Search Exchange

Search All Sites

Nagios Live Webinars

Let our experts show you how Nagios can help your organization.

Contact Us

Phone: 1-888-NAGIOS-1
Email: sales@nagios.com

Login

Remember Me

Directory Tree

check_iptables

Rating
3 votes
Favoured:
1
Hits
108157
Files:
FileDescription
check_iptables.shcheck_iptables.sh
Network Monitoring Software - Download Nagios XI
Log Management Software - Nagios Log Server - Download
Netflow Analysis Software - Nagios Network Analyzer - Download
Bash script to do basic checking of iptables.
The script does not (and can not) detect "stupid" rules. It's purpose is to ensure that iptables and the configured rules (whatever they may be) are loaded.

It is useful to identify situations such as:
- forgetting to start iptables at boot
- stopping iptables for testing and forgetting to restart
- etc

Normal condition is where all tables have 1 or more rules.
Critical condition is when a table (any table) has 0 rules.
Reviews (3)
byrhousand, July 19, 2013
Added $TABLE
CHKIPTBLS=`/sbin/iptables -n -t $TABLE -L |wc -l`

Added nrpe user to sudoers
Defaults!/usr/local/nagios/libexec/check_iptables.sh !requiretty
nagios ALL=NOPASSWD: /usr/local/nagios/libexec/check_iptables.sh


I would not recommend adding to following to sudoers.
nagios ALL= NOPASSWD: /sbin/iptables

I also imported utils.sh and used it's exit codes but this may not be required.
. /usr/local/nagios/libexec/utils.sh

exit $STATE_OK
exit $STATE_CRITICAL
bystephan, April 15, 2012
Thanks for the check.

I like to be able to check both IPv6 and IPv4, so that is what the edit below does:
(Paths used in this script are adapted for Debian/ Ubuntu based systems.)

#!/bin/bash

case $# in
1)
case $1 in
-4)
IPT='/sbin/iptables'
;;
-6)
IPT='/sbin/ip6tables'
;;
*)
;;
esac

GREP='/bin/grep'
AWK='/usr/bin/awk'
EXPR='/usr/bin/expr'
WC='/usr/bin/wc'

STAT=0
OUTPUT=''
CHAINS=`$IPT -nvL | $GREP 'Chain' | $AWK '{ print $2 }'`

for CHAIN in $CHAINS ; do
if [ "$CHAIN" != 'FORWARD' ] && [ "$CHAIN" != 'OUTPUT' ] && [ `$EXPR substr $CHAIN 1 4` != "LOG_" ] ; then
CNT=`expr $($IPT -S $CHAIN | $WC -l) '-' 1`
if [ $CNT -eq 0 ] ; then
OUTPUT="${OUTPUT}ERROR $CHAIN $CNT rules!"
STAT=2
else
OUTPUT="${OUTPUT}OK $CHAIN $CNT rules"
fi
fi
done

echo $OUTPUT

exit $STAT
;;
*)
echo "Usage: $0 [-4][-6]"
exit 1
;;
esac
i've coded similar plugin independently when found this plugin already exist...

http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/nagios-plugin-check_iptables/check_iptables

differences are with my plugin:
- can setup needed sudo rules if invoked with -S argument
- you can specify warning and critical levels how many rules you need to have present
- can check other tables/chains than filter/INPUT via command line args.

License: GPL v2 (same as Nagios)