#!/bin/sh
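# check-iptables: Nagios plugin that counts the lines "iptables -L" prints for
# one chain and maps that count onto WARNING/CRITICAL minimum thresholds.
# Requires utils.sh (print_revision, support, STATE_*) next to this script.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
PROGNAME=${0##*/}
# Directory containing this script. Like the sed expression it replaces, this
# leaves "$0" untouched when it contains no slash at all.
PROGPATH=${0%/*}
# Digits/dots of the RCS keyword, e.g. "1.6".
REVISION=$(echo '$Revision: 1.6 $' | sed -e 's/[^0-9.]//g')
ARGS="$*"
. "$PROGPATH/utils.sh"
# iptables is invoked through sudo because listing rules normally needs root.
# NOTE(review): consider "$sudo -n" so a missing sudoers entry fails at once
# instead of waiting for a password the monitoring daemon can never supply.
iptables=/sbin/iptables
sudo=/usr/bin/sudo
# Defaults, overridable with -C/-t/-w/-c. Thresholds are minimum line counts:
# fewer than $critical lines -> CRITICAL, fewer than $warning -> WARNING.
chain=INPUT
table=filter
verbose=0
warning=1
critical=1
setup_sudo=0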
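# Print the one-line usage summaries to stdout.
# Uses printf rather than echo so $PROGNAME is never interpreted as an echo
# option or escape sequence under /bin/sh. Lists every option the parser
# accepts, not only -C/-t.
print_usage() {
  printf 'Usage: %s [-C CHAIN] [-t TABLE] [-w WARNING] [-c CRITICAL] [-v]\n' "$PROGNAME"
  printf 'Usage: %s --help\n' "$PROGNAME"
  printf 'Usage: %s --version\n' "$PROGNAME"
}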
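# Print revision, usage and option descriptions, then exit 0.
# Relies on print_revision and support from utils.sh.
# Documents -w/-c (accepted by the parser but previously undocumented) and
# the short aliases -h/-V; marks -S as inactive since setup_sudoers is
# commented out.
print_help() {
  print_revision "$PROGNAME" "$REVISION"
  echo ""
  print_usage
  echo ""
  echo "This plugin tests if iptables has needed amount of rules loaded"
  echo ""
  echo "-C CHAIN"
  echo " Chain to list. Default: $chain"
  echo "-t TABLE"
  echo " Table to list. Default: $table"
  echo "-w WARNING"
  echo " WARNING if fewer than WARNING lines are listed. Default: $warning"
  echo "-c CRITICAL"
  echo " CRITICAL if fewer than CRITICAL lines are listed. Default: $critical"
  echo "-S"
  echo " Install sudo rules (currently disabled: the sudoers setup code is commented out)"
  echo "-v"
  echo " Enable verbose run"
  echo "--help, -h"
  echo " Print this help screen"
  echo "--version, -V"
  echo " Print version and license information"
  echo ""
  support
  exit 0
}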
#setup_sudoers() {
# new=/etc/sudoers.$$.new
# umask 0227
# cat /etc/sudoers > $new
# cat >> $new <<-EOF
#
# # Lines matching CHECK_IPTABLES added by $0 $ARGS on $(date)
# User_Alias CHECK_IPTABLES=nagios
# CHECK_IPTABLES ALL=(root) NOPASSWD: $list_iptables
# EOF
#
# if visudo -c -f $new; then
# mv -f $new /etc/sudoers
# exit 0
# fi
# rm -f $new
# exit 1
#}
#
#list_iptables() {
# # if running as root, skip sudo
# [ "$(id -u)" != 0 ] || sudo=
#
# $sudo $list_iptables | grep -Fc /
#}
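# Abort with UNKNOWN when option $1 is not followed by a value.
# Called as: need_value "$@"  so that $# reflects the remaining arguments.
# Without this check a trailing "-C" would shift past the end of the
# argument list and silently leave the chain empty.
need_value() {
  if [ $# -lt 2 ]; then
    echo >&2 "Option $1 requires an argument"
    print_usage
    exit "${STATE_UNKNOWN:-3}"
  fi
}

# Abort with UNKNOWN unless option $1 is followed by a non-negative integer.
# -w/-c values are later compared with [ -lt ], which errors on anything else.
need_number() {
  need_value "$@"
  case "$2" in
    ''|*[!0-9]*)
      echo >&2 "Option $1 requires a non-negative integer, got: $2"
      print_usage
      exit "${STATE_UNKNOWN:-3}"
      ;;
  esac
}

# Parse the command line into the chain/table/threshold globals.
# --help/-h and --version/-V print and exit 0; anything unrecognised or
# malformed prints usage and exits with STATE_UNKNOWN (3 when utils.sh did
# not define it).
parse_args() {
  while [ $# -gt 0 ]; do
    case "$1" in
      --help|-h)
        print_help
        exit 0
        ;;
      --version|-V)
        print_revision "$PROGNAME" "$REVISION"
        exit 0
        ;;
      -v)
        verbose=1
        ;;
      -S)
        setup_sudo=1
        ;;
      -C)
        need_value "$@"
        chain=$2; shift
        ;;
      -t)
        need_value "$@"
        table=$2; shift
        ;;
      -w)
        need_number "$@"
        warning=$2; shift
        ;;
      -c)
        need_number "$@"
        critical=$2; shift
        ;;
      *)
        echo >&2 "Unknown argument: $1"
        print_usage
        exit "${STATE_UNKNOWN:-3}"
        ;;
    esac
    shift
  done
}
parse_args "$@"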
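rc=$STATE_UNKNOWN
#list_iptables="$sudo $iptables -n -t $table -L $chain"
#if [ "$setup_sudo" = 1 ]; then
# setup_sudoers
#fi
# NOTE: -S (setup_sudo) and -v (verbose) are parsed but have no effect here;
# the sudoers installer above is commented out.
#
# List the chain numerically (-n: no DNS/port lookups) and check the exit
# status instead of piping straight into wc: a sudo or iptables failure would
# otherwise be counted as "0 rules" and reported as CRITICAL instead of
# UNKNOWN. $sudo and $iptables stay unquoted on purpose, as in the original,
# so an emptied $sudo simply disappears from the command.
if ! listing=$($sudo $iptables -n -t "$table" -L "$chain"); then
  echo "UNKNOWN: $iptables -n -t $table -L $chain failed"
  exit "${rc:-3}"
fi
# wc -l counts every line iptables prints for the chain, its header lines
# included, so the thresholds apply to the listing's line count (unchanged
# from the original behaviour). An empty listing counts as 0, as before.
if [ -n "$listing" ]; then
  count=$(printf '%s\n' "$listing" | wc -l)
else
  count=0
fi
if [ "$count" -lt "$critical" ]; then
  rc=$STATE_CRITICAL
  state=CRITICAL
elif [ "$count" -lt "$warning" ]; then
  rc=$STATE_WARNING
  state=WARNING
else
  rc=$STATE_OK
  state=OK
fi
echo "$state: $count iptables rules in $chain chain of $table table"
exit "$rc"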