【Function】: Monitor iptables in real time, to catch the case where someone turns it off by hand and forgets to turn it back on, and to check whether rules have been added or removed.
【Notes】 The script comes from the official source; it decides whether iptables is in a healthy state by counting the number of iptables rules. Run it as: ./check_iptables.sh -T filter -r 1 (filter is the table name, 1 is the number of rules). The original script reports OK when the detected rule count is greater than the -r parameter, and not OK otherwise. (I changed it to report OK only when the count equals the number of rules; if your rules are added dynamically you can change it back to reporting OK when the count is greater.) At the same time it writes the currently logged-in users to /var/log/iptables/iptables.log.
PS: The drawback of this script, of course, is that it cannot detect changes to the rules themselves. I am currently using a different method for that, which I will not publish for now.
【Setup】
On the NRPE side
1. Create the iptables monitoring log directory /var/log/iptables/.
2. Make check_iptables.sh (listed below, or download the attachment) executable, set its owner, and put it in the ..nagios/libexec/ directory.
Edit nrpe.cfg and add:

```
command[check_iptables]=/usr/local/nagios/libexec/check_iptables.sh -T filter -r n (n is the number of rules)
```

The script calls iptables, which by default only root may run, so sudo has to be configured.
Use the visudo command to add the following line, which allows only the nagios user to run exactly this command (including its arguments) without a password. Any other iptables arguments will be refused; you can test this yourself. This keeps the exposure as small as possible.

```
nagios ALL= NOPASSWD: /sbin/iptables -n -t filter -L
```

Restart the nrpe process.
(If nagios has no permission to call iptables, see the fix at http://xikder.blog.51cto.com/1423200/785618.)
On the Nagios side
Add to the service definitions:

```
define service {
    use                  web-service
    host_name            XX
    service_description  iptables_status
    check_command        check_nrpe!check_iptables
}
```

Verify the configuration and restart nagios.
【Script】check_iptables.sh
```bash
#!/bin/bash
#
# Developers: Rhommel Lamas
# Purpose: Nagios Plugin for Iptables Rules load check
# Version 0.5
#
# ---------------------------------------- License -----------------------------------------------------
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# ---------------------------------------- Documentation -------------------------------------------------
#
# Documentation about iptables: ~:# man iptables
#
# This script is intended to check that your iptables rules are loaded at any time.
# I didn't find a better way to check if a server has your rules loaded, so I count the number of
# configured rules and if they are not what they should be, Nagios will send an alert using its
# notify service.
#
# -----------------------------------------------------------------------------------------------------
# Plugin Description
# -----------------------------------------------------------------------------------------------------
#
# This plugin handles 3 states:
# OK       - The number of iptables rules equals the count given with -r
#            (the upstream plugin reports OK when the count is equal or more).
# CRITICAL - The number of iptables rules differs from the required count.
# UNKNOWN  - Parameter validation failed.
#
# This plugin also logs every critical check to the file $LOG, so if the plugin goes critical we can
# see who disabled iptables by comparing the time with the auth log.
#----------------------------------------------------------------------------------------------------------
# Initialization
#----------------------------------------------------------------------------------------------------------
PARAM1=$1
TABLE=$2
MINRULES=$3
PARAM4=$4
LOG=/var/log/iptables/iptables.log
#
# Parameter Validation
##
# -h must be handled before the usage check, otherwise it is never reached
if [ "$PARAM1" == "-h" ]; then
    echo ""
    echo " -h = Displays this help"
    echo " -T = Table to check"
    echo "      Available tables:"
    echo "        nat"
    echo "        mangle"
    echo "        filter"
    echo " -r = Required number of rules (must match exactly)"
    echo ""
    # Nagios exit code 3 = status UNKNOWN = orange
    exit 3
fi
if [ "$PARAM1" != "-T" -o "$TABLE" == "" -o "$MINRULES" != "-r" -o "$PARAM4" == "" ]; then
    echo "Usage: $0 -T <table> -r <rules>"
    echo ""
    # Nagios exit code 3 = status UNKNOWN = orange
    exit 3
fi
##
# DO NOT MODIFY ANYTHING BELOW THIS
##
# The table is hard-coded to "filter" so that the command matches the sudoers entry exactly;
# the -T parameter is validated but not used. Change this line and sudoers together.
CHKIPTBLS=$(sudo /sbin/iptables -n -t filter -L | wc -l)
if [ "$CHKIPTBLS" -eq 0 ]; then
    # No output at all: sudo or iptables failed, so report 0 rules
    TOTRULES=$CHKIPTBLS
else
    # iptables -L prints 2 header lines per chain plus a blank line between chains:
    # 8 non-rule lines for the three built-in filter chains (INPUT, FORWARD, OUTPUT).
    # Every user-defined chain adds 3 more lines, so adjust this if you use them.
    TOTRULES=$((CHKIPTBLS - 8))
fi
if [ "$TOTRULES" -eq "$PARAM4" ]; then
    echo "OK - Iptables are OK. The table $TABLE has $TOTRULES rules configured"
    # Nagios exit code 0 = status OK = green
    exit 0
else
    echo "CRITICAL - Iptables are CRITICAL. The table $TABLE has $TOTRULES rules configured"
    # Record who was logged in when the count changed, for correlation with the auth log
    for i in $(w -h | cut -f1 -d" " | sort | uniq); do
        echo "$(date '+%d/%m/%Y - %H:%M:%S') - CRITICAL - $i is logged in and there are only $TOTRULES rules loaded" >> "$LOG"
    done
    # Nagios exit code 2 = status CRITICAL = red
    exit 2
fi
```
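The plugin derives the rule count by subtracting a fixed 8 header lines from `iptables -n -t filter -L`, which breaks as soon as a user-defined chain exists. As an added example (not part of the original plugin or its author's code), the functions below count actual rule lines by skipping the chain headers, column headers and blank lines instead; `count_iptables_rules`, `naive_rule_count`, `check_rule_count` and the sample output are constructed for this illustration.

```bash
#!/bin/bash
# Added example: count real rules in `iptables -n -t filter -L` output.
# Rule lines are everything except "Chain ..." headers, the column header
# ("target prot opt ...") and blank lines, so user-defined chains do not skew the count.

count_iptables_rules() {
    # Reads `iptables -n -L` style output on stdin, prints the number of rule lines
    grep -Ev '^(Chain |target +prot|[[:space:]]*$)' | wc -l | tr -d ' '
}

# The plugin's own heuristic, for comparison: total lines minus 8 header/blank lines
naive_rule_count() {
    local lines
    lines=$(wc -l | tr -d ' ')
    echo $((lines - 8))
}

# Constructed sample output: filter table with one user-defined chain and 4 real rules
SAMPLE_OUTPUT='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
MYCHAIN    all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain MYCHAIN (1 references)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23
'

# Same exact-match check as the plugin, using Nagios exit codes (0 = OK, 2 = CRITICAL)
check_rule_count() {
    local expected=$1 actual
    actual=$(printf '%s' "$SAMPLE_OUTPUT" | count_iptables_rules)
    if [ "$actual" -eq "$expected" ]; then
        echo "OK - filter table has $actual rules"
        return 0
    fi
    echo "CRITICAL - filter table has $actual rules, expected $expected"
    return 2
}
```

On the sample above the naive heuristic reports 7 rules while the parsing count reports the correct 4; replace `SAMPLE_OUTPUT` with the real `sudo /sbin/iptables -n -t filter -L` output to use it in the plugin.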
The attachment has been uploaded; see below.