#!/bin/bash
# Check that there is some INPUT iptables and ip6tables rules loaded with DROP OR REJECT
# Check that there is no changes since last known state
# Required sudoers:
#    nagios ALL=NOPASSWD: /sbin/iptables-save
#    nagios ALL=NOPASSWD: /sbin/ip6tables-save

IPTABLES=/sbin/iptables-save
IP6TABLES=/sbin/ip6tables-save
CACHE_DIR=/var/lib/nagios/check_ee_iptables
TMP=`mktemp`

trap "rm -f $TMP" EXIT

opt_help=0
opt_ipv6=0
opt_init=0
opt_auto_init=0
opt_exclude=""

while getopts ":hi6ae:c:" opt; do
  case $opt in
    h)
        opt_help=1
      ;;
    i)
        opt_init=1
      ;;
    6)
        opt_ipv6=1
      ;;
    a)
        opt_auto_init=1
      ;;
    e)
        opt_exclude=$OPTARG
      ;;
    c)
        opt_chain=$OPTARG
      ;;
    \?)
      echo "Invalid option: -$OPTARG" >&2
      exit 1
      ;;
    :)
      echo "Option -$OPTARG requires an argument." >&2
      exit 1
      ;;
  esac
done

# Set default chain to INPUT if not define from command line
opt_chain=${opt_chain:-INPUT}

function get_v4_rules() {
    if [ -n "$opt_exclude" ]
    then
        sudo $IPTABLES | sed 's/^:\(.*\)\[.*$/:\1/' | grep -Ev '^# Generated|^# Completed|fail2ban|f2b-' | grep -Ev "$opt_exclude"
    else
        sudo $IPTABLES | sed 's/^:\(.*\)\[.*$/:\1/' | grep -Ev '^# Generated|^# Completed|fail2ban|f2b-'
    fi
}

function get_v6_rules() {
    if [ -n "$opt_exclude" ]
    then
        sudo $IP6TABLES | sed 's/^:\(.*\)\[.*$/:\1/' | grep -Ev '^# Generated|^# Completed|fail2ban|f2b-' | grep -Ev "$opt_exclude"
    else
        sudo $IP6TABLES | sed 's/^:\(.*\)\[.*$/:\1/' | grep -Ev '^# Generated|^# Completed|fail2ban|f2b-'
    fi
}

if [ $opt_help -eq 1 ]
then
    echo "check_ee_iptables [OPTIONS]"
    echo " -i: save current state"
    echo " -a: auto save current state if needed"
    echo " -h: display this helpfull message"
    echo " -6: check/save also ipv6 rules"
    echo " -c \"STRING\": string to define CHAIN on which REJECT or DROP must be define (arg passed to grep -Ev) Default: INPUT"
    echo " -e \"STRING\": string to exclude from ip(6)tables-save (arg passed to grep -Ev)"
    exit 0
fi


if [ ! -x $IPTABLES ]
then
    echo "CRITICAL: $IPTABLES not installed"
    exit 2
fi

if [ $opt_ipv6 -eq 1 ]
then
    if [ ! -x $IP6TABLES ]
    then
        echo "CRITICAL: $IP6TABLES not installed"
        exit 2
    fi
fi


if [ ! -d $CACHE_DIR ]
then
    err_msg=$(mkdir -p $CACHE_DIR 2>&1)
    if [ $? -ne 0 ]
    then
        echo "CRITICAL: unable to create cache dir $CACHE_DIR: $err_msg"
        exit 2
    fi
fi

if [ $opt_init -eq 1 ]
then

    get_v4_rules > $CACHE_DIR/iptables.state
    [ $opt_ipv6 -eq 1 ] && get_v6_rules > $CACHE_DIR/ip6tables.state
    exit 0
fi

# Check that there is at least one INPUT rule with DROP or REJECT
if [ `get_v4_rules | grep -Ec "${opt_chain}.*DROP|${opt_chain}.*REJECT"` -lt 1 ]
then
    echo "CRITICAL: no drop/reject iptables rules defined in $opt_chain"
    exit 2
fi

if [ $opt_ipv6 -eq 1 ]
then
    if [ `get_v6_rules | grep -Ec "${opt_chain}.*DROP|${opt_chain}.*REJECT"` -lt 1 ]
    then
        echo "CRITICAL: no drop/reject ip6tables rules defined in $opt_chain"
        exit 2
    fi
fi

# Check for changes

if [ $opt_auto_init -eq 1 ]
then
    [ -f $CACHE_DIR/iptables.state ] || get_v4_rules > $CACHE_DIR/iptables.state
fi

get_v4_rules > $TMP
cmp -s $CACHE_DIR/iptables.state $TMP
if [ $? -ne 0 ]
then
    echo "WARNING: iptables rules changed"
    diff -Naur $CACHE_DIR/iptables.state $TMP
    exit 1
fi

if [ $opt_ipv6 -eq 1 ]
then

    if [ $opt_auto_init -eq 1 ]
    then
        [ -f $CACHE_DIR/ip6tables.state ] || get_v6_rules > $CACHE_DIR/ip6tables.state
    fi

    get_v6_rules > $TMP
    cmp -s $CACHE_DIR/ip6tables.state $TMP
    if [ $? -ne 0 ]
    then
        echo "WARNING: ip6tables rules changed"
        diff -Naur $CACHE_DIR/ip6tables.state $TMP
        exit 1
    fi
fi

if [ $opt_ipv6 -eq 1 ]
then
    echo "OK: iptables and ip6tables rules loaded without changes"
else
    echo "OK: iptables rules loaded without changes"
fi
exit 0
