【Function】: Monitor iptables in real time, so that you notice when it has been stopped by hand and nobody turned it back on, and so that additions or removals of rules are noticed.
【Description】 The script comes from the official source. It decides whether iptables is healthy by fetching the number of iptables rules. Run it as: ./check_iptables.sh -T filter -r 1 (filter is the table name, 1 is the number of rules). The original script reports OK when the detected rule count is greater than the -r argument and not OK otherwise. (I changed it to report OK when the count equals the given rule count; if your rules are added dynamically you can change it back to reporting OK when the count is greater.) It also writes the currently logged-in users to /var/log/iptables/iptables.log.
PS: The drawback of this script is of course that it cannot detect rule modifications. I am currently using another method for that, which I will not publish for now.
【Setup】
On the NRPE side
1. Create the iptables monitoring log directory /var/log/iptables/
2. Make the check_iptables.sh script (listed below, or download the attachment) executable, set its owner, and place it in the ..nagios/libexec/ directory.
Edit nrpe.cfg and add (n is the rule count):
```
command[check_iptables]=/usr/local/nagios/libexec/check_iptables.sh -T filter -r n
```
The script calls iptables, and by default only root may call iptables, so sudo has to be configured.
Use the visudo command to add the following line. It allows the nagios user to run exactly this one command (including its arguments) without a password; other iptables arguments will not work, which you can test yourself. This keeps the grant as narrow as possible.
```
nagios ALL= NOPASSWD: /sbin/iptables -n -t filter -L
```
Restart the nrpe process.
(If nagios turns out to have no permission to call iptables, see http://xikder.blog.51cto.com/1423200/785618 for the fix.)
On the Nagios side
Add the following to the service definitions:
```
define service {
    use                 web-service
    host_name           XX
    service_description iptables_status
    check_command       check_nrpe!check_iptables
}
```
Check the configuration and restart nagios.
【Script】check_iptables.sh
```bash
#!/bin/bash
#
# Developers: Rhommel Lamas
# Purpose: Nagios Plugin for Iptables Rules load check
# Version 0.5
#
# ---------------------------------------- License -----------------------------------------------------
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# ---------------------------------------- Documentation -------------------------------------------------
#
# Documentation about iptables: ~:# man iptables
#
# This script is intended to check that your iptables rules are loaded at any time.
# I didn't find a better way to check whether a server has your rules loaded, so I count the
# configured rules and, if the count is not what it should be, Nagios will send an alert using
# its notify service.
#
# -----------------------------------------------------------------------------------------------------
# Plugin Description
# -----------------------------------------------------------------------------------------------------
#
# This plugin handles 3 states:
# OK       - The number of rules equals the value given with -r (the upstream plugin treated
#            "equal or more" as OK; this copy was changed to an exact match).
# CRITICAL - The number of rules differs from the expected value.
# UNKNOWN  - Parameter validation failed, or iptables could not be run.
#
# The plugin also logs every CRITICAL check to the file $LOG, so if it goes critical we can see
# who was logged in when iptables was disabled by comparing the time with the auth log.
#----------------------------------------------------------------------------------------------------------
# Initialization
#----------------------------------------------------------------------------------------------------------
PARAM1=$1
TABLE=$2
MINRULES=$3
PARAM4=$4
LOG=/var/log/iptables/iptables.log
#
# Parameter Validation
##
if [ "$PARAM1" == "-h" ]; then
    echo ""
    echo " -h = Displays this help"
    echo " -T = Table to check"
    echo "      Available tables:"
    echo "        nat"
    echo "        mangle"
    echo "        filter"
    echo " -r = Expected number of rules"
    echo ""
    # Nagios exit code 3 = status UNKNOWN = orange
    exit 3
fi
if [ "$PARAM1" != "-T" -o "$TABLE" == "" -o "$MINRULES" != "-r" -o "$PARAM4" == "" ]; then
    echo "Usage: $0 -T <table> -r <expected rules>"
    echo ""
    # Nagios exit code 3 = status UNKNOWN = orange
    exit 3
fi
case "$TABLE" in
    nat|mangle|filter) ;;
    *) echo "UNKNOWN - unknown table '$TABLE'"; exit 3 ;;
esac
case "$PARAM4" in
    ''|*[!0-9]*) echo "UNKNOWN - -r expects a number, got '$PARAM4'"; exit 3 ;;
esac
##
# DO NOT MODIFY ANYTHING BELOW THIS
##
# List the table through sudo. The sudoers entry from the setup only permits
# "/sbin/iptables -n -t filter -L", so the command must match it exactly; to check
# another table the sudoers line has to allow that table as well.
if ! LISTING=$(sudo /sbin/iptables -n -t "$TABLE" -L 2>/dev/null); then
    echo "UNKNOWN - unable to run iptables (check the sudoers entry)"
    exit 3
fi
# Count rule lines only: drop the "Chain ..." headers, the column-header lines and blank
# lines. (The original subtracted a fixed 8 header lines, which is only right for the three
# built-in filter chains and miscounts as soon as a user-defined chain exists.)
TOTRULES=$(printf '%s\n' "$LISTING" | grep -Evc '^(Chain |target |[[:space:]]*$)' || true)
if [ "$TOTRULES" -eq "$PARAM4" ]; then
    echo "OK - Iptables are OK, table $TABLE has $TOTRULES rules configured"
    # Nagios exit code 0 = status OK = green
    exit 0
else
    echo "CRITICAL - Iptables are CRITICAL, table $TABLE has $TOTRULES rules configured (expected $PARAM4)"
    # Record who is logged in right now so the change can be matched against the auth log
    for i in $(w -h | cut -f1 -d" " | sort -u)
    do
        echo "$(date '+%d/%m/%Y - %H:%M:%S') - CRITICAL - $i is logged in and there are only $TOTRULES rules loaded" >> "$LOG"
    done
    # Nagios exit code 2 = status CRITICAL = red
    exit 2
fi
```
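As an added example (not part of the original post or of the upstream plugin), the following shell snippet runs the two ways of deriving a rule count from `iptables -n -t filter -L` output over a constructed listing and then applies the post's equality check. The sample listing, the `LOGDROP` chain in it and the function names are made up for the demonstration; it runs offline and never calls iptables itself.

```shell
#!/bin/bash
# Added example: how the rule count is derived from `iptables -n -t filter -L` output,
# and why a fixed header offset breaks once a user-defined chain exists.

# Constructed sample output: the three built-in filter chains plus one user-defined chain
# (LOGDROP), 5 rules in total. The layout mirrors what `iptables -n -L` prints.
SAMPLE_OUTPUT='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
LOGDROP    all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain LOGDROP (1 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
DROP       all  --  0.0.0.0/0            0.0.0.0/0'

# Upstream approach: total line count minus the 8 header/blank lines that the three
# built-in chains produce. Correct only when no other chain exists.
count_rules_fixed_offset() {
    local lines
    lines=$(printf '%s\n' "$1" | wc -l)
    echo $(( lines - 8 ))
}

# Filtering approach: discard chain headers, column headers and blank lines, so that
# every remaining line is one rule, whatever the chain layout.
count_rules_filtered() {
    printf '%s\n' "$1" | grep -Evc '^(Chain |target |[[:space:]]*$)' || true
}

# Nagios-style verdict mirroring the post's modified check: 0 (OK) when the live count
# equals the expected count, 2 (CRITICAL) otherwise.
rule_count_status() {
    local actual="$1" expected="$2"
    if [ "$actual" -eq "$expected" ]; then
        echo "OK - $actual rules loaded"
        return 0
    fi
    echo "CRITICAL - $actual rules loaded, expected $expected"
    return 2
}

# Demonstration run: the fixed offset reports 8 rules, the filter reports the real 5.
printf 'fixed-offset count: %s\n' "$(count_rules_fixed_offset "$SAMPLE_OUTPUT")"
printf 'filtered count:     %s\n' "$(count_rules_filtered "$SAMPLE_OUTPUT")"
```

With a rule baseline of 5, the fixed-offset count would raise a false CRITICAL as soon as the extra chain is loaded, while the filtered count stays correct; a plugin that feeds `rule_count_status` the filtered value therefore needs no manual adjustment of the -r baseline when chains are added.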
The attachment has been uploaded; it is below.