
Anyone have a good solution for doing checks on iptables to ensure that the appropriate rules are applied (and the service is running)? I am using Zenoss to monitor my environment.

Also, some of the rules in my chain that I want to check block traffic from specific networks, and as my Zenoss monitor is in a trusted network, doing just port monitoring will give false positives. Ideally I need a solution that reads and interprets the iptables process, and also gives some flexibility to an environment when the exact rules in the chain may change.

Thanks

wjimenez5271

3 Answers

1

Make a script that will dump the rules to a file (iptables -L or iptables-save) which it will then grep for the appropriate rules.

Note that you can restrict the output to just one table. You could also take the hash of the resulting file to detect deviations without messy greps or regular expressions.

Allen
  • That's an idea...in case the rules change I would like the check script to be able to still work...if I wanted to compare the output of iptables -L with the saved config that I use and then warn of any deviations, will grep be able to do that? Or should I use 'diff' – wjimenez5271 Aug 15 '11 at 19:01
  • You would use 'diff' for this. – cjc Aug 15 '11 at 19:11
  • Yes, `diff` will do the job. However, the hash method only works if you compare the hash to another hash. In this case, the hash of the saved configuration. – Allen Aug 16 '11 at 14:19
0

Save a known-good output somewhere out of the way as a read-only file.

Run a cron job daily to email you any non-empty diff of the output of iptables -L and the saved output.

Richard Holloway
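The cron-plus-diff approach above, combined with the grep check from the earlier answer, as a worked script. This is an added example, not code from any of the answers; the baseline path /etc/iptables/baseline.v4 and the script name are assumptions. One caveat the answers do not mention: iptables-save rewrites its timestamped header and footer comments on every run and emits packet/byte counters on chain headers, so a raw diff is never empty; the script strips those before comparing.

```shell
#!/bin/sh
# Cron check for iptables drift (example added to this thread, not from any answer).
# Assumes a baseline captured once with: iptables-save > /etc/iptables/baseline.v4
# and made read-only (chmod 444); that path is an assumption, not a distro default.

# iptables-save rewrites its "# Generated by" / "# Completed on" comments with the
# current time on every run, and chain headers carry [packets:bytes] counters, so
# a raw diff would never be empty. Strip those before comparing.
normalize_rules() {
    sed -e '/^# Generated by/d' -e '/^# Completed on/d' \
        -e 's/^\[[0-9]*:[0-9]*\] //' -e 's/ \[[0-9]*:[0-9]*\]$//'
}

# compare_rules BASELINE CURRENT: print a unified diff of the normalised rules.
# Returns 0 when they match, 1 on any deviation (added, removed or reordered rule).
compare_rules() {
    nb=$(mktemp) || return 2
    nc=$(mktemp) || return 2
    normalize_rules < "$1" > "$nb"
    normalize_rules < "$2" > "$nc"
    if diff -u "$nb" "$nc"; then rc=0; else rc=1; fi
    rm -f "$nb" "$nc"
    return $rc
}

# has_rule FILE RULE: 0 if the exact rule line is present, e.g. the DROP for a
# blocked network that port probes from a trusted monitor can never exercise.
has_rule() {
    normalize_rules < "$1" | grep -qxF -- "$2"
}

# check_live BASELINE: dump the live ruleset and compare it to the baseline.
# Returns 2 if iptables-save itself fails (firewall not loaded), 1 on drift.
check_live() {
    cur=$(mktemp) || return 2
    if ! iptables-save > "$cur"; then
        echo "iptables-save failed: firewall not running?" >&2
        rm -f "$cur"; return 2
    fi
    compare_rules "$1" "$cur"; rc=$?
    rm -f "$cur"
    return $rc
}

# Cron usage (cron mails any output): 0 6 * * * /usr/local/sbin/iptables-check --live /etc/iptables/baseline.v4
case "${1:-}" in
    --live) check_live "$2" ;;
esac
```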
-2

I use Webmin (http://www.webmin.com/) for checking iptables via a GUI. You can monitor quite a few things via webmin directly, including what rules are currently applied in iptables. In addition, you can add new rules with relative ease.

If you mean monitor which ports are open and closed as a result of iptables rules that are currently running, you could set up a Nagios box that queries specific ports to see if services are responding on opened ports.

Timothy
  • This is not helpful. One could have dynamic rules like rate-limit-rules you can't test with that method. And others only apply for a certain source IP range. There is more than on and off. – mailq Aug 15 '11 at 18:43
  • Thanks for the suggestion. I probably should have described the context a little more in my question. I have several rules in the chain that block traffic originating from certain networks, and that is the part I really want to make sure is working. If I were to try to monitor the ports, it would be a false positive because my Zenoss monitor is in a trusted network...I am looking for a solution that would work programmatically with the iptables chains on the server to verify they are correct and in place. – wjimenez5271 Aug 15 '11 at 18:51
  • @mailq, good call, just did – wjimenez5271 Aug 15 '11 at 19:04