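#!/bin/sh
##-----------------------------------------------------------------------------
## /etc/rc.d/rc861.accounting - insert accounting-rules             __FLI4LVER__
##
## Creation:    05.06.2002  Michael Knipping
## Last Update: $Id$
##
## Copyright (c) 2002-2009 - Michael Knipping
## Copyright (c) 2009-2016 - fli4l-Team
##-----------------------------------------------------------------------------
#
# Creates the accin/accout/accinlive/accoutlive chains, hooks them into
# FORWARD (and INPUT when ACCOUNTING_LOCALTRAF=yes), excludes the known
# local hosts from accounting, installs the cron jobs and writes
# /etc/accounting.conf.  Uses the fli4l rc helpers begin_script, add_chain,
# flush_chain, ins_rule, add_rule, add_crontab_entry, log_error and
# end_script, which must already be in scope.

if [ "$OPT_ACCOUNTING" = yes ]; then
    begin_script ACCOUNTING "inserting accounting rules ..."

    iplist=''
    acc_ifs=''
    workdir="/var/run/accounting"
    mkdir -p "$workdir"
    # scratch file for mkdir/redirect diagnostics; kept under the root-owned
    # $workdir instead of a predictable name in the world-writable /tmp
    errfile="$workdir/acc.err.$$"

    #######################################
    # Exclude one IP from accounting (RETURN rules in all four chains)
    # unless it is empty or already listed in $iplist.
    # Globals:   iplist (read/written)
    # Arguments: $1 - IP address, $2 - rule comment
    #######################################
    add_acc_ip() {
        [ "$1" ] || return 0
        # whole-word match; a bare *$1* would treat 10.0.0.1 as already
        # present when 10.0.0.10 is in the list
        case " $iplist " in
            *" $1 "*) return 0 ;;   # already present
        esac
        iplist="$iplist $1"
        for c in "" live; do
            add_rule filter "accin$c"  "any $1 RETURN" "$2"
            add_rule filter "accout$c" "$1 any RETURN" "$2"
        done
    }

    # create the accounting chains
    for chain in accin accout accinlive accoutlive; do
        add_chain "$chain"
        flush_chain "$chain"   # do we really have to do this?
    done

    fw_def_end=$(cat /var/run/FORWARD_def_end)
    if [ "$ACCOUNTING_METHOD" = old ]; then
        ins_rule filter FORWARD "accout"     1 "Accounting out"
        ins_rule filter FORWARD "accin"      1 "Accounting in"
        ins_rule filter FORWARD "accoutlive" 1 "Accounting LiveTraf out"
        ins_rule filter FORWARD "accinlive"  1 "Accounting LiveTraf in"
        fw_def_end=$((${fw_def_end:-0} + 4))

        if [ "$ACCOUNTING_LOCALTRAF" != yes ]; then
            # exclude traffic between masqueraded networks; field 4 of the
            # MASQUERADE lines is the source network
            masq=$(iptables -t nat -nL POSTROUTING \
                | sed -ne '/^MASQUERADE/s/[[:space:]]\+/ /gp' \
                | cut -d' ' -f 4)
            for m in $masq; do   # word-splitting intended: one network per word
                add_rule filter accin      "$m any RETURN" "exclude traffic between masquerade networks"
                add_rule filter accinlive  "$m any RETURN" "exclude traffic between masquerade networks"
                add_rule filter accout     "any $m RETURN" "exclude traffic between masquerade networks"
                add_rule filter accoutlive "any $m RETURN" "exclude traffic between masquerade networks"
            done
        fi
    else
        for i in $ACCOUNTING_INT; do
            ins_rule filter FORWARD "if:$i:any accin"      1 "Acc in $i"
            ins_rule filter FORWARD "if:any:$i accout"     1 "Acc out $i"
            ins_rule filter FORWARD "if:$i:any accinlive"  1 "Acc in LiveTraf $i"
            ins_rule filter FORWARD "if:any:$i accoutlive" 1 "Acc out LiveTraf $i"
            fw_def_end=$((${fw_def_end:-0} + 4))
        done
        for i in $ACCOUNTING_VPNINT; do
            # VPN interfaces are inserted with iptables directly instead of
            # ins_rule (the reason is not recorded here)
            /sbin/iptables -I FORWARD -i "$i" -p all -j accin      -m comment --comment "Acc in $i"
            /sbin/iptables -I FORWARD -o "$i" -p all -j accout     -m comment --comment "Acc out $i"
            /sbin/iptables -I FORWARD -i "$i" -p all -j accinlive  -m comment --comment "Acc LiveTraf in $i"
            /sbin/iptables -I FORWARD -o "$i" -p all -j accoutlive -m comment --comment "Acc LiveTraf out $i"
            fw_def_end=$((${fw_def_end:-0} + 4))
        done
        # collect the interfaces that carry an accout rule (tun devices
        # skipped); after whitespace normalisation field 7 is the 'out' column
        for i in $(iptables -nvL FORWARD \
                | sed -ne 's/[[:space:]]\+/ /g;/tun[0-9]\+/d;s/^[[:space:]]*//;/accout /p' \
                | cut -d' ' -f 7); do
            acc_ifs="$acc_ifs $i"
        done
    fi
    echo "$fw_def_end" > /var/run/FORWARD_def_end

    # account traffic from/to the router itself, e.g. a proxy
    if [ "$ACCOUNTING_LOCALTRAF" = yes ]; then
        ins_rule filter INPUT "accout"     1 "Acc out"
        ins_rule filter INPUT "accoutlive" 1 "Acc out LiveTraf"
        ins_rule filter INPUT "accin"      1 "Acc in"
        ins_rule filter INPUT "accinlive"  1 "Acc in LiveTraf"
        in_def_end=$(cat /var/run/INPUT_def_end)
        echo $((${in_def_end:-0} + 4)) > /var/run/INPUT_def_end
    fi

    # rules for the IPs from dns_dhcp.txt (HOST_x_IP4)
    i=1
    while [ "$i" -le "${HOST_N:-0}" ]; do
        eval "acc_ip=\$HOST_${i}_IP4"
        add_acc_ip "$acc_ip" "added from hosts_$i"
        i=$((i + 1))
    done

    # rules for the IPs from index.acc
    if [ -f "$ACCOUNTING_DIR/index.acc" ]; then
        # index.acc is executed as shell code, so it must only ever be
        # written by the accounting tools, never from untrusted input
        . "$ACCOUNTING_DIR/index.acc"
        # XXXX we really mean lower case 'n' at the end
        idx=1
        while [ "$idx" -le "${ACCOUNTING_HOST_n:-0}" ]; do
            eval "acc_ip=\$ACCOUNTING_HOST_${idx}_IP"
            add_acc_ip "$acc_ip" "add from index.acc"
            idx=$((idx + 1))
        done
    fi

    # save iplist, one address per line
    if [ "$iplist" ]; then
        printf '%s\n' $iplist > "$workdir/iplist"   # word-splitting intended
    fi

    # cron settings for accounting.sh
    if [ "$ACCOUNTING_CRON" ]; then
        add_crontab_entry "$ACCOUNTING_CRON" "/usr/local/bin/accounting.sh"
    fi

    # ARP & cron settings for automatic IP detection
    if [ "$ACCOUNTING_LEARNIPS" = yes ]; then
        : "${ACCOUNTING_LEARNIPS_INTERVAL:=5}"
        if [ "$ACCOUNTING_LEARNIPS_INTERVAL" != 0 ]; then
            # gc_stale_time is set to the learn interval, in seconds
            arptimeout=$((ACCOUNTING_LEARNIPS_INTERVAL * 60))
            idx=1
            while [ "$idx" -le "${IP_NET_N:-0}" ]; do
                eval "interface=\$IP_NET_${idx}_DEV"
                case $interface in
                    *:*) ;;   # XXX do we actually still support virtual devices like eth0:0?
                    *) echo "$arptimeout" > "/proc/sys/net/ipv4/neigh/$interface/gc_stale_time" ;;
                esac
                idx=$((idx + 1))
            done
            add_crontab_entry "*/$ACCOUNTING_LEARNIPS_INTERVAL * * * *" "/usr/local/bin/acclearnips.sh"
        fi
    fi

    # check the accounting dir: it must exist and be writable, otherwise
    # fall back to /var/db/accounting
    acc_dir="$ACCOUNTING_DIR"
    [ -d "$acc_dir" ] || mkdir -p "$acc_dir" 2> "$errfile"
    [ -d "$acc_dir" ] && > "$acc_dir/.test.$$" 2> "$errfile"
    if [ ! -f "$acc_dir/.test.$$" ]; then
        log_error "invalid accounting dir '$acc_dir'"
        log_error < "$errfile"
        log_error "using /var/db/accounting ..."
        acc_dir=/var/db/accounting
        mkdir -p "$acc_dir"
    fi
    rm -f "$errfile" "$acc_dir/.test.$$"

    # write accounting.conf; values are single-quoted, so a value containing
    # a single quote would break the file when it is sourced
    : "${ACCOUNTING_MAXINT:=4294967296}"
    cat <<EOF > /etc/accounting.conf
ACCOUNTING_DIR='$acc_dir'
ACCOUNTING_INT='$acc_ifs'
ACCOUNTING_MAXINT='$ACCOUNTING_MAXINT'
ACCOUNTING_DEBUG_INT='$ACCOUNTING_DEBUG_INT'
ACCOUNTING_LEARNFROMINT='$ACCOUNTING_LEARNFROMINT'
workdir='$workdir'
EOF

    # add the link in the web interface
    if [ -f /srv/www/admin/accounting.cgi ] && [ -f /usr/local/bin/httpd-menu.sh ]; then
        /usr/local/bin/httpd-menu.sh add "accounting.cgi" "Accounting" "" accounting
    fi

    # acc.sh
    end_script
fi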