
GUIDELINES FOR INSTALLATION OF MRTG ON LINUX

(Version-3/3-1-2003)

In order to monitor the load on different NIB links and also to aid in the systematic augmentation
of internodal bandwidth, Multi Router Traffic Grapher (MRTG) is proposed to be used. MRTG
is software that monitors the traffic load on network links. MRTG generates HTML pages
containing graphical images, which provide a LIVE visual representation of this traffic.

MRTG is to be installed by all the "A" type of nodes except Ludhiana. Chandigarh would
be installing MRTG in place of Ludhiana. Apart from MRTG of their own interfaces these
nodes would also configure MRTG for the nodes as given in Table-1.

The MRTG PC would be used only for MRTG purposes; no other activity like browsing,
mail etc. is to be carried out from that PC. All the security guidelines as given in Section (g)
of this document must be implemented.

The details of user-id and password must be sent to Sh Dhirendra Verma, DE(Tech-1)
(DNW) on routemaster@sancharnet.in

Following steps are required to implement MRTG.

a) Arrange a PC
b) Procure Red Hat Linux 7.1
c) Connect the PC to the NIB LAN.
d) Install Red Hat Linux (Use the IP address as specified in Table-1)
e) Configure Apache Web server
f) Download and install MRTG
g) Securing the MRTG PC

(The procedure written has been tested with RedHat Linux 7.1)

A. PC :- A normal Pentium III machine with 128 MB RAM, 20 GB hard disk, CD ROM
drive and Network Interface card should be sufficient for the installation of MRTG.

B. Red Hat Linux 7.1 :- This should be easily available from the market. Generally Linux
books also come along with the Linux CD.

C. Connect PC to LAN :- Special permission has been given to connect this PC to NIB
LAN. On this PC, no browsing, sending or receiving of mail etc. is to be done for
security reasons. This PC would remain ON forever and is not supposed to be switched
off.

D. Linux Installation: The installation procedure given below has been tested with
RedHat 7.1. The PC should not be loaded with any variant of Windows operating
system. (The PC is not to be made dual bootable). After inserting the Linux CD into the CD
ROM drive, the following main options must be selected during the Linux
installation.
I. System should be installed as Server System, not as a work station or anything else.
II. IP address, mask and gateway should be provided as per details in table-1.
III. Firewall should be configured as Medium.

Data Networks Circle, Jan 2003 -1-


IV. "GNOME", "Webserver" & "X WINDOW system" packages should be selected.
Other packages should not be selected as they may pose security threats.
V. Choose your login type as text. (Not Graphical)

E. Apache Web Server : After the loading of Linux is over, enter into the system and give
the following command at the Unix prompt.
#ps -ef |grep httpd
If it shows httpd as running, then fine. Else proceed as below
#cd /etc/init.d
#ls httpd
# ./httpd start

After giving this command, check the default webpage running on this PC by giving the URL as
http://<IP address of the LINUX machine>. If it shows the default page, then fine. Else proceed
as below
#setup
After giving this command a menu would be displayed, then do as given below

Choose firewall - medium -> Customize -> enable www (http)

Now the default webpage should be opened from another PC.

F. MRTG : After the above steps are over, check the output of the following commands.
The output of the following commands should not give a response like
"type: xxx : not found" where xxx is gcc/perl/wget
#type gcc
#type perl
#type wget

F-1 Library Compilation :


Give following commands in sequence:
#mkdir -p /usr/local/src
#cd /usr/local/src
#wget ftp://sunsite.cnlab-switch.ch/mirror/infozip/zlib/zlib.tar.gz
#gunzip -c zlib.tar.gz | tar xf -
#mv zlib-?.?.?/ zlib
#cd zlib
#./configure
#make
#cd ..

#wget http://www.libpng.org/pub/png/src/libpng-1.0.12.tar.gz
#wget http://www.libpng.org/pub/png/src/libpng-1.2.3.tar.gz
#wget http://www.libpng.org/pub/png/src/libpng-1.2.5.tar.gz
#gunzip -c libpng-*.tar.gz | tar xf -
#rm libpng-*.tar.gz
#mv libpng-* libpng
#cd libpng
#make -f scripts/makefile.std CC=gcc ZLIBLIB=../zlib ZLIBINC=../zlib
#cd ..

#wget http://www.boutell.com/gd/http/gd-1.8.3.tar.gz
#gunzip -c gd-1.8.3.tar.gz | tar xf -
#mv gd-1.8.3 gd
#cd gd

Following command is to be given in a single line.

#make INCLUDEDIRS="-I. -I../zlib -I../libpng" LIBDIRS="-L../zlib -L. -L../libpng" LIBS="-lgd -lpng -lz -lm"

#cd ..
#cd /usr/local/src

#wget http://people.ee.ethz.ch/~oetiker/webtools/mrtg/pub/mrtg-2.9.18pre4.tar.gz
#gunzip -c mrtg-2.9.18pre4.tar.gz | tar xvf -
#cd mrtg-2.9.18pre4
#wget http://people.ee.ethz.ch/~oetiker/webtools/mrtg/pub/mrtg-2.9.18.tar.gz
#gunzip -c mrtg-2.9.18.tar.gz | tar xvf -
#cd mrtg-2.9.18

Following command is to be given in single line.

#./configure --prefix=/usr/local/mrtg-2 --with-gd=/usr/local/src/gd --with-z=/usr/local/src/zlib --with-png=/usr/local/src/libpng

#make
#make install

F-2 Configuring MRTG for a node e.g. Shimla (Shimla MRTG is to be
implemented at Chandigarh as given in Table-1) :

#cd /usr/local/mrtg-2/bin
#mkdir -p /var/www/html/<node-name>

In this case <node-name> would be shimla.


Before proceeding ahead, please ensure that all the interfaces on Shimla router
have the proper description i.e. description command should have been specified
for all the interfaces. (For this Chandigarh node-in-charge must coordinate with
Shimla node-in-charge)

Following command is to be given in single line. <snmp-community> for nodes
must be obtained from Data Networks on phone number: 011-3737572/3737571. In
this case <snmp-community> for Shimla would be required. Node router IPs are
given in Table 2. In this case <node-router-ip> would be 61.0.237.144, and in
the field <node-name>, shimla should be given.

#./cfgmaker --no-down --global 'WorkDir: /var/www/html/<node-name>' --global 'Options[_]: bits,growright' <snmp-community>@<node-router-ip> > <node-name>.cfg

Run MRTG for the node like Shimla in this case by giving the command
#/usr/local/mrtg-2/bin/mrtg /usr/local/mrtg-2/bin/<node-name>.cfg &

It will generate many files in /var/www/html/<node-name>

#cd /etc
Now configure MRTG to run continuously. Put the following line at the end
of the crontab file with the help of vi editor. (A summary of vi commands can be
obtained from Internet at http://www.bris.ac.uk/is/selfhelp/documentation/vi-r2/vi-r2.htm).

#vi crontab

*/5 * * * * root /usr/local/mrtg-2/bin/mrtg /usr/local/mrtg-2/bin/<node-name>.cfg --logging /var/log/mrtg.log

After adding the above line, save the crontab file and exit, then restart crond by
giving the following commands

#cd /etc/init.d/
#./crond restart

Now make html file for the node.


#cd /usr/local/mrtg-2/bin/

Following is the single command.

#/usr/local/mrtg-2/bin/indexmaker -section=descr -sort=descr -columns=2 --show=none -title="MRTG for <node-name> Router" <node-name>.cfg > /var/www/html/<node-name>/<node-name>.html

Now the MRTG graphs can be seen for the node, in this case Shimla, from any
Internet connected browser by giving URL as
http://<ip_of_MRTG PC>/<node-name>/<node-name>.html

The step number F-2 is to be repeated for all the nodes whose MRTG is to be
implemented as defined in Table-1.

F-3 Procedure for protecting the MRTG with password :

In order to protect MRTG from unauthorized viewing, password protection to
MRTG site should be implemented.
#cd /var/www/html

Create a file .htaccess with the vi editor


#vi .htaccess

The following lines must be inserted in this file. <your-node-name> is the name
of the node which is implementing MRTG, like in this case Chandigarh.

AuthName "Restricted Access for MRTG of <your-node-name>"
AuthType Basic
AuthUserFile /var/www/html/.htpasswd
AuthGroupFile /dev/null
Require user mrtg-<your-node-name>

After inserting these lines, save the file .htaccess and exit from vi.
Now give the command
#htpasswd -c /var/www/html/.htpasswd mrtg-<your-node-name>

This command will prompt for the password, give the password and remember this password.
This password along with the login name which is mrtg-<your-node-name>, should be
communicated to the concerned Circle Coordinator, Mr Dhirendra Verma, ADET,Data Networks
(011-3737572) and the nodes whose MRTG has been implemented in this machine.

Now give the following command :


#cd /etc/httpd/conf
Open the file httpd.conf with vi editor
# vi httpd.conf

In this file look for the following line:

This controls which options the .htaccess files in directories can override. Can also be "All", or
any combination of "Options", "FileInfo", "AuthConfig", and "Limit".
AllowOverride None

Change the line "AllowOverride None" to "AllowOverride All", if required.

Now restart the Apache web server by following commands


#cd /etc/init.d
# ./httpd restart
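
Whether Apache honours the .htaccess file depends on the AllowOverride value changed above: with None the file is ignored and the graphs are served without a password. The script below is an added example, not part of the original guideline; the function names, the temporary directory and the sample file contents are constructed, and it assumes directive names are written with the capitalisation shown on this page.

```shell
#!/bin/sh
# Added example: check that Apache will enforce the .htaccess file from F-3.
# Directive names are matched with the capitalisation used on this page.

# override_for CONF DIR: print the AllowOverride value set inside the
# <Directory "DIR"> block of CONF (prints an empty line when none is set).
override_for() {
    awk -v dir="$2" '
        /^[ \t]*<Directory[ \t]/ { d = $2; gsub(/[">]/, "", d); inblk = (d == dir) }
        /^[ \t]*<\/Directory>/   { inblk = 0 }
        inblk && $1 == "AllowOverride" { $1 = ""; sub(/^ +/, ""); val = $0 }
        END { print val }' "$1"
}

# htaccess_enforced CONF DIR: succeed only when that value is "All" or lists
# "AuthConfig"; with "None" Apache ignores .htaccess and serves the graphs.
htaccess_enforced() {
    case " $(override_for "$1" "$2") " in
        *" All "*|*" AuthConfig "*) return 0 ;;
    esac
    return 1
}

# required_user_present HTACCESS: succeed when the "Require user" name has an
# entry in the password file named by AuthUserFile.
required_user_present() {
    user=$(awk '$1 == "Require" && $2 == "user" { print $3 }' "$1")
    pwfile=$(awk '$1 == "AuthUserFile" { print $2 }' "$1")
    [ -n "$user" ] && [ -f "$pwfile" ] && grep -q "^$user:" "$pwfile"
}

# Constructed sample files (not taken from a real server).
demo=$(mktemp -d)
printf '%s\n' '<Directory "/var/www/html">' '    Options Indexes' \
    '    AllowOverride None' '</Directory>' > "$demo/httpd.conf"
printf '%s\n' 'mrtg-chandigarh:CONSTRUCTED-HASH' > "$demo/.htpasswd"
printf '%s\n' 'AuthType Basic' "AuthUserFile $demo/.htpasswd" \
    'Require user mrtg-chandigarh' > "$demo/.htaccess"

htaccess_enforced "$demo/httpd.conf" /var/www/html \
    || echo "AllowOverride is '$(override_for "$demo/httpd.conf" /var/www/html)': .htaccess is ignored"
required_user_present "$demo/.htaccess" && echo "password entry found for required user"
```

On the MRTG PC the same functions would be pointed at /etc/httpd/conf/httpd.conf and /var/www/html/.htaccess.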

G. Securing the MRTG PC: (The implementation of this section is mandatory)

To secure the MRTG PC, it is essential to do the following:-


1. PC power-on password must be configured.
2. Only these services: xinetd, httpd, crond, ipchains, iptables and network should be enabled. This
can be done by giving the following command
#setup
Then choose "system services", and select only the services mentioned above. De-select all
the others.

3. Use IPCHAINS to prevent unauthorized access to the MRTG PC. The following commands are
to be given
#ipchains -F input
#ipchains -P input DENY
#ipchains -A input -j ACCEPT -p tcp -s 61.0.0.0/15 -d <IP addr. of MRTG PC>/32
#ipchains -A input -j ACCEPT -p tcp -s 210.212.79.224/27 -d <IP addr. of MRTG PC>/32
#ipchains -A input -j ACCEPT -p udp -s 61.0.0.0/15 -d <IP addr. of MRTG PC>/32
#ipchains -A input -j ACCEPT -p udp -s 210.212.79.224/27 -d <IP addr. of MRTG PC>/32
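
The source ranges in the step 3 rules can be checked against known addresses, such as the router loopbacks in Table 2, before the rules are loaded. The script below is an added example, not part of the original guideline; it models only the -s ranges of the ACCEPT rules, and the function names and the test addresses other than the Shimla loopback are constructed.

```shell
#!/bin/sh
# Added example: evaluate which source addresses the section G input rules
# accept. ALLOWED_SOURCES copies the two -s ranges from the ipchains commands
# on this page; anything else falls through to the chain policy (DENY).
ALLOWED_SOURCES="61.0.0.0/15 210.212.79.224/27"

# ip_to_int A.B.C.D: print the address as a 32-bit integer.
# Octets must be written without leading zeros.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_cidr IP NET/LEN: succeed when IP lies inside the network.
in_cidr() {
    net=${2%/*}; len=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & $mask )) -eq $(( $(ip_to_int "$net") & $mask )) ]
}

# source_allowed IP: succeed when one of the ACCEPT ranges matches.
source_allowed() {
    for range in $ALLOWED_SOURCES; do
        in_cidr "$1" "$range" && return 0
    done
    return 1
}

# report_sources IP...: print one verdict line per address.
report_sources() {
    for ip in "$@"; do
        if source_allowed "$ip"; then echo "$ip ACCEPT"; else echo "$ip DENY"; fi
    done
}

# 61.0.237.144 is the Shimla loopback from Table 2; the rest are constructed.
report_sources 61.0.237.144 210.212.79.230 61.2.0.1 210.212.79.223
```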

After carrying out all the steps, the MRTG is ready for use. MRTG PC must be kept on and is
not to be switched off. MRTG PC would be used only for MRTG purposes, no activities like
browsing and mail are allowed from this PC. Node-in-charges must check daily, that the MRTG
is running.

H. Procedure for reinstalling the MRTG after the new cards insertion:

Assumption: MRTG is running and updating the data after every 5 minutes.

Procedure:
Go to the html directory.
#cd /var/www/html

First take the backup of the existing running MRTG for all the nodes. The following
command would move existing directory with a different name (e.g. for taking backup of shimla
on 25-Dec,2002 the backup directory name would become shimla-251202)

#mv <node-name> <node-name>-ddmmyy

Repeat the above command for all the nodes for which MRTG is working from a particular node.

Now follow the set of commands given below (in orange color) for each node for which MRTG has
to be installed.
#mkdir -p /var/www/html/<node-name>

#cd /usr/local/mrtg-2/bin/

#./cfgmaker --no-down --global 'WorkDir: /var/www/html/<node-name>' --global 'Options[_]: bits,growright' <snmp-community>@<node-router-ip> > <node-name>.cfg

Now restart the Apache web server by following commands


#cd /etc/init.d
# ./httpd restart

Wait here for at least 10 minutes.


#cd /usr/local/mrtg-2/bin/

#/usr/local/mrtg-2/bin/indexmaker -section=descr -sort=descr -columns=2 --show=none -title="MRTG for <node-name> Router" <node-name>.cfg > /var/www/html/<node-name>/<node-name>.html

Now the MRTG graphs can be seen for the node from any Internet connected
browser by giving URL as
http://<ip_of_MRTG PC>/<node-name>/<node-name>.html

After every 5 minutes, the data should be updated and the WAN links on new
cards slot should be visible in MRTG.

Any feedback on this document should be forwarded to Mr. Dhirendra Verma,
DE(Tech-1), DNW on routemaster@sancharnet.in

Annexure-1
Help URLs for working on Linux

Following link may be referred for operation of “vi” editor.


http://www.mdstud.chalmers.se/~md0claes/vi-commands.html

For basic linux/unix commands, refer to:


http://tardis.csudh.edu/linux/commands/

Table 1

S No  Node Name   IP address    Mask             Gateway      Nodes to be covered
1.    Bangalore   61.1.128.124  255.255.255.192  61.1.128.94  Bangalore, Mysore
2.    Calcutta    61.0.128.124  255.255.255.192  61.0.128.94  Calcutta, Guwahati, Shillong
3.    Chennai     61.1.192.124  255.255.255.192  61.1.192.94  Chennai, Madurai, Coimbatore
4.    Mumbai      61.1.64.124   255.255.255.192  61.1.64.94   Mumbai, Nasik
5.    New Delhi   61.0.0.25     255.255.255.192  61.0.0.30    New Delhi, Agra, Faridabad, Ghaziabad, Gurgaon, Meerut, Noida
6.    Pune        61.1.96.124   255.255.255.192  61.1.96.124  Pune, Nagpur
7.    Ahmedabad   61.1.32.58    255.255.255.192  61.1.32.46   Ahmedabad, Rajkot, Vadodara, Surat
8.    Ernakulam   61.1.224.58   255.255.255.192  61.1.224.46  Ernakulam, Trivandrum
9.    Hyderabad   61.1.160.124  255.255.255.128  61.1.160.94  Hyderabad, Bhubaneshwar, Vizag
10.   Indore      61.1.0.58     255.255.255.192  61.1.0.46    Indore, Bhopal, Gwalior, Jabalpur
11.   Jaipur      61.0.192.58   255.255.255.192  61.0.192.46  Jaipur, Jodhpur
12.   Lucknow     61.0.96.58    255.255.255.192  61.0.96.46   Lucknow, Kanpur, Varanasi, Allahabad
13.   Chandigarh  61.0.65.188   255.255.255.192  61.0.65.174  Ludhiana, Amritsar, Jallandhar, Jammu, Shimla, Chandigarh
14.   Patna       61.0.160.58   255.255.255.192  61.0.160.46  Patna

TABLE-2

LOOPBACK ADDRESSES
A- Type Locations
61.0.239.16 Bangalore
61.0.239.32 Calcutta
61.0.239.48 Chennai
61.0.239.64 Mumbai
61.0.239.80 New Delhi
61.0.239.96 Pune
61.0.239.112 Ahmedabad
61.0.239.128 Ernakulam
61.0.239.144 Hyderabad
61.0.239.160 Indore
61.0.239.176 Jaipur
61.0.239.192 Lucknow
61.0.239.208 Ludhiana
61.0.239.224 Patna

(B Type)
61.0.238.0 Agra
61.0.238.16 Allahabad
61.0.238.32 Amritsar
61.0.238.48 Bhopal
61.0.238.64 Bhubaneshwar
61.0.238.80 Chandigarh
61.0.238.96 Coimbatore
61.0.238.112 Faridabad
61.0.238.128 Ghaziabad
61.0.238.144 Gurgaon
61.0.238.160 Guwahati
61.0.238.176 Gwalior
61.0.238.192 Jabalpur
61.0.238.208 Jallandhar
61.0.238.224 Jammu
61.0.238.240 Jodhpur
61.0.237.0 Kanpur
61.0.237.16 Madurai
61.0.237.32 Meerut
61.0.237.48 Mysore
61.0.237.64 Nagpur
61.0.237.80 Nashik
61.0.237.96 Noida
61.0.237.112 Rajkot
61.0.237.128 Shillong
61.0.237.144 Shimla
61.0.237.160 Surat
61.0.237.176 Trivandrum
61.0.237.192 Vadodara
61.0.237.208 Varanasi
61.0.237.224 Vizag
