«

»

Mar 21 2016

Fix munin ip_ plugin showing network traffic from wrong IP

I’ve installed munin on a Ubuntu Server 12.04 yesterday. When checking the repots I’ve noticed 3 ip’s graphed, like the image below.

munin_showing_wrong_ip

Image with one of the wrong IP’s in munin

These IP’s are shown when I run munin-node-configure –suggest

 

# munin-node-configure --suggest

Plugin                     | Used | Suggestions
------                     | ---- | -----------
acpi                       | no   | no [cannot read /proc/acpi/thermal_zone/*/temperature]
amavis                     | no   | no
apache_accesses            | yes  | yes
...
ip_                        | yes  | yes (103.6.117.3 202.52.48.182 94.23.183.114)

So it seems that the ip_ plugin is reporting the IP’s in question : 103.6.117.3 202.52.48.182 94.23.183.114

Looking inside of /usr/share/munin/plugins/ip_ we find a description :

=head3 IPv4

For the IP address "192.0.2.0", you will need the rules:

iptables -I INPUT -d 192.0.2.1
iptables -I OUTPUT -s 192.0.2.1

These rules will insert, at the top of the iptables chains INPUT and
OUTPUT one rule which will act as a packet counter.

Since the rule does not include a "-j" argument, it will not
explicitly allow or block anything.

Let’s examine my iptables rules :

# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  94.23.183.114        0.0.0.0/0
DROP       all  --  202.52.48.182        0.0.0.0/0
DROP       all  --  103.6.117.3          0.0.0.0/0
...

So, because i have a few IP’s manually banned in /etc/rc.d/rc.local, the munin ip_ plugin sees them at the top, and tries to count the traffic.
The solution is to add the server’s IP first in the iptables chain :

#iptables -I INPUT -d 89.90.91.92
#iptables -I OUTPUT -s 89.90.91.92

Replace 89.90.91.92 with the server’s IP. To make this permanently, add the two lines above to /etc/rc.d/rc.local

So, if you are using a firewall, you need to make sure that the top rules of the INPUT and OUTPUT chains contain the IP of the server.

The next step is to remove the existing graphs from munin. We need to delete the symlink

# rm /etc/munin/plugins/ip_103.6.117.3

Then we need to recreate the symlink with the correct IP address.

# ln -s /usr/share/munin/plugins/ip_ /etc/munin/plugins/ip_89.90.91.92

Finally, restart munin-node.

# service munin-node restart

Wait a few minutes, then check the network graphs again.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

*