nagios 实时监控 iptables 状态

【功能】：实时监控Iptables，防止人为关闭后，忘了开启，或者监控规则是否有增删。

【说明】脚本来至官方，这个脚本是通过获取iptables规则条数来判断iptables是否正常。运行参数：./check_iptables.sh -T filter -r 1（filter为表名） (1为规则条数)原脚本是当检测到的规则条数大于-r参数时提示正常，否则不正常。（我改成了当等于规则条数时，提示正常。如果你的规则是动态的增加的则可以改为大于时提示正常）同时将当前用户写入/var/log/iptables/iptables.log中。

ps：当然这个脚本缺点是不能监控规则更改，不过目前我采用了另外一种方法。暂时不公开。

【设置】 

在nrpe端

1、新建iptables监控日志目录 /var/log/iptables/

2、将check_iptables.sh（在下面或下载附件）脚本授权并修改属主放入..nagios/libexec/ 目录中。

修改nrpe.cfg 添加 

command[check_iptables]=/usr/local/nagios/libexec/check_iptables.sh -T filter -r n   (n为条数)

脚本调用了iptables，iptables默认只允许root调用。所以需要修改sudo

使用visodu命令添加以下语句，表示只允许nagios用户不用密码使用该条命令(包括参数)。使用其它iptables参数是不行的，可以自己测试。最大程度保障安全。

nagios ALL= NOPASSWD: /sbin/iptables -n -t filter -L

重启nrpe进程。

（如果遇到nagios没有权限调用iptables 则参考http://xikder.blog.51cto.com/1423200/785618处理方法） 

在nagios端

service中添加

define service {
        use                  web-service
        host_name             XX
        service_description   iptables_status
        check_command         check_nrpe!check_iptables
        }

检测配置并重启nagios。

【脚本】check_iptables.sh

#!/bin/bash
#
# Developers: Rhommel Lamas
# Purpose: Nagios Plugin for Iptables Rules load check
# Version 0.5
#
# ---------------------------------------- License -----------------------------------------------------
#
# This program is free software: you can redistribute it and/or modify
#   it under the terms of the GNU General Public License as published by
#   the Free Software Foundation, either version 3 of the License, or
#   (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
# ---------------------------------------- Documentation -------------------------------------------------
#
# Documentation about iptables: ~:# man iptables
#
# This scripts is intended to be used to check if your iptables rules are set correctly load at any time,
#   I didn't find a better way to check if a server has your rules loaded so I check the number of
#   configured rules and if they are less than they should be Nagios will send an alert using it
#   notify service.
#
# -----------------------------------------------------------------------------------------------------
#  Plugin Description
# -----------------------------------------------------------------------------------------------------
#
# This Plugin handled 2 States
#   OK - The number of Iprules equal o more than the minimun that we setup on the -r variable
#   CRITICAL - The number of IPrules are less than the minimun required.
#   UNKNOWN - It could be something about validation on the parameters
#
# This plugin also send and log every check to the file $LOG so if the plugins goes critical we can se who
# disable the iptables comparing the time with the auth file.
#----------------------------------------------------------------------------------------------------------
#   Initialization
#----------------------------------------------------------------------------------------------------------
PARAM1=$1
TABLE=$2
MINRULES=$3
PARAM4=$4
LOG=/var/log/iptables/iptables.log
CHKIPTBLS=`sudo /sbin/iptables -n -t filter -L |wc -l`

#
# Parameter Validation
##

if [ "$PARAM1" != "-T" -o "$TABLE" == "" -o "$MINRULES" != "-r" -o "$PARAM4" == "" ]; then
        echo "Usage: $0 -T <table> -r <min rules>"
        echo ""
        exit 3
                # Nagios exit code 3 = status UNKNOWN = orange


if [ "$PARAM1" == "-h" ]; then
        echo ""
        echo "      -h = Display's this Help"
        echo "      -T = Table to check"
        echo "               Available Tables:"
        echo "                  nat"
        echo "                  mangle"
        echo "                  filter"
        echo "      -r = Minimun quantity of rules"
        echo ""
        # Nagios exit code 3 = status UNKNOWN = orange
                exit 3
   fi
fi

##
#   DO NOT MODIFY ANYTHING BELOW THIS
##

$CHKIPTBLS >/dev/null 2>/dev/null

if [ "$CHKIPTBLS" == 0 ]; then
    TOTRULES=$CHKIPTBLS
else
    TOTRULES=$[$CHKIPTBLS-8]
fi


if [ "$TOTRULES" == "$PARAM4" ]; then
                    echo "OK - Iptables are OK The Table $TABLE and Chain $CHAIN has $TOTRULES rules configured"
                    # Nagios exit code 0 = status OK = green
                    exit 0
else
                    echo " CRITICAL - Iptables are CRITICAL The Table $TABLE and Chain $CHAIN has $TOTRULES rules configured"
                    for i in `w  -h | cut -f1 -d" " | sort | uniq`
                    do

                        echo "`date '+%d/%m/%Y - %H:%M:%S'` - CRITICAL - $i is logged in and there are only $TOTRULES loaded" >> $LOG
                    done
                    # Nagios exit code 2 = status CRITICAL = red
                    exit 2
fi

 附件已上传，在下面。