but rather keep track of the amount of data passing through the machine. By using this feature, we can build a simple, effective bandwidth monitoring system that does not require additional software.

Depending on how the firewall rules are set up, the setup for bandwidth monitoring may be very simple or very complex. For a desktop computer, you may need to create only two rules to log the total input and output. A system acting as a router could be set up with additional rules to show the totals for one or more subnets, right down to the individual IP address within each subnet. In addition to knowing exactly how much bandwidth each host and subnet on the network is using, this system could be used for billing or chargeback purposes as well.

Rules setup

The rules setup itself is quick and straightforward, and takes only a few minutes. Obviously, you need to be root or use sudo to insert iptables rules.

The examples in this article are based on a router that provides Internet service to various towns. The iptables rules keep track of how much bandwidth each town uses and how much bandwidth each customer in that town uses. At the end of each month, an administrator checks the counters. Individuals who used more than their allowance are billed for the excess, the counters are reset to zero, and the process is repeated at the beginning of the next month.

The IP addresses in this article are modified from the real addresses. We'll use the private IP space 192.168.0.0/16, subnetted into smaller blocks.

First, we will create two custom chains for the two towns and put town-specific rules in them. This will keep the built-in FORWARD chain relatively clean and easy to read. In this example, the FORWARD chain will only provide the global counters (all customers combined on a per-town basis).

iptables -N town-a
iptables -N town-b

The next data element is the total bandwidth counter. Because this machine is a router only, the INPUT and OUTPUT chains are of little interest. This machine will not be generating a significant amount of bandwidth (i.e., it is not serving as a mail or Web server), nor will it be receiving significant uploads from other hosts.

Total bandwidth downloaded by and uploaded to the two towns combined:

iptables -A FORWARD

This is the easiest of rules. The rule will match any source and any destination. Everything that is being passed through this router matches this rule and will provide the total of combined downloaded and uploaded data.

We also want to see how much each town downloads and uploads separately:

# Town A Downloads
iptables -A FORWARD -d 192.168.1.0/26 -j town-a

# Town A Uploads
iptables -A FORWARD -s 192.168.1.0/26 -j town-a

# Town B Downloads
iptables -A FORWARD -d 192.168.1.64/27 -j town-b

# Town B Uploads
iptables -A FORWARD -s 192.168.1.64/27 -j town-b

The use of source and destination in the rules above may be confusing. Destinations are usually equated with uploads and sources with downloads, and that holds when the data is destined for the router itself or originates from the router itself.

In this application, however, the perspective is reversed. The router is forwarding (uploading) data to a destination, but from the customer's point of view that data is being received: the customer is downloading it. When dealing with customers, the terminology is what they downloaded, not what the router uploaded to them. This is why, in the FORWARD chain, destination and source take on reversed meanings.

The rules created above give us separate totals for all downloads to and uploads from each individual town. This is accomplished by matching the source and destination of all traffic through the router for a town's specific subnet. After a rule is matched, the -j option invokes a jump to one of the custom chains. These custom chains can then be used to add additional rules pertaining to the subnet. For instance, rules can be created for each individual IP address in that subnet to track bandwidth on a per-host basis:

# Town A, Host 192.168.1.10 Download
iptables -A town-a -d 192.168.1.10

# Town A, Host 192.168.1.10 Upload
iptables -A town-a -s 192.168.1.10

You can repeat this for every IP address in each town's subnet.
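As an added example (not from the article), the rules above can be generated in one go as an iptables-restore fragment rather than issued one iptables call at a time, which also makes the rule set reviewable before it is loaded. The one-line-per-town spec format, the gen_accounting_rules function and the sample spec are assumptions of this example; the subnets and hosts mirror the article's towns.

```shell
#!/bin/sh
# Added example, not from the article: build the whole accounting rule set as an
# iptables-restore fragment instead of issuing one iptables call per rule.
# Spec format (an assumption of this example), one line per town:
#   <chain> <subnet> <host> [<host> ...]
# Load the output as root with:  iptables-restore --noflush < accounting.rules

gen_accounting_rules() {
    spec=$1
    printf '*filter\n'
    # 1. declare the per-town chains; [0:0] are the initial packet:byte counters
    printf '%s\n' "$spec" | while read -r chain subnet hosts; do
        [ -n "$chain" ] || continue
        printf ':%s - [0:0]\n' "$chain"
    done
    # 2. the global counter: a rule with no match and no target matches every
    #    forwarded packet and simply counts it
    printf '%s\n' "-A FORWARD"
    # 3. per-town counters. From the customer's point of view -d (traffic to the
    #    town) is a download and -s (traffic from the town) an upload; each rule
    #    then jumps into the town chain for the per-host breakdown
    printf '%s\n' "$spec" | while read -r chain subnet hosts; do
        [ -n "$chain" ] || continue
        printf '%s\n' "-A FORWARD -d $subnet -j $chain"
        printf '%s\n' "-A FORWARD -s $subnet -j $chain"
        # 4. per-host download/upload counters inside the town chain
        for host in $hosts; do
            printf '%s\n' "-A $chain -d $host"
            printf '%s\n' "-A $chain -s $host"
        done
    done
    printf 'COMMIT\n'
}

# Constructed sample spec mirroring the article's two towns
SAMPLE_SPEC='town-a 192.168.1.0/26 192.168.1.10 192.168.1.11
town-b 192.168.1.64/27 192.168.1.70'

gen_accounting_rules "$SAMPLE_SPEC"
```

Because the output is plain text, it can be kept under version control and diffed against `iptables-save` output to confirm the running counters belong to the rules you expect.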

Bandwidth statistics

Viewing the current bandwidth usage is a matter of running iptables with the -L and -v options. The -L option lists the rules in a chain (or in all chains if none is given). The -v option makes the listing verbose and adds the packet and byte counters we are interested in. I also recommend the -n option to suppress DNS lookups: iptables then prints IP addresses without trying to resolve them to hostnames, which would put extra, unnecessary load on the router.

The output below is modified from the full output for brevity:


root@raptor:~# iptables -L -v -n

Chain FORWARD (policy ACCEPT 7936M packets, 3647G bytes)
 bytes target  source           destination
  338G         0.0.0.0/0        0.0.0.0/0
  104G town-a  0.0.0.0/0        192.168.1.0/26
   40G town-a  192.168.1.0/26   0.0.0.0/0
   20G town-b  0.0.0.0/0        192.168.1.64/27
   12G town-b  192.168.1.64/27  0.0.0.0/0


This snippet shows that towns A and B combined have downloaded and uploaded a total of 338GB. Town A accounts for 104GB downloaded and 40GB uploaded. The chain header line shows a larger total, 3,647GB: that is all data routed since the router was last restarted or, more precisely, since the iptables modules were last loaded into the kernel.

When a chain is zeroed with the -Z option (resetting every rule counter in the chain to zero), the counter in the chain header is not reset. For this reason, I recommend creating a dedicated total rule, so that resetting the total takes a single command instead of unloading modules, restarting the server, or juggling the iptables-save and iptables-restore commands.

Scrolling further down the output shows the individual IP addresses. Example for Town A:


Chain town-a (2 references)
 bytes source        destination
   32G 0.0.0.0/0     192.168.1.10
  282M 192.168.1.10  0.0.0.0/0
 1521M 0.0.0.0/0     192.168.1.11
  656M 192.168.1.11  0.0.0.0/0


This output breaks the total bandwidth of Town A down further, to the individual customers.

The "2 references" shown in the iptables output refer to the two rules in the FORWARD chain that jump to this chain.
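Reading the counters by eye works for two towns; for a billing run you want the listing turned into numbers. The following is an added example, not code from the article: it parses the output of `iptables -L town-a -v -n -x` (the -x option prints exact byte counts instead of the rounded 32G-style figures, which matters when the numbers end up on an invoice) into a per-host download/upload report and flags hosts over a quota. The summarize_chain and over_quota functions and the sample listing are constructed for this example. One detail the parser handles: pure counting rules have no target, so the target column is simply absent and the column positions shift; source and destination are therefore read as the last two columns, which works for both the FORWARD listing (with a target) and the town chains (without one).

```shell
#!/bin/sh
# Added example, not from the article: turn the listing of a town chain into a
# per-host download/upload report and flag hosts over a quota.
# Input: the output of  iptables -L town-a -v -n -x  on stdin.

# summarize_chain: prints "host download_bytes upload_bytes", one line per host
summarize_chain() {
    awk '
        /^Chain / || /^ *pkts +bytes/ { next }   # chain header and column header
        NF < 8 { next }                          # blank or unexpected lines
        {
            bytes = $2; src = $(NF - 1); dst = $NF
            # Counting rules have no target, so the "target" column is missing
            # and positions shift; source and destination are always the last
            # two columns, so address them from the end of the line.
            if (dst != "0.0.0.0/0")      { down[dst] += bytes; seen[dst] = 1 }  # -d rule: download
            else if (src != "0.0.0.0/0") { up[src]  += bytes; seen[src] = 1 }  # -s rule: upload
        }
        END { for (h in seen) printf "%s %.0f %.0f\n", h, down[h] + 0, up[h] + 0 }
    ' | sort
}

# over_quota LIMIT_BYTES: reads the summary, prints "host total_bytes" for hosts above the limit
over_quota() {
    awk -v limit="$1" '$2 + $3 > limit { printf "%s %.0f\n", $1, $2 + $3 }'
}

# Constructed sample listing in the format of  iptables -L town-a -v -n -x
SAMPLE_LISTING='Chain town-a (2 references)
    pkts      bytes target     prot opt in     out     source               destination
 2400000 34359738368            all  --  *      *       0.0.0.0/0            192.168.1.10
  300000   295698432            all  --  *      *       192.168.1.10         0.0.0.0/0
  120000  1594884096            all  --  *      *       0.0.0.0/0            192.168.1.11
   90000   687865856            all  --  *      *       192.168.1.11         0.0.0.0/0'

printf '%s\n' "$SAMPLE_LISTING" | summarize_chain
printf '%s\n' "$SAMPLE_LISTING" | summarize_chain | over_quota 10000000000
```

Run it against the live router with `iptables -L town-a -v -n -x | summarize_chain`; the quota value is in bytes, so a 10 GB allowance is 10000000000.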

Saving data across reboots

If you reboot the machine or unload the iptables kernel modules, you lose all of your packet and byte counters. If the counters are used for billing, you will want to back up the running counters and, after a reboot, restore them rather than start from zero.

The iptables package comes with two programs that help here: iptables-save and iptables-restore. Both must be told explicitly, with the -c command-line option, to include the packet and byte counters when saving and restoring.

The backup and restore process is straightforward. To back up your iptables data, use iptables-save -c > iptables-backup.txt. To restore the data after a reboot, use iptables-restore -c < iptables-backup.txt.
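The monthly routine from the introduction (save the counters, bill, zero the chains) is where a lost save hurts most, so the order of operations deserves a script. The following is an added example, not the article's own code: it saves with -c to a dated file, refuses to zero anything unless the dump actually contains [packets:bytes] counter prefixes, and only then runs -Z on FORWARD and each town chain. The function names and the IPTABLES_SAVE / IPTABLES / IPTABLES_RESTORE override variables are assumptions of this example, there so the logic can be dry-run without root.

```shell
#!/bin/sh
# Added example, not from the article: a month-end close for billing counters.
# Order matters: save WITH counters first, verify the dump really contains
# counters, and only then zero the chains. The override variables below are an
# assumption of this example so the logic can be exercised without root.
IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}
IPTABLES=${IPTABLES:-iptables}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-iptables-restore}

# month_end_archive DIR CHAIN...: prints the archive path on success, returns 1 on failure
month_end_archive() {
    dir=$1; shift
    archive="$dir/counters-$(date +%Y-%m-%d).txt"
    # -c prefixes every rule with [packets:bytes], which iptables-restore -c reads back
    if ! "$IPTABLES_SAVE" -c > "$archive"; then
        echo "save failed, counters NOT zeroed" >&2
        return 1
    fi
    # No counter-prefixed rule at all means -c was not honoured or the ruleset is
    # empty; either way, zeroing now would destroy the only copy of the numbers.
    if ! grep -q '^\[[0-9]*:[0-9]*\] -A ' "$archive"; then
        echo "no counters in $archive, counters NOT zeroed" >&2
        return 1
    fi
    # Start the new billing period: zero the global FORWARD rules and each town chain
    for chain in FORWARD "$@"; do
        "$IPTABLES" -Z "$chain" || return 1
    done
    echo "$archive"
}

# restore_counters FILE: after a reboot, reload rules and counters instead of starting from zero
restore_counters() {
    "$IPTABLES_RESTORE" -c < "$1"
}

# usage (as root):  month_end_archive /var/backups/iptables town-a town-b
```

Keeping the archive directory on persistent storage and copying it off the router is what turns the counters into billing records that survive both reboots and hardware failures.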

Conclusion

Iptables provides a quick and easy way to track bandwidth usage without having to install additional software. You have, and probably already use, the tools needed to accomplish this monitoring.

The flexibility and power of iptables allows for more complex monitoring scenarios. You can create rules to not only track different subnets, but also to track specific ports and protocols, which lets you track exactly how much of each customer's traffic is Web, email, file sharing, etc.

In addition, these bandwidth monitoring rules can also become blocking rules. If a host has used too much bandwidth, its rule in a town's specific chain can be modified by adding -j DROP to both the download and upload rules. This effectively stops traffic being routed to and from that host.


You can see the original source here.

Thursday, 23 September 2010

STATE PROGRAMMING CONTEST AT THE ITSZ



Well, here I leave the news story from when the Tuxinator team (Miguel Angel, Jonathan and yours truly, Armando) won the first ACM state programming contest almost a year ago, where, incidentally, the school we represented never gave us the public recognition we deserved for having honoured the name of our institution.

ZAMORA, MICH.- The ITESZ hosted the first State Programming Contest. The picture shows the first-place winners, students from the Tecnológico de Morelia.



ZAMORA, MICH.- The State Programming Contest of the Association for Computing Machinery (ACM) was held successfully in Zamora, at the Instituto Tecnológico de Estudios Superiores de Zamora (ITESZ), which is its state venue.

"Keeping up to date and academic advancement based on the new techniques of knowledge for the student are the fundamental objectives sought with academic competitions such as this State Programming Contest," said Jesús Chávez Anaya, academic director of the ITESZ, during the awards ceremony for the top three places in this contest, in which more than 100 students from 11 technological institutes, both federal and decentralized, located in the state of Michoacán took part.

First place went to the computer systems students from the Instituto Tecnológico de Morelia, Armando de Jesús Montoya Hernández, Jonathan Israel Fernández Abarca and Miguel Angel Alcalá Ordaz, who won 5 thousand pesos and the right to advance to the regional contest.

Second place was won by students from the Instituto Tecnológico Superior de Los Reyes, who received 3 thousand pesos; they are Justo Diego Ulises David, Arturo Emanuel García Contreras and Cristóbal Sánchez Ceja. Third place went to the ITESZ students José David Jacobo Guillén, Daniel Eduardo Madrigal Díaz and Gustavo Armando O´Henrry, who each received a 16-gigabyte memory stick.

The event took place in the institution's multi-purpose classroom. Present were Amauri López Calderón, director of Planning of the ITESZ, as well as the academic director, Jesús Chávez Anaya. Also taking part were Celia Villanueva González, councillor for Education, Culture and Special Abilities of the Zamora City Council; José Luis Manzo Bautista, coordinator of the Bachelor's in Computer Science and Computer Systems Engineering programmes; Agustín Rosas Nava, administrative deputy director of the Tecnológico; and, as judge and ACM representative in Mexico, Alberto la Madrid Alvarez.

Speaking on behalf of the general director of the ITESZ, Jorge Delgado Contreras, the academic director, Jesús Chávez, stressed that this state contest sets a precedent in the academic life of Michoacán, since it is the first time an event of this kind has been held in the state.

He pointed out that the contest itself is conducive to an exchange of knowledge among the students of the technological institutes of Michoacán, as well as to a healthy competition on the basis of which the performance and level of knowledge of the ITESZ students can be measured.

Next year the ITESZ will seek to be the regional venue for this event, which will involve the participation of students from technological institutes and universities from at least 8 states of the Mexican Republic.

Finally, the ACM representative, an affiliate of IBM Mexico, urged the students to keep participating in events like this one, whose aims include the creation of software and programs useful to the performance and development of the productive sectors.

The winning students will take part at the end of this month in the regional contest in the city of Querétaro, then move on to the national contest, and those who win there will qualify for the world finals, to be held in China at the end of the year.
 
The original source is here.

Monday, 20 September 2010

Oracle MySQL rival PostgreSQL updated

While Oracle trumpets its open source MySQL database management system this week at the company's OpenWorld conference, the creators behind MySQL's rival, PostgreSQL, have released a major new version of their rival database software.

The newly released version 9 of PostgreSQL includes a number of new features that are potentially appealing to enterprise users. It includes the ability to do streaming replication, the upgrade process has been made considerably easier, and for the first time, it can run natively on clients running the 64-bit version of Microsoft Windows.

For this release, the developers applied "the mainstream polish on the database, and not [have] it just be something for open-source people," said Bruce Momjian, a core developer to the open-source project, in a previous interview with the IDG News Service.

"We're now focusing on ease of use, ease of administration, and providing the type of facilities that we think large organizations need," he said.

In conjunction with this release, EnterpriseDB, which offers enterprise support and related software for PostgreSQL, has updated its Postgres Plus line of products to support PostgreSQL version 9.


The original source can be found here.

Thursday, 9 September 2010

Scientists develop device to enable improved global data transmission


Researchers have developed a new data transmission system that could substantially improve the transmission capacity and energy efficiency of the world’s optical communication networks.

Transmission of data through optical networks is currently limited by ‘phase noise’ from optical amplifiers and ‘cross talk’ induced by interaction of the signal with the many other signals (each at a different wavelength) simultaneously circulating through the network. ‘Phase noise’ is the rapid, short-term, random fluctuations in the phase of a signal, which affects the quality of the information sent and results in data transmission errors. ‘Cross talk’ refers to any signal unintentionally affecting another signal.

Now, researchers working on the EU-funded FP7 PHASORS project, led by the University of Southampton’s Optoelectronics Research Centre (ORC), have announced a major advance in the potential elimination of this interference.

Traditionally optical data has been sent as a sequence of bits that were coded in the amplitude of the light beam, a system that was simple and practical but inefficient in its use of bandwidth. Until recent years, this wasn’t a problem given the enormous data-carrying capacity of an optical fibre. However, the introduction of bandwidth-hungry video applications, such as YouTube, and the continued growth of the internet itself have led to increasing interest in finding more efficient data signalling formats – in particular, schemes that code data in the phase rather than amplitude of an optical beam.

In a paper published this week in the journal Nature Photonics, scientists on the PHASORS project announced the development of the first practical phase sensitive amplifier and phase regenerator for high-speed binary phase encoded signals. This device, unlike others developed in the past, eliminates the phase noise directly without the need for conversion to an electronic signal, which would inevitably slow the speeds achievable.

The device takes an incoming noisy data signal and restores its quality by reducing the build-up of phase noise and, at the same time, any amplitude noise.

ORC Deputy Director and PHASORS Director, Professor David Richardson comments: “This result is an important first step towards the practical implementation of all-optical signal processing of phase encoded signals, which are now being exploited commercially due to their improved data carrying capacity relative to conventional amplitude coding schemes.

“Our regenerator can clean noise from incoming data signals and should allow for systems of extended physical length and capacity. Achieving this result, a major goal of the PHASORS project, has required significant advances in both optical fibre and semiconductor laser technology across the consortium. We believe this device and associated component technology will have significant applications across a range of disciplines beyond telecommunications – including optical sensing, metrology, as well as many other basic test and measurement applications in science and engineering.”

The PHASORS project, which started in 2008, was tasked with developing new technology and components to substantially improve the transmission capacity and energy efficiency of today’s optical communication networks.

The project combines the world-leading expertise of research teams from the ORC, Chalmers University of Technology (Sweden), the Tyndall National Institute at University College Cork (Ireland), the National and Kapodistrian University of Athens (Greece), and leading industrial partners Onefive GmbH (Switzerland), Eblana Photonics (Ireland) and OFS (Denmark).


Original Source here.

Tuesday, 7 September 2010

Installing Centreon/Nagios


Well, a promise is a promise, so here I leave a bit of the Centreon documentation in Spanish. I should make clear that it is not all of it, since it is far too long to translate in full and, frankly, work doesn't leave me the time. It is, however, enough to get a monitoring system based on Centreon/Nagios up and running.

http://es.scribd.com/doc/53331474/Instalacion-y-configuracion-de-Centreon-2-con-FAN

http://es.scribd.com/doc/54214705/Instalacion-y-configuracion-de-Centreon-2

If you cannot access it, please send me an email at: decibel.elektrobeat at gmail