[packages/nagios-plugin-check_iptables.git] / check_iptables.sh

#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

PROGNAME=${0##*/}
PROGPATH=`echo $0 | sed -e 's,[\\/][^\\/][^\\/]*$,,'`
VERSION=0.2
ARGS="$*"

. $PROGPATH/utils.sh

iptables=iptables
sudo=sudo
chain=INPUT
table=filter
verbose=0
warning=1
critical=1
setup_sudo=0

print_usage() {
    echo "Usage: $PROGNAME -C CHAIN -t TABLE"
    echo "Usage: $PROGNAME --help"
    echo "Usage: $PROGNAME --version"
}

print_help() {
	print_revision $PROGNAME $VERSION
	echo ""
	print_usage
	echo ""
	echo "This plugin tests if iptables has needed amount of rules loaded"
	echo ""

	echo "-C CHAIN"
	echo "   Chain to list. Default: $chain"
	echo "-t TABLE"
	echo "   Table to list. Default: $table"
	echo "-S"
	echo "   Install sudo rules"
	echo "-v"
	echo "   Enable verbose run"
	echo "--help"
	echo "   Print this help screen"
	echo "--version"
	echo "   Print version and license information"
	echo ""

	support
	exit 0
}

setup_sudoers() {
	new=/etc/sudoers.$$.new
	umask 0227
	cat /etc/sudoers > $new
	cat >> $new <<-EOF

	# Lines matching CHECK_IPTABLES added by $0 $ARGS on $(date)
	User_Alias CHECK_IPTABLES=nagios
	CHECK_IPTABLES ALL=(root) NOPASSWD: $list_iptables
	EOF

	if visudo -c -f $new; then
		mv -f $new /etc/sudoers
		exit 0
	fi
	rm -f $new
	exit 1
}

list_iptables() {
	# if running as root, skip sudo
	[ "$(id -u)" != 0 ] || sudo=

	$sudo $list_iptables | grep -Fc /
}

while [ $# -gt 0 ]; do
	case "$1" in
	--help)
		print_help
		exit 0
		;;

	-h)
		print_help
		exit 0
		;;

	--version)
		print_revision $PROGNAME $VERSION
		exit 0
		;;

	-V)
		print_revision $PROGNAME $VERSION
		exit 0
		;;

	-v)
		verbose=1
		;;

	-S)
		setup_sudo=1
		;;

	-C)
		chain=$2; shift
		;;

	-t)
		table=$2; shift
		;;

	-w)
		warning=$2; shift
		;;

	-c)
		critical=$2; shift
		;;

	*)
		echo >&2 "Unknown argument: $1"
		print_usage
		exit $STATE_UNKNOWN
		;;
	esac
	shift
done

rc=$STATE_UNKNOWN

list_iptables="$iptables -n -t $table -L $chain"

if [ "$setup_sudo" = 1 ]; then
	setup_sudoers
fi

count=$(list_iptables)
if [ "$count" -lt "$critical" ]; then
	rc=$STATE_CRITICAL
	state=CRITICAL
elif [ "$count" -lt "$warning" ]; then
	rc=$STATE_WARNING
	state=WARNING
else
	rc=$STATE_OK
	state=OK
fi

echo "$state: $count iptables rules in $chain chain of $table table"

exit $rc
Commit	Line	Data
ac1ff40f ER	1	#!/bin/sh
	2	PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
	3
f3708dd1	4	PROGNAME=${0##*/}
ac1ff40f	5	PROGPATH=`echo $0 \| sed -e 's,[\\/][^\\/][^\\/]*$,,'`
53b26018	6	VERSION=0.2
66c92905	7	ARGS="$*"
ac1ff40f ER	8
	9	. $PROGPATH/utils.sh
	10
164127df ER	11	iptables=iptables
164127df ER	12	sudo=sudo
ac1ff40f ER	13	chain=INPUT
	14	table=filter
	15	verbose=0
	16	warning=1
	17	critical=1
045c1338	18	setup_sudo=0
ac1ff40f ER	19
	20	print_usage() {
	21	echo "Usage: $PROGNAME -C CHAIN -t TABLE"
	22	echo "Usage: $PROGNAME --help"
	23	echo "Usage: $PROGNAME --version"
	24	}
	25
	26	print_help() {
53b26018	27	print_revision $PROGNAME $VERSION
ac1ff40f ER	28	echo ""
	29	print_usage
	30	echo ""
f3708dd1	31	echo "This plugin tests if iptables has needed amount of rules loaded"
ac1ff40f ER	32	echo ""
	33
	34	echo "-C CHAIN"
	35	echo " Chain to list. Default: $chain"
	36	echo "-t TABLE"
	37	echo " Table to list. Default: $table"
	38	echo "-S"
	39	echo " Install sudo rules"
	40	echo "-v"
	41	echo " Enable verbose run"
	42	echo "--help"
	43	echo " Print this help screen"
	44	echo "--version"
	45	echo " Print version and license information"
	46	echo ""
	47
	48	support
	49	exit 0
	50	}
	51
	52	setup_sudoers() {
	53	new=/etc/sudoers.$$.new
	54	umask 0227
	55	cat /etc/sudoers > $new
	56	cat >> $new <<-EOF
	57
66c92905	58	# Lines matching CHECK_IPTABLES added by $0 $ARGS on $(date)
ac1ff40f	59	User_Alias CHECK_IPTABLES=nagios
045c1338	60	CHECK_IPTABLES ALL=(root) NOPASSWD: $list_iptables
ac1ff40f ER	61	EOF
	62
	63	if visudo -c -f $new; then
	64	mv -f $new /etc/sudoers
	65	exit 0
	66	fi
f519d7e9	67	rm -f $new
ac1ff40f ER	68	exit 1
	69	}
	70
	71	list_iptables() {
045c1338 ER	72	# if running as root, skip sudo
	73	[ "$(id -u)" != 0 ] \|\| sudo=
	74
0fefbbed	75	$sudo $list_iptables \| grep -Fc /
ac1ff40f ER	76	}
	77
	78	while [ $# -gt 0 ]; do
	79	case "$1" in
	80	--help)
	81	print_help
	82	exit 0
	83	;;
	84
	85	-h)
	86	print_help
	87	exit 0
	88	;;
	89
	90	--version)
53b26018	91	print_revision $PROGNAME $VERSION
ac1ff40f ER	92	exit 0
	93	;;
	94
	95	-V)
53b26018	96	print_revision $PROGNAME $VERSION
ac1ff40f ER	97	exit 0
	98	;;
	99
	100	-v)
	101	verbose=1
	102	;;
	103
	104	-S)
045c1338	105	setup_sudo=1
ac1ff40f ER	106	;;
	107
	108	-C)
	109	chain=$2; shift
	110	;;
	111
	112	-t)
	113	table=$2; shift
	114	;;
	115
	116	-w)
	117	warning=$2; shift
	118	;;
	119
	120	-c)
	121	critical=$2; shift
	122	;;
	123
	124	*)
	125	echo >&2 "Unknown argument: $1"
	126	print_usage
	127	exit $STATE_UNKNOWN
	128	;;
	129	esac
	130	shift
	131	done
	132
ac1ff40f ER	133	rc=$STATE_UNKNOWN
ac1ff40f ER	134
0fefbbed	135	list_iptables="$iptables -n -t $table -L $chain"
045c1338 ER	136
	137	if [ "$setup_sudo" = 1 ]; then
	138	setup_sudoers
	139	fi
ac1ff40f ER	140
	141	count=$(list_iptables)
	142	if [ "$count" -lt "$critical" ]; then
	143	rc=$STATE_CRITICAL
	144	state=CRITICAL
	145	elif [ "$count" -lt "$warning" ]; then
	146	rc=$STATE_WARNING
	147	state=WARNING
	148	else
	149	rc=$STATE_OK
	150	state=OK
	151	fi
	152
	153	echo "$state: $count iptables rules in $chain chain of $table table"
	154
	155	exit $rc