check_iptables
The script does not (and cannot) detect "stupid" rules. Its purpose is to ensure that iptables and the configured rules (whatever they may be) are loaded.
It is useful to identify situations such as:
- forgetting to start iptables at boot
- stopping iptables for testing and forgetting to restart it
- etc.
Normal condition is where all tables have 1 or more rules.
Critical condition is when a table (any table) has 0 rules.
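The rule-count logic described above, as an added example that is neither the plugin's own code nor any reviewer's: it reads an `iptables -S` listing for one table from stdin (so a captured dump can be checked without root) and returns the Nagios exit status. The sample listing in the block is constructed.

```bash
#!/bin/bash
# Added example (not the plugin's or a reviewer's code): apply the "0 rules
# is CRITICAL" logic to an `iptables -S` listing read from stdin, so it can
# be exercised on a captured dump without root. Sample data is constructed.

# Print "CHAIN COUNT" per chain, counting only -A (rule) lines. -P (policy)
# and -N (user chain) lines define a chain but are not rules, which is why
# the plugin subtracts 1 from `iptables -S CHAIN | wc -l`.
rules_per_chain() {
    awk '
        $1 == "-P" || $1 == "-N" { if (!($2 in n)) { n[$2] = 0; order[++k] = $2 }; next }
        $1 == "-A"               { if (!($2 in n)) { n[$2] = 0; order[++k] = $2 }; n[$2]++ }
        END { for (i = 1; i <= k; i++) print order[i], n[order[i]] }
    '
}

# Nagios verdict for one table: returns 2 (CRITICAL) if any chain has 0 rules
# or the listing is empty (iptables not loaded at all), otherwise 0 (OK).
# Usage: iptables -S -t TABLE | check_table TABLE
check_table() {
    local table=$1 status=0 output='' chain count counts
    counts=$(rules_per_chain)
    while read -r chain count; do
        [ -z "$chain" ] && continue
        if [ "$count" -eq 0 ]; then
            output="${output}ERROR $table/$chain 0 rules! "
            status=2
        else
            output="${output}OK $table/$chain $count rules "
        fi
    done <<< "$counts"
    if [ -z "$output" ]; then
        echo "CRITICAL: no chains listed for table $table (iptables not loaded?)"
        return 2
    fi
    if [ "$status" -eq 0 ]; then echo "OK: $output"; else echo "CRITICAL: $output"; fi
    return "$status"
}

# Constructed sample: INPUT has two rules, OUTPUT one, FORWARD none.
SAMPLE_FILTER='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -j ACCEPT'

# Stand-alone demonstration; prints a CRITICAL line because FORWARD is empty.
printf '%s\n' "$SAMPLE_FILTER" | check_table filter || :
```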
Reviews (3)
by rhousand, July 19, 2013
Added $TABLE:
    CHKIPTBLS=`/sbin/iptables -n -t $TABLE -L | wc -l`
Added nrpe user to sudoers:
    Defaults!/usr/local/nagios/libexec/check_iptables.sh !requiretty
    nagios ALL=NOPASSWD: /usr/local/nagios/libexec/check_iptables.sh
I would not recommend adding the following to sudoers:
    nagios ALL= NOPASSWD: /sbin/iptables
I also imported utils.sh and used its exit codes, but this may not be required:
    . /usr/local/nagios/libexec/utils.sh
    exit $STATE_OK
    exit $STATE_CRITICAL
by stephan, April 15, 2012
Thanks for the check.
I like to be able to check both IPv6 and IPv4, so that is what the edit below does:
(Paths used in this script are adapted for Debian/Ubuntu based systems.)

    #!/bin/bash
    case $# in
    1)
        # Select the IPv4 or IPv6 binary; any other argument is a usage error
        # (previously this fell through with IPT unset).
        case $1 in
        -4)
            IPT='/sbin/iptables'
            ;;
        -6)
            IPT='/sbin/ip6tables'
            ;;
        *)
            echo "Usage: $0 [-4][-6]"
            exit 1
            ;;
        esac
        GREP='/bin/grep'
        AWK='/usr/bin/awk'
        EXPR='/usr/bin/expr'
        WC='/usr/bin/wc'
        STAT=0
        OUTPUT=''
        # All chain names of the filter table
        CHAINS=`$IPT -nvL | $GREP 'Chain' | $AWK '{ print $2 }'`
        for CHAIN in $CHAINS ; do
            # Skip FORWARD, OUTPUT and LOG_* chains, which may legitimately be empty
            if [ "$CHAIN" != 'FORWARD' ] && [ "$CHAIN" != 'OUTPUT' ] && [ `$EXPR substr $CHAIN 1 4` != "LOG_" ] ; then
                # `iptables -S CHAIN` prints one policy/definition line plus one line per rule
                CNT=`$EXPR $($IPT -S $CHAIN | $WC -l) '-' 1`
                if [ $CNT -eq 0 ] ; then
                    OUTPUT="${OUTPUT}ERROR $CHAIN $CNT rules! "
                    STAT=2
                else
                    OUTPUT="${OUTPUT}OK $CHAIN $CNT rules "
                fi
            fi
        done
        echo $OUTPUT
        exit $STAT
        ;;
    *)
        echo "Usage: $0 [-4][-6]"
        exit 1
        ;;
    esac
by glen, March 18, 2010
I've coded a similar plugin independently, and then found this plugin already exists...
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/nagios-plugin-check_iptables/check_iptables
Differences with my plugin are:
- can set up the needed sudo rules if invoked with the -S argument
- you can specify warning and critical levels for how many rules you need to have present
- can check other tables/chains than filter/INPUT via command line args.
License: GPL v2 (same as Nagios)