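#!/bin/bash
#
# Icinga Plugin: Firewall rules check compatible with iptables/firewalld/imunify360
# Destination: Internal servers
# Refactored from: check_fw.sh.internal
#
# Usage: check_a2_fw.sh.internal   (no arguments)
#
# Needs privileges to read the ruleset (root or CAP_NET_ADMIN); without them
# the plugin reports UNKNOWN instead of a misleading "rules missing" CRITICAL.
#
# Exit codes follow the Nagios/Icinga plugin API:
#   0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN (plugin could not perform the check)
#
# Checks performed:
#   * firewalld enabled  -> must be active, default zone target must be
#                           DROP/default, and at least MIN_FIREWALLD_RULES
#                           permanent rich rules must exist.
#   * otherwise (iptables) -> INPUT must default to DROP (or imunify360 must
#                           be blocking), DROP/REJECT rules must exist, and no
#                           relevant chain may be empty.

# -u: unset variables are bugs here; -o pipefail so "$(cmd | wc -l)" reports
# the failing stage's status. -e is deliberately NOT used: grep -c returns 1
# on a zero count and that must not abort the plugin.
set -u -o pipefail

# Minimum permanent firewalld rich rules expected
readonly MIN_FIREWALLD_RULES=3

# --- firewalld -------------------------------------------------------------
if systemctl -q is-enabled firewalld 2>/dev/null; then
  # Permanent rich rules, read offline so the count is available whether or
  # not the daemon is running (it is reported in the "not active" message too).
  NUM_FIREWALLD_RULES=$(firewall-offline-cmd --list-rich-rules 2>/dev/null | wc -l)

  if ! systemctl -q is-active firewalld; then
    echo "CRITICAL - Firewalld is enabled but not active, with $NUM_FIREWALLD_RULES rules"
    exit 2
  fi

  # Runtime queries need the daemon, so ask only once it is known to be active
  # (the original asked before the is-active check and leaked a dbus error).
  DEFAULT_ZONE=$(firewall-cmd --get-default-zone 2>/dev/null)
  # Target of the default zone from the permanent config; "target:" is printed
  # on its own line by --list-all.
  ZONE_TARGET=$(firewall-offline-cmd --zone="$DEFAULT_ZONE" --list-all 2>/dev/null \
    | awk '$1 == "target:" {print $2}')

  if [ -z "$DEFAULT_ZONE" ] || [ -z "$ZONE_TARGET" ]; then
    echo "UNKNOWN - unable to determine the default firewalld zone or its target"
    exit 3
  fi

  # Evaluated for whatever the default zone is: gating this on the zone name
  # would silently skip e.g. a "trusted" (ACCEPT) default zone, which is
  # exactly the "open to the world" case this check exists for.
  if [ "$ZONE_TARGET" != "default" ] && [ "$ZONE_TARGET" != "DROP" ]; then
    echo "CRITICAL - Firewalld is active but the zone target is not set to DROP or default (zone: $DEFAULT_ZONE, target: $ZONE_TARGET). May be open to the world!"
    exit 2
  fi

  if [ "$NUM_FIREWALLD_RULES" -lt "$MIN_FIREWALLD_RULES" ]; then
    echo "WARNING - Firewalld is active but has only $NUM_FIREWALLD_RULES rules (min: $MIN_FIREWALLD_RULES)"
    exit 1
  fi

  echo "OK - Firewalld is active with $NUM_FIREWALLD_RULES rules"
  exit 0
fi

# --- iptables --------------------------------------------------------------
# One snapshot of the whole ruleset: every check below reads from it, so the
# xtables lock is taken once and all counts refer to the same state.
if ! IPT_RULES=$(iptables -S 2>/dev/null); then
  echo "UNKNOWN - unable to read iptables rules (iptables missing or insufficient privileges)"
  exit 3
fi

# "-P INPUT DROP" => default policy; imunify360's blacklist chain is accepted
# as an alternative to a DROP policy.
IDRP=$(grep -c 'INPUT DROP' <<<"$IPT_RULES")
DRP=$(grep -cw 'DROP' <<<"$IPT_RULES")
REJ=$(grep -cw 'REJECT' <<<"$IPT_RULES")
IMUNIFY=$(grep -c 'imunify360_log_bl -j DROP' <<<"$IPT_RULES")

if [ "$IDRP" -eq 0 ] && [ "$IMUNIFY" -eq 0 ]; then
  echo "CRITICAL - Firewall rules not loaded, no default DROP policy!"
  exit 2
elif [ "$DRP" -eq 0 ] && [ "$REJ" -eq 0 ]; then
  echo "CRITICAL - Firewall DROP/REJECT rules missing!"
  exit 2
fi

# Chains come from the snapshot itself ("-P <builtin> <policy>" / "-N <user>")
# rather than from grepping 'Chain' in -nvL output, which a rule comment
# containing that word could fake. Skipped chains mirror the original
# exclusions: FORWARD, OUTPUT*, LOG_*, SOLUS* and anything imunify360-owned.
while IFS= read -r CHAIN; do
  case "$CHAIN" in
    FORWARD|OUTPUT*|LOG_*|SOLUS*|*imunify360*) continue ;;
  esac
  # Lines belonging to this chain: its -P/-N header plus one -A per rule,
  # i.e. the same count `iptables -S "$CHAIN" | wc -l` would give.
  CNT=$(awk -v chain="$CHAIN" '$2 == chain' <<<"$IPT_RULES" | wc -l)
  if [ "$CNT" -le 1 ]; then
    echo "CRITICAL - Firewall rules are missing! (chain $CHAIN is empty)"
    exit 2
  fi
done < <(awk '$1 == "-P" || $1 == "-N" {print $2}' <<<"$IPT_RULES")

echo "OK - Firewall is working properly!"
exit 0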