added the new option 'use_external_firewall' to disable the creation of the iptables rules in port.pm #262
parent
d06c496f96
commit
cfabc3ce41
87
lib/port.pm
87
lib/port.pm
@ -129,52 +129,59 @@ sub port_init {
|
||||||
logger("$myself: WARNING: 'max' option indicates less ports than really defined in 'list'.");
|
logger("$myself: WARNING: 'max' option indicates less ports than really defined in 'list'.");
|
||||||
}
|
}
|
||||||
|
|
||||||
if($config->{os} eq "Linux") {
|
# initialize to 'n' (default) the option 'use_external_firewall'
|
||||||
my $num;
|
if(!$port->{use_external_firewall}) {
|
||||||
my @line;
|
$port->{use_external_firewall} = "n";
|
||||||
|
}
|
||||||
|
|
||||||
# set the iptables rules for each defined port
|
if(lc($port->{use_external_firewall} || "") eq "n") {
|
||||||
my @pl = split(',', $port->{list});
|
if($config->{os} eq "Linux") {
|
||||||
for($n = 0; $n < min($port->{max}, scalar(@pl)); $n++) {
|
my $num;
|
||||||
$pl[$n] = trim($pl[$n]);
|
my @line;
|
||||||
my ($np) = ($pl[$n] =~ m/^(\d+).*?/);
|
|
||||||
|
|
||||||
if(!$port->{desc}->{$pl[$n]}) {
|
# set the iptables rules for each defined port
|
||||||
logger("$myself: port number '$np' listed but not defined.");
|
my @pl = split(',', $port->{list});
|
||||||
next;
|
for($n = 0; $n < min($port->{max}, scalar(@pl)); $n++) {
|
||||||
}
|
$pl[$n] = trim($pl[$n]);
|
||||||
# support for port range (i.e: 49152:65534)
|
my ($np) = ($pl[$n] =~ m/^(\d+).*?/);
|
||||||
if(index($pl[$n], ":") != -1) {
|
|
||||||
($np) = ($pl[$n] =~ m/^(\d+:\d+).*?/);
|
if(!$port->{desc}->{$pl[$n]}) {
|
||||||
}
|
logger("$myself: port number '$np' listed but not defined.");
|
||||||
if($pl[$n] && $np) {
|
|
||||||
my $p = trim(lc((split(',', $port->{desc}->{$pl[$n]}))[1])) || "";
|
|
||||||
if(! grep {$_ eq $p} ("tcp", "udp", "tcp6", "udp6")) {
|
|
||||||
logger("$myself: Invalid protocol name '$p' in port '$pl[$n]'.");
|
|
||||||
next;
|
next;
|
||||||
}
|
}
|
||||||
$cmd = "iptables" . $config->{iptables_wait_lock};
|
# support for port range (i.e: 49152:65534)
|
||||||
if(grep {$_ eq $p} ("tcp6", "udp6")) {
|
if(index($pl[$n], ":") != -1) {
|
||||||
if(lc($config->{ipv6_disabled} || "") eq "y") {
|
($np) = ($pl[$n] =~ m/^(\d+:\d+).*?/);
|
||||||
logger("$myself: IPv6 is explicitly disabled, you shouldn't want to monitor 'tcp6' or 'udp6' protocols.");
|
}
|
||||||
|
if($pl[$n] && $np) {
|
||||||
|
my $p = trim(lc((split(',', $port->{desc}->{$pl[$n]}))[1])) || "";
|
||||||
|
if(! grep {$_ eq $p} ("tcp", "udp", "tcp6", "udp6")) {
|
||||||
|
logger("$myself: Invalid protocol name '$p' in port '$pl[$n]'.");
|
||||||
next;
|
next;
|
||||||
}
|
}
|
||||||
$cmd = "ip6tables" . $config->{iptables_wait_lock};
|
$cmd = "iptables" . $config->{iptables_wait_lock};
|
||||||
$p =~ s/6//;
|
if(grep {$_ eq $p} ("tcp6", "udp6")) {
|
||||||
}
|
if(lc($config->{ipv6_disabled} || "") eq "y") {
|
||||||
my $conn = trim(lc((split(',', $port->{desc}->{$pl[$n]}))[2]));
|
logger("$myself: IPv6 is explicitly disabled, you shouldn't want to monitor 'tcp6' or 'udp6' protocols.");
|
||||||
if($conn eq "in" || $conn eq "in/out") {
|
next;
|
||||||
system("$cmd -t $table -N monitorix_IN_$n 2>/dev/null");
|
}
|
||||||
system("$cmd -t $table -I INPUT -p $p --sport 1024:65535 --dport $np -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j monitorix_IN_$n -c 0 0");
|
$cmd = "ip6tables" . $config->{iptables_wait_lock};
|
||||||
system("$cmd -t $table -I OUTPUT -p $p --sport $np --dport 1024:65535 -m conntrack --ctstate ESTABLISHED,RELATED -j monitorix_IN_$n -c 0 0");
|
$p =~ s/6//;
|
||||||
}
|
}
|
||||||
if($conn eq "out" || $conn eq "in/out") {
|
my $conn = trim(lc((split(',', $port->{desc}->{$pl[$n]}))[2]));
|
||||||
system("$cmd -t $table -N monitorix_OUT_$n 2>/dev/null");
|
if($conn eq "in" || $conn eq "in/out") {
|
||||||
system("$cmd -t $table -I INPUT -p $p --sport $np --dport 1024:65535 -m conntrack --ctstate ESTABLISHED,RELATED -j monitorix_OUT_$n -c 0 0");
|
system("$cmd -t $table -N monitorix_IN_$n 2>/dev/null");
|
||||||
system("$cmd -t $table -I OUTPUT -p $p --sport 1024:65535 --dport $np -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j monitorix_OUT_$n -c 0 0");
|
system("$cmd -t $table -I INPUT -p $p --sport 1024:65535 --dport $np -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j monitorix_IN_$n -c 0 0");
|
||||||
}
|
system("$cmd -t $table -I OUTPUT -p $p --sport $np --dport 1024:65535 -m conntrack --ctstate ESTABLISHED,RELATED -j monitorix_IN_$n -c 0 0");
|
||||||
if($conn ne "in" && $conn ne "out" && $conn ne "in/out") {
|
}
|
||||||
logger("$myself: Invalid connection type '$conn'; must be 'in', 'out' or 'in/out'.");
|
if($conn eq "out" || $conn eq "in/out") {
|
||||||
|
system("$cmd -t $table -N monitorix_OUT_$n 2>/dev/null");
|
||||||
|
system("$cmd -t $table -I INPUT -p $p --sport $np --dport 1024:65535 -m conntrack --ctstate ESTABLISHED,RELATED -j monitorix_OUT_$n -c 0 0");
|
||||||
|
system("$cmd -t $table -I OUTPUT -p $p --sport 1024:65535 --dport $np -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j monitorix_OUT_$n -c 0 0");
|
||||||
|
}
|
||||||
|
if($conn ne "in" && $conn ne "out" && $conn ne "in/out") {
|
||||||
|
logger("$myself: Invalid connection type '$conn'; must be 'in', 'out' or 'in/out'.");
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
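Review bot: The new guard `if(lc($port->{use_external_firewall} || "") eq "n")` only creates the iptables rules when the value is exactly 'n', so any other spelling a user might try ('no', '0', 'false') silently opts the host out of rule creation and the port graphs go flat with nothing in the log. Since the man page hunk documents the option as y/n with 'n' as the default, the safer form is to opt out only on an explicit 'y': `if(lc($port->{use_external_firewall} || "") ne "y") {`. An `else` branch with `logger("$myself: 'use_external_firewall' is set; expecting chains monitorix_IN_<n>/monitorix_OUT_<n> to be provided by the external firewall.");` would also make a deliberate opt-out visible when someone later wonders why no monitorix chains exist. port_init starts before this hunk, and the interpolated `system("$cmd -t $table ...")` rule commands inside it are unchanged by this commit.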
|
||||||
@ -2023,6 +2023,15 @@ This is the rule number that Monitorix will use when using the \fIipfw\fP comman
|
||||||
Default value: \fI24000\fP
|
Default value: \fI24000\fP
|
||||||
.RE
|
.RE
|
||||||
.P
|
.P
|
||||||
|
.BI use_external_firewall
|
||||||
|
.RS
|
||||||
|
By default, Monitorix creates a set of iptables rules to collect the amount of network activity that generates each port defined. This might be a problem for people using an external firewall that could eventually remove such iptables rules created by Monitorix. In these cases, you may want to set this option as \fIy\fP to tell Monitorix to not create such iptables rules, but expect that they will be already created by an external software.
|
||||||
|
.P
|
||||||
|
Keep in mind that the rule names created in your Firewall must coincide with the names that Monitorix expect to find for each network port. Familiarize yourself with the iptables rules created automatically by Monitorix before enabling this option.
|
||||||
|
.P
|
||||||
|
Default value: \fIn\fP
|
||||||
|
.RE
|
||||||
|
.P
|
||||||
.BI list
|
.BI list
|
||||||
.RS
|
.RS
|
||||||
You may define here up to \fBmax\fP network port numbers. If you need to monitor the same network port with TCP and UDP protocols, you can add your own suffix to the port number (e.g: 443t and 443u) in order to distinguish it from the double definition in the <desc> block. It also support port ranges (e.g: 49152:65534) to be able to monitor the traffic of a number of consecutive ports summarized on a unique graph.
|
You may define here up to \fBmax\fP network port numbers. If you need to monitor the same network port with TCP and UDP protocols, you can add your own suffix to the port number (e.g: 443t and 443u) in order to distinguish it from the double definition in the <desc> block. It also support port ranges (e.g: 49152:65534) to be able to monitor the traffic of a number of consecutive ports summarized on a unique graph.
|
||||||
|
|