Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

github.com/retailnext/iptables_exporter

Package Overview
Dependencies
Alerts
File Explorer
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

github.com/retailnext/iptables_exporter

  • v0.1.0
  • Source
  • Go
  • Socket score

Version published
Created
Source

iptables_exporter

Prometheus exporter for iptables packet and byte counters, written in Go.

Usage

Required Permissions

Unfortunately, iptables-save (which this exporter uses) doesn't work without special permissions.

Including the following systemd [Service] options will allow this exporter to work without running it as root:

CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
AmbientCapabilities=CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW

Exported Metrics

This exporter is best used in conjunction with iptables rules that cause interesting traffic flows to be counted.

For example, on a Cassandra server, the following rules will record CQL, Thrift, and inter-node traffic:

$ cat /etc/iptables.rules
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 7000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9160 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7199 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9042 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 7000 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 9160 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 7199 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 9042 -j ACCEPT
COMMIT

Using this exporter, you can then collect packet and byte counts for each of those categories of traffic:

# HELP iptables_default_bytes_total iptables_exporter: Total bytes matching a chain's default policy.
# TYPE iptables_default_bytes_total counter
iptables_default_bytes_total{chain="FORWARD",policy="ACCEPT",table="filter"} 0
iptables_default_bytes_total{chain="FORWARD",policy="ACCEPT",table="mangle"} 0
iptables_default_bytes_total{chain="INPUT",policy="ACCEPT",table="filter"} 3.995502612e+09
iptables_default_bytes_total{chain="INPUT",policy="ACCEPT",table="mangle"} 3.0249135048e+10
iptables_default_bytes_total{chain="OUTPUT",policy="ACCEPT",table="filter"} 1.5769783643e+10
iptables_default_bytes_total{chain="OUTPUT",policy="ACCEPT",table="mangle"} 2.1481729166e+10
iptables_default_bytes_total{chain="POSTROUTING",policy="ACCEPT",table="mangle"} 2.1481729166e+10
iptables_default_bytes_total{chain="PREROUTING",policy="ACCEPT",table="mangle"} 3.0249135756e+10
# HELP iptables_default_packets_toal iptables_exporter: Total packets matching a chain's default policy.
# TYPE iptables_default_packets_toal counter
iptables_default_packets_toal{chain="FORWARD",policy="ACCEPT",table="filter"} 0
iptables_default_packets_toal{chain="FORWARD",policy="ACCEPT",table="mangle"} 0
iptables_default_packets_toal{chain="INPUT",policy="ACCEPT",table="filter"} 5.5426298e+07
iptables_default_packets_toal{chain="INPUT",policy="ACCEPT",table="mangle"} 1.48795042e+08
iptables_default_packets_toal{chain="OUTPUT",policy="ACCEPT",table="filter"} 5.6437034e+07
iptables_default_packets_toal{chain="OUTPUT",policy="ACCEPT",table="mangle"} 1.46199076e+08
iptables_default_packets_toal{chain="POSTROUTING",policy="ACCEPT",table="mangle"} 1.46199076e+08
iptables_default_packets_toal{chain="PREROUTING",policy="ACCEPT",table="mangle"} 1.48795045e+08
# HELP iptables_rule_bytes_total iptables_exporter: Total bytes matching a rule.
# TYPE iptables_rule_bytes_total counter
iptables_rule_bytes_total{chain="INPUT",rule="-p tcp -m tcp --dport 7000 -j ACCEPT",table="filter"} 1.5726563828e+10
iptables_rule_bytes_total{chain="INPUT",rule="-p tcp -m tcp --dport 7199 -j ACCEPT",table="filter"} 968212
iptables_rule_bytes_total{chain="INPUT",rule="-p tcp -m tcp --dport 9042 -j ACCEPT",table="filter"} 1.0526099958e+10
iptables_rule_bytes_total{chain="INPUT",rule="-p tcp -m tcp --dport 9160 -j ACCEPT",table="filter"} 0
iptables_rule_bytes_total{chain="OUTPUT",rule="-p tcp -m tcp --sport 7000 -j ACCEPT",table="filter"} 3.944347161e+09
iptables_rule_bytes_total{chain="OUTPUT",rule="-p tcp -m tcp --sport 7199 -j ACCEPT",table="filter"} 1.922188e+06
iptables_rule_bytes_total{chain="OUTPUT",rule="-p tcp -m tcp --sport 9042 -j ACCEPT",table="filter"} 1.765671261e+09
iptables_rule_bytes_total{chain="OUTPUT",rule="-p tcp -m tcp --sport 9160 -j ACCEPT",table="filter"} 0
# HELP iptables_rule_packets_total iptables_exporter: Total packets matching a rule.
# TYPE iptables_rule_packets_total counter
iptables_rule_packets_total{chain="INPUT",rule="-p tcp -m tcp --dport 7000 -j ACCEPT",table="filter"} 5.6296722e+07
iptables_rule_packets_total{chain="INPUT",rule="-p tcp -m tcp --dport 7199 -j ACCEPT",table="filter"} 10582
iptables_rule_packets_total{chain="INPUT",rule="-p tcp -m tcp --dport 9042 -j ACCEPT",table="filter"} 3.7061438e+07
iptables_rule_packets_total{chain="INPUT",rule="-p tcp -m tcp --dport 9160 -j ACCEPT",table="filter"} 0
iptables_rule_packets_total{chain="OUTPUT",rule="-p tcp -m tcp --sport 7000 -j ACCEPT",table="filter"} 5.5426875e+07
iptables_rule_packets_total{chain="OUTPUT",rule="-p tcp -m tcp --sport 7199 -j ACCEPT",table="filter"} 8351
iptables_rule_packets_total{chain="OUTPUT",rule="-p tcp -m tcp --sport 9042 -j ACCEPT",table="filter"} 3.4326805e+07
iptables_rule_packets_total{chain="OUTPUT",rule="-p tcp -m tcp --sport 9160 -j ACCEPT",table="filter"} 0
# HELP iptables_scrape_duration_seconds iptables_exporter: Duration of scraping iptables.
# TYPE iptables_scrape_duration_seconds gauge
iptables_scrape_duration_seconds 0.001509662
# HELP iptables_scrape_success iptables_exporter: Whether scraping iptables succeeded.
# TYPE iptables_scrape_success gauge
iptables_scrape_success 1

FAQs

Package last updated on 28 Jun 2018

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc