Bash script to do basic checking of iptables.
Current Version
Last Release Date
May 28, 2009
Owner
Nagios Exchange
Compatible With
check_iptables.sh
The script does not (and cannot) detect "stupid" rules. Its purpose is to ensure that iptables and the configured rules (whatever they may be) are loaded. It is useful for identifying situations such as:
- forgetting to start iptables at boot
- stopping iptables for testing and forgetting to restart it
- etc.
Normal condition is when all tables have 1 or more rules. Critical condition is when a table (any table) has 0 rules.
Added $TABLE:

    CHKIPTBLS=`/sbin/iptables -n -t $TABLE -L | wc -l`

Added the nrpe user to sudoers:

    Defaults!/usr/local/nagios/libexec/check_iptables.sh !requiretty
    nagios ALL=NOPASSWD: /usr/local/nagios/libexec/check_iptables.sh

I would not recommend adding the following to sudoers:

    nagios ALL= NOPASSWD: /sbin/iptables

I also imported utils.sh and used its exit codes, but this may not be required:

    . /usr/local/nagios/libexec/utils.sh
    exit $STATE_OK
    exit $STATE_CRITICAL
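Piping `iptables -L` through `wc -l` also counts the per-chain header lines, so an empty table never reaches a count of 0. The following is an added example (not the plugin's code and not the reviewer's) that counts rules per table from `iptables-save` output instead, where every `-A` line is one rule and chain or policy lines are never counted; it assumes the standard `iptables-save` text format, and the sample dump is constructed.

```shell
#!/bin/sh
# Added example, not the plugin's code: count rules per table from
# iptables-save text; only "-A" lines are rules. Sample input is constructed.

# count_rules TABLE  -- reads iptables-save text on stdin and prints the
# number of "-A" rule lines in TABLE (0 if the table is empty or absent).
count_rules() {
    awk -v want="$1" '
        /^\*/  { tbl = substr($0, 2); next }   # "*filter" opens a table
        /^-A / { if (tbl == want) n++ }        # one appended rule
        END    { print n + 0 }
    '
}

# check_tables TABLE...  -- reads iptables-save text on stdin, prints a
# Nagios-style status line and returns 0 (OK) or 2 (CRITICAL).
check_tables() {
    dump=$(cat)
    status=0
    out=""
    for t in "$@"; do
        n=$(printf '%s\n' "$dump" | count_rules "$t")
        if [ "$n" -eq 0 ]; then
            status=2
        fi
        out="${out}${t}=${n} "
    done
    if [ "$status" -eq 0 ]; then
        echo "IPTABLES OK - rules per table: $out"
    else
        echo "IPTABLES CRITICAL - a table has 0 rules: $out"
    fi
    return "$status"
}
# Constructed sample: filter has three rules, nat has chains but no rules.
SAMPLE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'
# Real use (as root or via sudo): iptables-save | check_tables filter nat
```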
Thanks for the check. I like to be able to check both IPv6 and IPv4, so that is what the edit below does. (Paths used in this script are adapted for Debian/Ubuntu based systems.)

    #!/bin/bash
    case $# in
    1)
        case $1 in
        -4) IPT='/sbin/iptables' ;;
        -6) IPT='/sbin/ip6tables' ;;
        *)  echo "Usage: $0 [-4][-6]" ; exit 1 ;;
        esac
        GREP='/bin/grep'
        AWK='/usr/bin/awk'
        EXPR='/usr/bin/expr'
        WC='/usr/bin/wc'
        STAT=0
        OUTPUT=''
        # list every chain in the filter table
        CHAINS=`$IPT -nvL | $GREP 'Chain' | $AWK '{ print $2 }'`
        for CHAIN in $CHAINS ; do
            # skip FORWARD, OUTPUT and LOG_* chains
            if [ "$CHAIN" != 'FORWARD' ] && [ "$CHAIN" != 'OUTPUT' ] && [ `$EXPR substr $CHAIN 1 4` != "LOG_" ] ; then
                # "-S CHAIN" prints the chain's -P/-N line first, so subtract one
                CNT=`$EXPR $($IPT -S $CHAIN | $WC -l) '-' 1`
                if [ $CNT -eq 0 ] ; then
                    OUTPUT="${OUTPUT}ERROR $CHAIN $CNT rules! "
                    STAT=2
                else
                    OUTPUT="${OUTPUT}OK $CHAIN $CNT rules "
                fi
            fi
        done
        echo $OUTPUT
        exit $STAT
        ;;
    *)
        echo "Usage: $0 [-4][-6]"
        exit 1
        ;;
    esac
I'd coded a similar plugin independently when I found this plugin already exists: http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/nagios-plugin-check_iptables/check_iptables
The differences with my plugin are:
- can set up the needed sudo rules if invoked with the -S argument
- you can specify warning and critical levels for how many rules you need to have present
- can check other tables/chains than filter/INPUT via command line args
License: GPL v2 (same as Nagios)