Home Directory Plugins Security checkIPtables

Search Exchange

Search All Sites

Nagios Live Webinars

Let our experts show you how Nagios can help your organization.

Contact Us

Phone: 1-888-NAGIOS-1
Email: sales@nagios.com

Login

Remember Me

Directory Tree

checkIPtables

Current Version
0.1
Last Release Date
2012-04-28
Compatible With
  • Nagios 3.x
Owner
License
GPL
Hits
70647
Files:
FileDescription
check_iptables.shplugin file for checkIPtables
Nagios CSP

Meet The New Nagios Core Services Platform

Built on over 25 years of monitoring experience, the Nagios Core Services Platform provides insightful monitoring dashboards, time-saving monitoring wizards, and unmatched ease of use. Use it for free indefinitely.

Monitoring Made Magically Better

  • Nagios Core on Overdrive
  • Powerful Monitoring Dashboards
  • Time-Saving Configuration Wizards
  • Open Source Powered Monitoring On Steroids
  • And So Much More!
Plugin written as bash script to check the health of iptables and the rules in there. It performs several check:
* checks command ($DEF_IPT and $DEF_IPS) and rulefiles ($DEF_IPT_RFILE and $DEF_IPS_RFILE), returns 3 in case of error
* checks if iptables command can be called with no error,
if not return 2
* checks INPUT, FORWARD and OUTPUT and returns 2 if
no rules are found in chain AND default policy is NOT
according to $DEF_POL_XXX
* checks every chain for $DEF_POL_XXX and returns 1 in error case
* checks iptables -L -n output and compares to a rules
file returns 1 if rules in place are not the same than
in the file
* checks ipset definitions and compares the actual rules
to a rules file ($DEF_IPS_RFILE) returns 1 upon error

The script is quite strict. If only the order of rules in iptables change compared to rules config, the script issues a WARNING
* Prequisites
* nagios (>=3), icigna, iptables, ipset, bash ...
* see here for (https://project.brain-force.ch/Nagios/wiki/plugins/security/firewall/checkIPtables#preq) more complete list
* it might run with other shells than bash although not tested with others
* it should work with older versions of nagios (<3) too.[[BR]]As this plugin can return several lines it's recommended to use >=3 because only from this version onward multiline support for return values is included
* On which platforms does it run?
* it should run in most Unix-Linux enviorements
* currently only tested on debian-squeeze but as long as (https://project.brain-force.ch/Nagios/wiki/plugins/security/firewall/checkIPtables#preq) the prequisites are satisfied it should run on almost every NIX :-)
* Common pitfalls:
* nagios user cannot access the command files
* ensure a non-root user can run the code (https://project.brain-force.ch/Nagios/wiki/plugins/security/firewall/checkIPtables#important)
* consistency check always fails
* generate rule file content (https://project.brain-force.ch/Nagios/wiki/plugins/security/firewall/checkIPtablesConfig#point3)
>>
iptables -L -n > $DEF_IPT_RFILE
ipset -L > $DEF_IPS_RFILE
>>
* if you use fail2ban (or similar software) see (https://project.brain-force.ch/Nagios/ticket/1)
* plugin does nothing
* don't forget that the plugin is NOT running as root but (mostly) as nagios. Ensure that nagios is allowed to access the commands and files needed
* test as user nagios (https://project.brain-force.ch/Nagios/wiki/plugins/security/firewall/checkIPtablesConfig#point4)
>>
su nagios -s /bin/bash -c /usr/lib/nagios/plugins/check_iptables
>>