check_iptables

Files: check_iptables.sh
Bash script to do basic checking of iptables.
The script does not (and cannot) detect "stupid" rules. Its purpose is to ensure that iptables and the configured rules (whatever they may be) are loaded.

It is useful to identify situations such as:
- forgetting to start iptables at boot
- stopping iptables for testing and forgetting to restart it
- etc.

Normal condition is where all tables have 1 or more rules.
Critical condition is when a table (any table) has 0 rules.
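The OK/CRITICAL rule above, as an added example that is not the plugin's own code or either reviewer's: it counts rules per table from one iptables-save dump (every loaded table appears once, headed by a "*table" line) and treats only "-A" lines as rules, so policy lines and chain headers never inflate the count the way the per-chain headers of "iptables -L" do. The two sample dumps are constructed, the IPTABLES_SAVE override is an assumed convenience, and running it live still needs root or a sudoers entry scoped to the check, as the first review discusses.

```shell
#!/bin/sh
# Added example, not the plugin's own code: count the rules in every loaded
# iptables table from one `iptables-save` dump and map the result to the
# plugin's rule (every table >= 1 rule is OK, any table with 0 rules is
# CRITICAL). The sample dumps below are constructed, not captured.

STATE_OK=0
STATE_CRITICAL=2

# count_rules_per_table: read iptables-save output on stdin and print one
# "table count" line per table, in the order the tables appear.
# Only "-A" (append) lines are rules; "*table" headers and ":CHAIN POLICY"
# lines are printed even for a flushed table, so that table reports 0.
count_rules_per_table() {
    awk '
        BEGIN  { n = 0 }
        /^\*/  { table = substr($0, 2); order[++n] = table; count[table] = 0; next }
        /^-A / { count[table]++ }
        END    { for (i = 1; i <= n; i++) print order[i], count[order[i]] }
    '
}

# evaluate: read "table count" lines on stdin, print the plugin output line
# and return the Nagios state. No tables at all (nothing loaded, e.g.
# iptables never started at boot) is treated as CRITICAL as well.
evaluate() {
    state=$STATE_OK
    out=""
    seen=0
    while read -r table count; do
        seen=1
        out="$out $table=$count"
        if [ "$count" -eq 0 ]; then
            state=$STATE_CRITICAL
        fi
    done
    if [ "$seen" -eq 0 ]; then
        echo "IPTABLES CRITICAL - no tables loaded"
        return $STATE_CRITICAL
    fi
    if [ "$state" -eq "$STATE_CRITICAL" ]; then
        echo "IPTABLES CRITICAL -$out"
    else
        echo "IPTABLES OK -$out"
    fi
    return $state
}

# check_from_save: evaluate a complete iptables-save dump passed on stdin.
check_from_save() {
    count_rules_per_table | evaluate
}

# Constructed sample: filter and nat tables both populated.
sample_loaded() {
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        'COMMIT' \
        '*nat' \
        ':POSTROUTING ACCEPT [0:0]' \
        '-A POSTROUTING -o eth0 -j MASQUERADE' \
        'COMMIT'
}

# Constructed sample: the same host after "iptables -F"; the policies
# survive but the filter rules are gone, which is the case to alert on.
sample_flushed() {
    printf '%s\n' \
        '*filter' \
        ':INPUT ACCEPT [0:0]' \
        ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        'COMMIT' \
        '*nat' \
        ':POSTROUTING ACCEPT [0:0]' \
        '-A POSTROUTING -o eth0 -j MASQUERADE' \
        'COMMIT'
}

# Run with "live" to check the running kernel (needs root or a sudoers entry
# for iptables-save; IPTABLES_SAVE is an assumed override, e.g. for
# ip6tables-save). Any other invocation only defines the functions.
if [ "${1:-}" = "live" ]; then
    "${IPTABLES_SAVE:-/sbin/iptables-save}" | check_from_save
    exit $?
fi
```

Run as `./check_iptables_save.sh live` under NRPE; the output line and exit code follow the plugin convention (0 OK, 2 CRITICAL). Counting from iptables-save rather than per-table "iptables -L" calls means one privileged invocation per check and no need to guess which tables are loaded.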
Reviews (3)
by rhousand, July 19, 2013
Added $TABLE
CHKIPTBLS=`/sbin/iptables -n -t $TABLE -L |wc -l`

Added nrpe user to sudoers
Defaults!/usr/local/nagios/libexec/check_iptables.sh !requiretty
nagios ALL=NOPASSWD: /usr/local/nagios/libexec/check_iptables.sh


I would not recommend adding the following to sudoers.
nagios ALL= NOPASSWD: /sbin/iptables

I also imported utils.sh and used its exit codes but this may not be required.
. /usr/local/nagios/libexec/utils.sh

exit $STATE_OK
exit $STATE_CRITICAL
by stephan, April 15, 2012
Thanks for the check.

I like to be able to check both IPv6 and IPv4, so that is what the edit below does:
(Paths used in this script are adapted for Debian/ Ubuntu based systems.)

#!/bin/bash

case $# in
1)
    case $1 in
    -4)
        IPT='/sbin/iptables'
        ;;
    -6)
        IPT='/sbin/ip6tables'
        ;;
    *)
        # Unknown option: refuse instead of running with IPT unset
        echo "Usage: $0 [-4][-6]"
        exit 1
        ;;
    esac

    GREP='/bin/grep'
    AWK='/usr/bin/awk'
    EXPR='/usr/bin/expr'
    WC='/usr/bin/wc'

    STAT=0
    OUTPUT=''
    # Chain names of the filter table (the default table for -L)
    CHAINS=$($IPT -nvL | $GREP 'Chain' | $AWK '{ print $2 }')

    for CHAIN in $CHAINS ; do
        # Skip FORWARD, OUTPUT and any LOG_* helper chains
        if [ "$CHAIN" != 'FORWARD' ] && [ "$CHAIN" != 'OUTPUT' ] && [ "$($EXPR substr "$CHAIN" 1 4)" != "LOG_" ] ; then
            # -S prints one policy (-P) or declaration (-N) line before the rules, so subtract it
            CNT=$($EXPR $($IPT -S "$CHAIN" | $WC -l) '-' 1)
            if [ "$CNT" -eq 0 ] ; then
                OUTPUT="${OUTPUT}ERROR $CHAIN $CNT rules! "
                STAT=2
            else
                OUTPUT="${OUTPUT}OK $CHAIN $CNT rules; "
            fi
        fi
    done

    echo "$OUTPUT"

    exit $STAT
    ;;
*)
    echo "Usage: $0 [-4][-6]"
    exit 1
    ;;
esac
I've coded a similar plugin independently, and only then found that this plugin already exists...

http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/nagios-plugin-check_iptables/check_iptables

The differences with my plugin are:
- can set up the needed sudo rules if invoked with the -S argument
- you can specify warning and critical levels for how many rules you need to have present
- can check tables/chains other than filter/INPUT via command line args.

License: GPL v2 (same as Nagios)