Compatible With
  • Nagios 3.x
check_iptables.sh: plugin file for checkIPtables
Plugin written as a bash script to check the health of iptables and the rules loaded in it. Exit codes follow the Nagios convention (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN). It performs several checks:
* checks that the commands ($DEF_IPT and $DEF_IPS) and the rule files ($DEF_IPT_RFILE and $DEF_IPS_RFILE) are present and accessible; returns 3 (UNKNOWN) in case of error
* checks that the iptables command can be called without error; if not, returns 2 (CRITICAL)
* checks the INPUT, FORWARD and OUTPUT chains and returns 2 (CRITICAL) if a chain contains no rules AND its default policy does NOT match $DEF_POL_XXX
* checks the default policy of every chain against $DEF_POL_XXX and returns 1 (WARNING) if it differs
* compares the output of iptables -L -n with the rules file ($DEF_IPT_RFILE) and returns 1 (WARNING) if the rules in place are not the same as those in the file
* compares the current ipset definitions with a rules file ($DEF_IPS_RFILE) and returns 1 (WARNING) if they differ

The script is quite strict: the comparison is a textual one, so if only the order of the rules in iptables changes compared to the rules file, the script issues a WARNING. Regenerate the rule files after every intended change to the firewall, otherwise the check stays in WARNING.
* Prerequisites
  * nagios (>=3), Icinga, iptables, ipset, bash ...
  * see here for (https://project.brain-force.ch/Nagios/wiki/plugins/security/firewall/checkIPtables#preq) a more complete list
  * it might run with shells other than bash, although this has not been tested
  * it should work with older versions of nagios (<3) too. As this plugin can return several lines of output, nagios >=3 is recommended, because multiline plugin output is only supported from this version onward
* On which platforms does it run?
  * it should run in most Unix/Linux environments
  * currently only tested on Debian squeeze, but as long as the prerequisites (https://project.brain-force.ch/Nagios/wiki/plugins/security/firewall/checkIPtables#preq) are satisfied it should run on almost every *NIX :-)
* Common pitfalls:
  * nagios user cannot access the command files
    * ensure a non-root user can run the code (https://project.brain-force.ch/Nagios/wiki/plugins/security/firewall/checkIPtables#important)
  * consistency check always fails
    * generate the rule file content from the rules currently loaded (https://project.brain-force.ch/Nagios/wiki/plugins/security/firewall/checkIPtablesConfig#point3), and do so again after every intended rule change:
      iptables -L -n > $DEF_IPT_RFILE
      ipset -L > $DEF_IPS_RFILE
    * if you use fail2ban (or similar software that adds rules and chains dynamically, so the live rules never match a static file) see (https://project.brain-force.ch/Nagios/ticket/1)
  * plugin does nothing
    * don't forget that the plugin is NOT running as root but (mostly) as nagios. Ensure that nagios is allowed to access the commands and files needed
    * test as user nagios (https://project.brain-force.ch/Nagios/wiki/plugins/security/firewall/checkIPtablesConfig#point4):
      su nagios -s /bin/bash -c /usr/lib/nagios/plugins/check_iptables
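As an added example (not code from the checkIPtables plugin or its author), the following bash script shows a stripped-down version of the policy and rule-file checks described at the top of the page, together with the rule-file generation and the nagios-user test from the pitfalls above. The comparison functions take the "iptables -L -n" text as an argument, so they can be exercised on the constructed sample listings without root or a live firewall. The variable names DEF_POL_INPUT/DEF_POL_FORWARD/DEF_POL_OUTPUT, their values, the sample listings and the check_iptables_live wrapper are assumptions made for this example; the real plugin's variables and logic are not shown on this page. The ipset comparison is left out.

```shell
#!/bin/bash
# Added example, not the checkIPtables plugin's own code: a stripped-down version
# of its policy and rule-file checks. The comparison logic takes the "iptables -L -n"
# text as an argument so it runs on the constructed samples below without root.
# DEF_POL_* values, the samples and check_iptables_live are assumptions.

OK=0; WARNING=1; CRITICAL=2; UNKNOWN=3   # Nagios plugin exit codes
DEF_POL_INPUT=DROP; DEF_POL_FORWARD=DROP; DEF_POL_OUTPUT=ACCEPT   # expected policies (assumed)

# Constructed rule file, as written by: iptables -L -n > $DEF_IPT_RFILE
SAVED_RULES='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
Chain FORWARD (policy DROP)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Same rules with the two INPUT rules swapped: the strict check still warns
REORDERED_RULES='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Flushed firewall: empty chains, everything ACCEPT, which must be CRITICAL
FLUSHED_RULES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# chain_policy LISTING CHAIN: print the default policy of CHAIN
chain_policy() {
    printf '%s\n' "$1" | sed -n "s/^Chain $2 (policy \([A-Z]*\)).*/\1/p"
}

# chain_rule_count LISTING CHAIN: print the number of rule lines in CHAIN
chain_rule_count() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        /^Chain /  { in_chain = ($2 == chain); next }
        /^target / { next }
        in_chain && NF > 0 { n++ }
        END { print n + 0 }'
}

# check_policies LISTING: CRITICAL if a built-in chain is empty AND its policy
# is not the expected one, WARNING if only the policy differs, else OK
check_policies() {
    pol_rc=$OK
    for chain in INPUT FORWARD OUTPUT; do
        eval "want=\$DEF_POL_$chain"
        have=$(chain_policy "$1" "$chain")
        if [ "$have" = "$want" ]; then continue; fi
        if [ "$(chain_rule_count "$1" "$chain")" -eq 0 ]; then
            echo "CRITICAL: chain $chain is empty with policy $have (expected $want)"
            pol_rc=$CRITICAL
        else
            echo "WARNING: chain $chain has policy $have (expected $want)"
            if [ "$pol_rc" -lt "$WARNING" ]; then pol_rc=$WARNING; fi
        fi
    done
    return "$pol_rc"
}

# compare_rules SAVED LIVE: OK only on an exact match with the rule file;
# the same rules in another order are still a WARNING, as in the plugin
compare_rules() {
    if [ "$1" = "$2" ]; then echo "OK: rules match the rule file"; return "$OK"; fi
    if [ "$(printf '%s\n' "$1" | sort)" = "$(printf '%s\n' "$2" | sort)" ]; then
        echo "WARNING: same rules as the rule file, but in a different order"
    else
        echo "WARNING: rules differ from the rule file"
    fi
    return "$WARNING"
}

# check_iptables_live RULEFILE: the real check, to be run as the nagios user
# (that user needs permission to call iptables, e.g. through a sudo rule)
check_iptables_live() {
    if [ ! -r "$1" ]; then echo "UNKNOWN: cannot read rule file $1"; return "$UNKNOWN"; fi
    if ! live=$(iptables -L -n 2>/dev/null); then
        echo "CRITICAL: iptables -L -n failed"; return "$CRITICAL"
    fi
    p=0; check_policies "$live" || p=$?
    c=0; compare_rules "$(cat "$1")" "$live" || c=$?
    if [ "$p" -gt "$c" ]; then return "$p"; else return "$c"; fi
}

# Demo over the constructed samples; on a host call check_iptables_live "$DEF_IPT_RFILE"
for name in SAVED_RULES REORDERED_RULES FLUSHED_RULES; do
    eval "live=\$$name"; echo "== $name"
    check_policies "$live" || true
    compare_rules "$SAVED_RULES" "$live" || true
done
```

Running the script as-is prints OK for the saved listing, a WARNING about ordering for the reordered one, and CRITICAL plus WARNING for the flushed firewall. To reproduce the pitfalls above on a real host, run it the way the page recommends, as the nagios user (su nagios -s /bin/bash -c '...'): if that user cannot call iptables, the live wrapper reports CRITICAL rather than silently doing nothing, and an unreadable rule file is reported as UNKNOWN.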