
 

NeTAMS on PC-router


In most cases a PC router is connected to the network as follows: the computer has two network cards, one leading to the office or home local network, the other to the Internet provider. Routing and (possibly) address translation are set up between the network interfaces. It is necessary to account for users' traffic and, if need be, to block some of them from access to the external network.

We leave the installation and configuration of the operating system, MySQL, Apache, routing, address translation and so on to the administrator's conscience. We assume that everything (except traffic accounting) already works. NeTAMS has been downloaded and compiled, and the executables have been copied where they belong, but there is no configuration file yet.

Assume that the internal address of the server's interface eth1 is 192.168.0.1, netmask 255.255.255.0. Computers on the internal network may have addresses from 192.168.0.2 to 192.168.0.254, while so far only three computers are actually installed, with addresses 10, 11 and 12.

It is necessary to count total traffic, traffic only to Russian networks, and all HTTP traffic.
The configuration file /etc/netams.cfg looks like this:
debug none
user name admin real-name Vasya_Pupkin password aaa email root permit all
schedule time daily action "send report to admin on LAN on NETWORK+"

service server 0
login local
listen 20001
max-conn 6

service processor 0
lookup-delay 20
flow-lifetime 120
policy name ip target proto ip
policy name www target proto tcp ports 80 
policy name rus target file /etc/ru-networks.txt
restrict all drop local pass
unit group name NETWORK acct-policy ip tcp !rus
unit net name LAN ip 192.168.0.0 mask 255.255.255.0 no-local-pass acct-policy ip tcp !rus
unit host name server ip 192.168.0.1 parent NETWORK acct-policy ip tcp !rus
unit user name petya ip 192.168.0.10 parent NETWORK password abc acct-policy ip tcp !rus
unit user name fedya ip 192.168.0.11 parent NETWORK password def acct-policy ip tcp !rus
unit user name masha ip 192.168.0.12 parent NETWORK password ghi acct-policy ip tcp !rus
storage 1 all

service storage 1
type mysql

service data-source 1
type libpcap
source eth1
rule 11 "ip"

service alerter 0
report oid 06100 name rep1 type traffic period day detail simple
smtp-server 127.0.0.1

service html 0
path /var/www/traffic
language en
run 5min
htaccess yes
client-pages all
It is useful to go through the whole configuration file line by line.

1	debug none
2	user name admin real-name Vasya_Pupkin password aaa email root permit all
3	schedule time daily action "send report to admin on LAN on NETWORK+"
These commands configure service main; writing "service main" explicitly is not necessary. First, output of all debugging information is switched off, which keeps the log file small. Next, a NeTAMS user with administrative rights (permit all) is created. The password given here, "aaa", will subsequently be stored in encrypted form. Traffic reports will be sent to the address "root". The third line schedules a daily traffic report to user admin at the address root@, covering the units LAN and NETWORK (together with all units that belong to the group).

The empty line, number 4, separates the settings of different services (here main and server).

5	service server 0
6	login local
7	listen 20001
8	max-conn 6
These commands configure service server, which lets the administrator and scripts connect to the running NeTAMS instance over the telnet protocol. Incoming connections are accepted only on the local address 127.0.0.1, port 20001, and no more than six simultaneous connections are possible. According to the previous lines, only one user can connect, with login "admin" and password "aaa"; there are simply no others.

9
An empty line separates the commands of services server and processor from each other.

10	service processor 0
11	lookup-delay 20
12	flow-lifetime 120
13	policy name ip target proto ip
14	policy name www target proto tcp ports 80 
15	policy name rus target file /etc/ru-networks.txt
16	restrict all drop local pass
The main service, processor, is configured here. Lines 10 and 11 set the parameters that control how often the list of units is checked and how long a write to the database is deferred. The values shown are optimal for most tasks. The next three lines define the policies by which traffic will be counted. Policy "ip" matches all IP traffic, "www" only traffic on TCP port 80, and "rus" traffic whose addresses match the table of Russian networks contained in the prefix file /etc/ru-networks.txt. This file ships with the NeTAMS distribution, in the addon/ directory. The last, 16th line defines what to do with packets that have been checked against the list of units and matched (or did not match) some unit. The configuration shown passes packets that belong to units present in the configuration file and does not pass the rest. It is worth using exactly this combination, since it helps keep "illegal" computers off the network.

17	unit group name NETWORK acct-policy ip tcp !rus
18	unit net name LAN ip 192.168.0.0 mask 255.255.255.0 no-local-pass acct-policy ip tcp !rus
19	unit host name server ip 192.168.0.1 parent NETWORK acct-policy ip tcp !rus
20	unit user name petya ip 192.168.0.10 parent NETWORK password abc acct-policy ip tcp !rus
21	unit user name fedya ip 192.168.0.11 parent NETWORK password def acct-policy ip tcp !rus
22	unit user name masha ip 192.168.0.12 parent NETWORK password ghi acct-policy ip tcp !rus
The units, or accounting objects, are defined here. First a group is created, which will be the parent of the units included in it. Next comes a unit that denotes the whole subnet. Then come the units that represent individual computers. Each unit is given the same set of accounting policies; note the inversion flag, the "!" sign, on the policy "rus". Unit LAN also has the parameter no-local-pass, which makes it treat as non-local all packets that belong to the network but are not described by another unit; this is how we catch "unknown connections". The last three units also have a password, which can be used to access individual statistics in the form of HTML pages.
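A consistency check for the policy, restrict and unit lines described above, added here as an example (it is not part of NeTAMS or of the original page): it verifies that the restrict rule is the drop-unknown combination, that every acct-policy name has a matching "policy name" line, and that each host or user address falls inside a "unit net". The unit "guest" and the function names are hypothetical, and the parser assumes acct-policy is the last keyword on a unit line.

```python
import ipaddress
import shlex

# Constructed sample: lines from the page's listing plus a hypothetical out-of-LAN unit "guest".
SAMPLE_CFG = """\
policy name ip target proto ip
policy name www target proto tcp ports 80
policy name rus target file /etc/ru-networks.txt
restrict all drop local pass
unit group name NETWORK acct-policy ip tcp !rus
unit net name LAN ip 192.168.0.0 mask 255.255.255.0 no-local-pass acct-policy ip tcp !rus
unit user name petya ip 192.168.0.10 parent NETWORK password abc acct-policy ip tcp !rus
unit user name guest ip 192.168.1.20 parent NETWORK acct-policy ip
"""

def parse(cfg_text):
    """Return (policy names, unit dicts, restrict arguments) found in cfg_text."""
    policies, units, restrict = set(), [], None
    for line in cfg_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["policy", "name"]:
            policies.add(tok[2])
        elif tok[:1] == ["restrict"]:
            restrict = tok[1:]
        elif tok[:1] == ["unit"]:
            # Assumption: acct-policy is the last keyword on a unit line, as on the page.
            cut = tok.index("acct-policy") if "acct-policy" in tok else len(tok)
            head = [t for t in tok[2:cut] if t != "no-local-pass"]  # drop the bare flag
            unit = dict(zip(head[::2], head[1::2]))                  # keyword/value pairs
            # "!" only inverts a policy match, so strip it before the name lookup.
            unit.update(type=tok[1], acct=[p.lstrip("!") for p in tok[cut + 1:]])
            units.append(unit)
    return policies, units, restrict

def audit(cfg_text):
    """List mismatches between policies, units and the restrict rule."""
    policies, units, restrict = parse(cfg_text)
    findings = []
    if restrict != ["all", "drop", "local", "pass"]:
        findings.append("restrict is not 'all drop local pass'")
    nets = [ipaddress.ip_network(f"{u['ip']}/{u['mask']}") for u in units if u["type"] == "net"]
    for u in units:
        findings += [f"{u['name']}: acct-policy '{p}' has no 'policy name' line"
                     for p in u["acct"] if p not in policies]
        if u["type"] in ("host", "user") and not any(
                ipaddress.ip_address(u["ip"]) in n for n in nets):
            findings.append(f"{u['name']}: {u['ip']} is outside every 'unit net'")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CFG)))
```

Run over these lines, it reports that the units reference a policy called tcp while the file defines only ip, www and rus, and that guest lies outside 192.168.0.0/255.255.255.0.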

23	storage 1 all
This tells service processor to save statistics in the storage described by service storage number 1. In this case records will be written to both tables at once, raw and summary.

25	service storage 1
26	type mysql
The storage for the statistics is defined. The storage type is MySQL; the default settings will be used to access the database: user name root, empty password, SQL server running on the same machine (connection through a unix socket). The database name is netams.

27	service data-source 1
28	type libpcap
29	source eth1
30	rule 11 "ip"
This defines how traffic data gets into NeTAMS. Interface eth1 (Linux) will be used, and all IP traffic passing through it will be captured (via the libpcap mechanism, on which tcpdump, for example, is built). The rule number, "11", has no meaning in this case.

32	service alerter 0
33	report oid 06100 name rep1 type traffic period day detail simple
34	smtp-server 127.0.0.1
So that the users and the administrator can receive statistics by e-mail, service alerter is configured, with the type of report and the address of the SMTP server (in this case the local computer on which NeTAMS runs). Make sure that on the machine specified your sendmail/postfix/exim/etc. is running and configured to accept mail. At present the type of report cannot be chosen; instead, line 33 has to be written out in full, as shown.

36	service html 0
37	path /var/www/traffic
38	language en
39	run 5min
40	htaccess yes
41	client-pages all
Service html automatically generates HTML pages with the reports. The netams process will create these pages every 5 minutes and put them into the directory /var/www/traffic. In this case the language of the pages is English (there are no others so far). Both the administrator part and the client part of the page tree will be created. Access to the statistics will be protected by password (admin:aaa for the administrator part; for clients, their own logins and passwords). If Apache is configured as follows:
ServerName www.company.ru
<Directory /var/www/traffic>
	Options FollowSymLinks ExecCGI Indexes
	AllowOverride All
</Directory>
Alias /stat/ /var/www/traffic/
then the administrator gets access at http://www.company.ru/stat/, and Fedya at http://www.company.ru/stat/clients/fedya/ (Fedya's login and password will be requested).
