checkIPtables

Submit review Recommend Print Contact Owner Visit

Rating

0 votes

Favoured:

Current Version

0.1

Last Release Date

2012-04-28

Compatible With

Nagios 3.x

Owner

tobi

Website

project.brain-force.ch/Nagios/wiki/plugins/security/firewall

Download URL

project.brain-force.ch/Nagios/browser/checkIPtables/trunk/ch...

License

GPL

Hits

70216

Files:

File	Description
check_iptables.sh	plugin file for checkIPtables

Network Monitoring Software - Download Nagios XI

Log Management Software - Nagios Log Server - Download

Netflow Analysis Software - Nagios Network Analyzer - Download

Plugin written as bash script to check the health of iptables and the rules in there. It performs several check:
* checks command ($DEF_IPT and $DEF_IPS) and rulefiles ($DEF_IPT_RFILE and $DEF_IPS_RFILE), returns 3 in case of error
* checks if iptables command can be called with no error,
if not return 2
* checks INPUT, FORWARD and OUTPUT and returns 2 if
no rules are found in chain AND default policy is NOT
according to $DEF_POL_XXX
* checks every chain for $DEF_POL_XXX and returns 1 in error case
* checks iptables -L -n output and compares to a rules
file returns 1 if rules in place are not the same than
in the file
* checks ipset definitions and compares the actual rules
to a rules file ($DEF_IPS_RFILE) returns 1 upon error

The script is quite strict. If only the order of rules in iptables change compared to rules config, the script issues a WARNING

* Prequisites
* nagios (>=3), icigna, iptables, ipset, bash ...
* see here for (https://project.brain-force.ch/Nagios/wiki/plugins/security/firewall/checkIPtables#preq) more complete list
* it might run with other shells than bash although not tested with others
* it should work with older versions of nagios (<3) too.[[BR]]As this plugin can return several lines it's recommended to use >=3 because only from this version onward multiline support for return values is included
* On which platforms does it run?
* it should run in most Unix-Linux enviorements
* currently only tested on debian-squeeze but as long as (https://project.brain-force.ch/Nagios/wiki/plugins/security/firewall/checkIPtables#preq) the prequisites are satisfied it should run on almost every NIX :-)
* Common pitfalls:
* nagios user cannot access the command files
* ensure a non-root user can run the code (https://project.brain-force.ch/Nagios/wiki/plugins/security/firewall/checkIPtables#important)
* consistency check always fails
* generate rule file content (https://project.brain-force.ch/Nagios/wiki/plugins/security/firewall/checkIPtablesConfig#point3)
>>
iptables -L -n > $DEF_IPT_RFILE
ipset -L > $DEF_IPS_RFILE
>>
* if you use fail2ban (or similar software) see (https://project.brain-force.ch/Nagios/ticket/1)
* plugin does nothing
* don't forget that the plugin is NOT running as root but (mostly) as nagios. Ensure that nagios is allowed to access the commands and files needed
* test as user nagios (https://project.brain-force.ch/Nagios/wiki/plugins/security/firewall/checkIPtablesConfig#point4)
>>
su nagios -s /bin/bash -c /usr/lib/nagios/plugins/check_iptables
>>

Reviews (0)

Be the first to review this listing!

Nagios, the Nagios logo, and Nagios graphics are the servicemarks, trademarks, or registered trademarks owned by Nagios Enterprises. All other servicemarks and trademarks are the property of their respective owner. The files and information on this site are the property of their respective owner(s). Nagios Enterprises makes no claims or warranties as to the fitness of any file or information on this website, for any purpose whatsoever. In fact, we officially disclaim all liability. We do, however, think these community contributions are pretty damn cool. Website Copyright © 2009-2024 Nagios Enterprises, LLC. All rights reserved.