Build precise queries to find exactly what you need
Press ESC to close
Your review has been submitted and is pending approval.
Plugin written as bash script to check the health of iptables and the rules in there. It performs several check: * checks command ($DEF_IPT and $DEF_IPS) and rulefiles ($DEF_IPT_RFILE and $DEF_IPS_RFILE), returns 3 in case of error * checks if iptables command can be called with no error, if not return 2 * checks INPUT, FORWARD and OUTPUT and returns 2 if no rules are found in chain AND default policy is NOT according to $DEF_POL_XXX * checks every chain for $DEF_POL_XXX and returns 1 in error case * checks iptables -L -n output and compares to a rules file returns 1 if rules in place are not the same than in the file * checks ipset definitions and compares the actual rules to a rules file ($DEF_IPS_RFILE) returns 1 upon error The script is quite strict. If only the order of rules in iptables change compared to rules config, the script issues a WARNING
Current Version
0.1
Last Release Date
2012-04-28
Owner
Tobi
Website
https://project.brain-force.ch/Nagios/wiki/plugins/security/firewall/checkIPtables
Download URL
https://project.brain-force.ch/Nagios/browser/checkIPtables/trunk/check_iptables.sh?rev=head
License
GPL
Compatible With
* Prequisites * nagios (>=3), icigna, iptables, ipset, bash ... * see here for (https://project.brain-force.ch/Nagios/wiki/plugins/security/firewall/checkIPtables#preq) more complete list * it might run with other shells than bash although not tested with others * it should work with older versions of nagios (<3) too.[[BR]]As this plugin can return several lines it's recommended to use >=3 because only from this version onward multiline support for return values is included * On which platforms does it run? * it should run in most Unix-Linux enviorements * currently only tested on debian-squeeze but as long as (https://project.brain-force.ch/Nagios/wiki/plugins/security/firewall/checkIPtables#preq) the prequisites are satisfied it should run on almost every NIX :-) * Common pitfalls: * nagios user cannot access the command files * ensure a non-root user can run the code (https://project.brain-force.ch/Nagios/wiki/plugins/security/firewall/checkIPtables#important) * consistency check always fails * generate rule file content (https://project.brain-force.ch/Nagios/wiki/plugins/security/firewall/checkIPtablesConfig#point3) >> iptables -L -n > $DEF_IPT_RFILE ipset -L > $DEF_IPS_RFILE >> * if you use fail2ban (or similar software) see (https://project.brain-force.ch/Nagios/ticket/1) * plugin does nothing * don't forget that the plugin is NOT running as root but (mostly) as nagios. Ensure that nagios is allowed to access the commands and files needed * test as user nagios (https://project.brain-force.ch/Nagios/wiki/plugins/security/firewall/checkIPtablesConfig#point4) >> su nagios -s /bin/bash -c /usr/lib/nagios/plugins/check_iptables >>
You must be logged in to submit a review.
To:
From: