The iptables plugin gathers packet and byte counters for rules within a given table and chain of the Linux iptables firewall.
Rules are identified by their associated comment; rules without a comment are ignored. The plugin needs a unique, stable ID for each rule, and the rule number is not one: it changes whenever rules are inserted or deleted, at start-up or by automatic tools (interactive firewalls, fail2ban, …). Also, once a rule set grows large (hundreds of lines), most people want to monitor only a small part of it.
Before using this plugin you must ensure that the rules you want to monitor are named with a unique comment. Comments are added with the iptables option:
-m comment --comment "my comment"
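As an added example (not the plugin's own code), the following Go program shows how counters can be keyed by rule comment the way the plugin does: it parses iptables -nvL -x output, keeps packets/bytes only for rules that carry a /* comment */ and drops the rest. The RuleCounter type, the ParseIptables function and the sample output are all constructed here, and exact counters (as printed with -x) are assumed.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// RuleCounter holds one commented rule's counters; the comment is its stable ID.
type RuleCounter struct {
	Chain, Comment string
	Pkts, Bytes    uint64
}

var ruleRe = regexp.MustCompile(`^\s*(\d+)\s+(\d+)\s+\S`) // exact pkts/bytes, as printed with -x
var commentRe = regexp.MustCompile(`/\*\s*(.*?)\s*\*/`)   // "/* my comment */" set by -m comment
// ParseIptables reads "iptables -nvL -x" output; uncommented rules are skipped as the plugin does.
func ParseIptables(output string) []RuleCounter {
	var rules []RuleCounter
	chain := ""
	for _, line := range strings.Split(output, "\n") {
		if strings.HasPrefix(line, "Chain ") {
			chain = strings.Fields(line)[1] // "Chain INPUT (policy DROP ...)" starts a chain block
			continue
		}
		m := ruleRe.FindStringSubmatch(line)
		if m == nil {
			continue // column header, or abbreviated counters ("12K") when -x is missing
		}
		c := commentRe.FindStringSubmatch(line)
		if c == nil {
			continue // no "-m comment": no stable ID, so the rule is not reported
		}
		pkts, _ := strconv.ParseUint(m[1], 10, 64) // \d+ already guarantees digits
		bytes, _ := strconv.ParseUint(m[2], 10, 64)
		rules = append(rules, RuleCounter{chain, c[1], pkts, bytes})
	}
	return rules
}

// Sample is constructed "iptables -nvL -x" output, not captured from a real host.
const Sample = "Chain INPUT (policy DROP 0 packets, 0 bytes)\n" +
	"    1520      98304 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* ssh */\n" +
	"       7        420 DROP       all  --  *      *       10.0.0.0/8           0.0.0.0/0\n" +
	"      42       3150 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* https */\n"

func main() {
	fmt.Printf("%+v\n", ParseIptables(Sample)) // one entry per commented rule
}
```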
The iptables command requires the CAP_NET_ADMIN and CAP_NET_RAW capabilities. There are several options for allowing the agent to run iptables:
- Run the agent as root. This is strongly discouraged.
- Configure systemd to run the agent with CAP_NET_ADMIN and CAP_NET_RAW. This is the simplest and recommended option.
- Configure sudo to allow the agent to run iptables. This is the most restrictive option, but it requires a sudo setup.
Using systemd capabilities
You may run
systemctl edit circonus-unified-agent.service
and add the following:
[Service]
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
Since the agent forks a process to run iptables, AmbientCapabilities is required so that the capabilities in the bounding set are passed on to the forked process.
Using sudo
You will need the following in your config:
[[inputs.iptables]]
use_sudo = true
You will also need to update your sudoers file:
$ visudo
# Add the following lines:
Cmnd_Alias IPTABLESSHOW = /usr/bin/iptables -nvL *
cua ALL=(root) NOPASSWD: IPTABLESSHOW
Defaults!IPTABLESSHOW !logfile, !syslog, !pam_session
The trailing * in the Cmnd_Alias lets sudo accept the arguments the agent appends (chain, table and options); the Defaults line keeps each periodic invocation out of the sudo log and skips PAM session setup for it.
Using IPtables lock feature
Defining multiple instances of this plugin in circonus-unified-agent.conf can lead to concurrent iptables access, resulting in "ERROR in input [inputs.iptables]: exit status 4" messages in the log and missing metrics. Setting use_lock = true in the plugin configuration runs iptables with the -w switch, which waits for the xtables lock instead of failing when another process holds it.
Configuration
[[inputs.iptables]]
# use sudo to run iptables
use_sudo = false
# run iptables with the lock option
use_lock = false
# Define an alternate executable, such as "ip6tables". Default is "iptables".
# binary = "ip6tables"
# defines the table to monitor:
table = "filter"
# defines the chains to monitor:
chains = [ "INPUT" ]