Some dependencies do not need any configuration.
Some dependencies may be replaced with analogues. If you use a tool other than the one described, you presumably know what you are doing.
Flow-tools configuration.
Flow-tools is used by lightwrapper to export netflow data into lightsquid reports. Edit flow-capture.conf, which on Debian resides in the /etc/flow-tools/ dir, as follows:
-N 0 -w /tmp -R /usr/sbin/lw-export -n 95 0/127.0.0.1/2055
This means that flow-capture listens on UDP port 2055 on 127.0.0.1 and flows are exported every 15 minutes. Analyzed data files are deleted by lightwrapper. You may change any of these settings, see flow-capture(1).
If you installed lightwrapper in /usr/local then use the /usr/local/sbin/lw-export path.
Restart the flow-capture daemon to apply the configuration:
/etc/init.d/flow-capture restart
Softflowd configuration (may be replaced with an analogue).
Softflowd is used to send netflow data to flow-capture. You may use any other netflow sensor.
Edit the softflowd configuration file, which on Debian resides in /etc/default/softflowd, as follows:
INTERFACE="name of your local network interface, e.g. eth0"
OPTIONS="-n 127.0.0.1:2055"
Restart softflowd to apply the configuration:
/etc/init.d/softflowd restart
WARNING!
Softflowd is pretty simple but it has performance issues. Run
softflowctl statistics
and you will see that libpcap drops some packets. A better choice is ipt-netflow. At this moment it is not included in the Linux kernel and you need to compile it separately. You may see comprehensive tests there (Russian language).
Apache2 configuration (may be replaced with an analogue).
Apache2 is used by lightwrapper to show the web GUI to administrators and an error message to users who are not allowed.
The lightwrapper distribution has an example config file for apache2 (lightwrapper.conf) and an example HTML error page (access_denied.html). These files reside in usr/share/doc/lightwrapper/examples.
Put access_denied.html in your www root dir (/var/www on Debian).
Remove the lightsquid-related virtualhost config, if any. On Debian you must remove the links to /etc/apache2/conf-available/lightsquid.conf from the /etc/apache2/conf-enabled dir.
Put lightwrapper.conf in the apache2 config dir and turn it on.
On Debian you may replace /etc/apache2/sites-enabled/000-default.conf with this file to enable this configuration. To enable execution of CGI scripts you must also turn on the cgi module (on Debian, make a link to /etc/apache2/mods-available/cgi.load in /etc/apache2/mods-enabled).
On other Linux distributions you need to disable the default virtualhost configuration and put the following line in the apache2.conf file:
Include lightwrapper.conf
Check the contents of lightwrapper.conf and correct it for your needs.
WARNING!
You must restrict access to the lightsquid/lightwrapper CGI path to administrators only.
Make an "etc" dir in your www root:
mkdir /www/etc
Install the htpasswd utility if needed. On Debian it is contained in apache2-utils. Generate the passwd file with:
htpasswd -c /www/etc/passwd administrator
Add other users with:
htpasswd /www/etc/passwd username
Restart apache2 to apply the configuration:
/etc/init.d/apache2 restart
You may reach the web interface at:
http://ip-addr-of-web-server/admin
Lightsquid configuration.
The lightsquid configuration file is changed automatically with any type of installation. Paths to lightsquid internals are not checked and must contain valid values ($cfgpath, $langpath etc). If you do not use the *.deb then you must manually check that the lightsquid parser is not run from a cron job. Some variables in lightsquid.cfg that are not related to lightwrapper may be configured manually. The following variables in lightsquid.cfg are applied and should not be changed:
$graphmaxuser=1
$graphmaxall=1
$showgroupid=0
$showputpost=1
$templatename='lightwrapper'
$logpath='/var/log/lightwrapper'
$lang='lw-eng'
or another supported language (lw-ru)
Ipset configuration (optional).
Manual ipset configuration is needed only if you need to block some user traffic.
Lightwrapper creates and destroys sets in ipset automatically for internal needs. You need to configure manually only the block sets. If your Linux distribution does not support Debian-compatible init scripts then the ipset-persistent script will not be installed on your system and the "ipblock" feature will not work for you. If a user has the "ipblock" flag and lightwrapper has the option "ipblock" in "supported_flags", all traffic whose destination address matches any of the block sets will be dropped.
WARNING!
If a user has the 'squid' flag then HTTP traffic goes through squid independently of the 'ipset' flag and therefore will not be blocked by these rules.
Example - how to block mail.ru.
Subnet values are relevant at the time of writing.
Check that the following option is set in the etc/lightwrapper/cfg file:
supported_flags = ipblock
To create the block set, run:
ipset create mail.ru hash:net
To add net addresses to the block set, run:
ipset add mail.ru 5.61.232.0/21
ipset add mail.ru 94.100.176.0/20
ipset add mail.ru 94.100.186.0/23
ipset add mail.ru 95.163.32.0/19
ipset add mail.ru 128.140.168.0/21
ipset add mail.ru 178.22.88.0/21
ipset add mail.ru 178.237.16.0/20
ipset add mail.ru 185.5.136.0/22
ipset add mail.ru 188.93.56.0/21
ipset add mail.ru 188.93.60.0/24
ipset add mail.ru 188.93.63.0/24
ipset add mail.ru 194.186.63.0/24
ipset add mail.ru 195.211.20.0/22
ipset add mail.ru 217.69.128.0/20
For simplification you may use the following long one-line command:
for i in 5.61.232.0/21 94.100.176.0/20 94.100.186.0/23 95.163.32.0/19 128.140.168.0/21 178.22.88.0/21 178.237.16.0/20 185.5.136.0/22 188.93.56.0/21 188.93.60.0/24 188.93.63.0/24 194.186.63.0/24 195.211.20.0/22 217.69.128.0/20; do ipset add mail.ru $i; done
Save the changes with:
/etc/init.d/ipset-persistent save
Add the mail.ru set to etc/lightwrapper/cfg:
block = mail.ru
Every time you change the block option in the configuration file you must run the lw-geniprules script to apply the changes and restart lw-daemon:
lw-geniprules
iptables-restore < /etc/iptables/rules.v4
/etc/init.d/lw-daemon restart
Any type of set is supported, see ipset(8) for details. All users that have the "ipblock" flag are checked against all block sets.
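As an added example (not part of lightwrapper or of this page), the following POSIX shell functions check the cfg file for the "ipblock" flag, validate each CIDR before it reaches ipset, and emit a batch for `ipset restore` for a block set, which is useful on distributions where ipset-persistent is not installed. The function names, the cfg parsing and the sample CIDR input are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not lightwrapper's own code: build an ipset restore batch
# for a block set and check that the "ipblock" flag is enabled in the
# lightwrapper cfg first. Assumes the cfg uses a "supported_flags = ..."
# line as shown above; set name and CIDR list are placeholders you supply.

# Return 0 if the cfg file lists FLAG in supported_flags, 1 otherwise.
lw_flag_enabled() {
    cfg=$1; flag=$2
    sed -n 's/^[[:space:]]*supported_flags[[:space:]]*=[[:space:]]*//p' "$cfg" \
        | tr ',' ' ' | tr -s ' ' '\n' | grep -qx "$flag"
}

# Validate one IPv4 CIDR (dotted quad plus /0-32) so a malformed entry
# (e.g. two prefixes run together) is rejected instead of fed to ipset.
valid_cidr() {
    printf '%s\n' "$1" \
        | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print an ipset restore batch for SET_NAME from CIDRs read on stdin.
# Feed the output to "ipset restore -exist" so that replaying it at boot
# does not fail on an already existing set or member. Bad entries are
# reported on stderr and skipped.
gen_block_set() {
    set_name=$1
    printf 'create %s hash:net\n' "$set_name"
    while read -r cidr; do
        [ -z "$cidr" ] && continue
        if valid_cidr "$cidr"; then
            printf 'add %s %s\n' "$set_name" "$cidr"
        else
            printf 'skipping invalid entry: %s\n' "$cidr" >&2
        fi
    done
}

# Usage (constructed input; run the final command as root):
#   lw_flag_enabled /etc/lightwrapper/cfg ipblock || echo "ipblock not enabled"
#   printf '5.61.232.0/21\n94.100.176.0/20\n' | gen_block_set mail.ru \
#       | ipset restore -exist
```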
Iptables configuration (optional).
Iptables configuration is needed if you want to:
redirect traffic to a transparent proxy for users with the "squid" flag
block traffic for users with the "ipblock" flag
automatically open NAT for authorized users
block any unauthorized users
WARNING!
If your Linux distribution does not support Debian-compatible init scripts then the installer should automatically set the option "custom_init = true" in the cfg file. If this option is set then the iptables IPv4 rules are applied by the lw-refresh script every time after ipset changes its configuration. Ipset rules are not saved across reboots.
The lw-geniprules script is designed to generate iptables rules. It generates the iptables-restore compatible file /etc/iptables/rules.v4. Each block of rules is accompanied by comments. You need to run lw-geniprules in the following cases:
initial lightwrapper configuration, after editing etc/lightwrapper/cfg.
when the network address of the local network interface in_if changes
when the following options in the cfg file change:
in_if
out_if
supported_flags
block
To use this script, run it and follow the prompts:
lw-geniprules
iptables-restore < /etc/iptables/rules.v4
If lw-daemon is running then you must restart it:
/etc/init.d/lw-daemon restart
Every lightwrapper rule contains the comment "lightwrapper". To clean the rules, run:
sh -c 'cd /etc/iptables/ && grep -v lightwrapper rules.v4 >rules.v4.clean && mv rules.v4.clean rules.v4'
For NAT you must enable IPv4 forwarding once.
Usually you need to add the following line to /etc/sysctl.conf:
net.ipv4.ip_forward = 1
and run
sysctl --system
Squid v3 configuration (optional).
Since netflow statistics provide only IP addresses, squid may be used for more detailed reports. It may also be used for anything else it can do (URL rewriting, caching etc). An extremely small example squid v3 config file named squid.conf resides in the usr/share/doc/lightwrapper/examples dir. Replace the default squid 3 config file /etc/squid3/squid.conf with it and apply the changes:
squid3 -k reconfigure
You must not drop all IPv6 traffic since squid3 relies on it. Either do not add any IPv6 ip6tables rules or put the following minimum configuration in /etc/iptables/rules.v6:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
Also check that the following option is set in the etc/lightwrapper/cfg file:
supported_flags = squid
If you change this option then you must run the lw-geniprules script as described above.
Last edit: Grigoriy Bilichenko 2014-12-30