checkIPtables

Description:

Plugin written as a bash script to check the health of iptables and the rules loaded in it. It performs several checks:
* checks the commands ($DEF_IPT and $DEF_IPS) and the rule files ($DEF_IPT_RFILE and $DEF_IPS_RFILE), returns 3 in case of error
* checks if the iptables command can be called without error, if not returns 2
* checks INPUT, FORWARD and OUTPUT and returns 2 if no rules are found in the chain AND the default policy is NOT the one given in $DEF_POL_XXX
* checks every chain against $DEF_POL_XXX and returns 1 in the error case
* checks the iptables -L -n output and compares it to a rules file; returns 1 if the rules in place are not the same as in the file
* checks the ipset definitions and compares the actual sets to a rules file ($DEF_IPS_RFILE); returns 1 upon error

The script is quite strict: if only the order of rules in iptables changes compared to the rules config, the script issues a WARNING.
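The policy and rule-file checks described above, written out as an added bash example (this is not the plugin's own code). The expected policies and the iptables -L -n sample are constructed for the demonstration; the function names are my own.

```bash
#!/bin/bash
# Added example modelled on the checks checkIPtables describes (not the
# plugin's code); expected policies and the iptables output are constructed.
DEF_POL_INPUT=DROP; DEF_POL_FORWARD=DROP; DEF_POL_OUTPUT=ACCEPT
# Constructed sample of "iptables -L -n" output, not from a real host
SAMPLE_LIVE='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'
# Policy of chain $2 in the iptables -L -n output $1
chain_policy() {
    printf '%s\n' "$1" | sed -n "s/^Chain $2 (policy \([A-Z]*\))/\1/p"
}
# Number of rule lines in chain $2 of output $1 (header and blanks excluded)
chain_rule_count() {
    printf '%s\n' "$1" | awk -v c="$2" '$1 == "Chain" { cur = ($2 == c); next }
        cur && NF && !/^target/ { n++ }  END { print n + 0 }'
}
# Check INPUT/FORWARD/OUTPUT of output $1 against $DEF_POL_XXX: 2 if a chain
# has no rules AND a wrong policy, 1 if only the policy is wrong, else 0
check_policies() {
    rc=0
    for chain in INPUT FORWARD OUTPUT; do
        eval want=\$DEF_POL_$chain
        have=$(chain_policy "$1" "$chain")
        [ "$have" = "$want" ] && continue
        if [ "$(chain_rule_count "$1" "$chain")" -eq 0 ]; then
            echo "CRITICAL - $chain has no rules and policy $have (expected $want)"
            return 2
        fi
        echo "WARNING - $chain policy is $have (expected $want)"; rc=1
    done
    [ "$rc" -eq 0 ] && echo "OK - chain policies as expected"
    return "$rc"
}
# Compare output $1 with the saved rules file $2 (made by iptables -L -n > file);
# any difference, rule order included, is a WARNING as in checkIPtables
check_rulefile() {
    if printf '%s\n' "$1" | diff -q - "$2" >/dev/null; then
        echo "OK - rules match $2"; return 0
    fi
    echo "WARNING - rules in place differ from $2"; return 1
}
```

On a real host you would pass "$(iptables -L -n)" instead of $SAMPLE_LIVE and $DEF_IPT_RFILE as the rules file; the exit codes follow the Nagios convention used by the plugin.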

Current Version

0.1

Last Release Date

2012-04-28

Compatible With

  • Nagios 3.x

Owner

License

GPL


Project Files
Project Notes
* Prerequisites
  * nagios (>=3), icinga, iptables, ipset, bash ...
  * see here for a more complete list: https://project.brain-force.ch/Nagios/wiki/plugins/security/firewall/checkIPtables#preq
  * it might run with shells other than bash, although not tested with others
  * it should work with older versions of nagios (<3) too. As this plugin can return several lines it's recommended to use >=3 because only from this version onward multiline support for return values is included
* On which platforms does it run?
  * it should run in most Unix/Linux environments
  * currently only tested on debian-squeeze, but as long as the prerequisites (https://project.brain-force.ch/Nagios/wiki/plugins/security/firewall/checkIPtables#preq) are satisfied it should run on almost every NIX :-)
* Common pitfalls:
  * nagios user cannot access the command files
    * ensure a non-root user can run the code (https://project.brain-force.ch/Nagios/wiki/plugins/security/firewall/checkIPtables#important)
  * consistency check always fails
    * generate the rule file content (https://project.brain-force.ch/Nagios/wiki/plugins/security/firewall/checkIPtablesConfig#point3):
        iptables -L -n > $DEF_IPT_RFILE
        ipset -L > $DEF_IPS_RFILE
    * if you use fail2ban (or similar software) see https://project.brain-force.ch/Nagios/ticket/1
  * plugin does nothing
    * don't forget that the plugin is NOT running as root but (mostly) as nagios. Ensure that nagios is allowed to access the commands and files needed
    * test as user nagios (https://project.brain-force.ch/Nagios/wiki/plugins/security/firewall/checkIPtablesConfig#point4):
        su nagios -s /bin/bash -c /usr/lib/nagios/plugins/check_iptables
Project Stats
Rating
0 (0)
Favorites
1
Views
70,584