telegraf/plugins/inputs/iptables/README.md

# Iptables Input Plugin

The iptables plugin gathers packets and bytes counters for rules within a set of table and chain from the Linux's iptables firewall.

Rules are identified through associated comment. **Rules without comment are ignored**.
Indeed we need a unique ID for the rule and the rule number is not a constant: it may vary when rules are inserted/deleted at start-up or by automatic tools (interactive firewalls, fail2ban, ...).
Also when the rule set is becoming big (hundreds of lines) most people are interested in monitoring only a small part of the rule set.

Before using this plugin **you must ensure that the rules you want to monitor are named with a unique comment**. Comments are added using the `-m comment --comment "my comment"` iptables options.

The iptables command requires CAP_NET_ADMIN and CAP_NET_RAW capabilities. You have several options to grant telegraf to run iptables:

* Run telegraf as root. This is strongly discouraged.
* Configure systemd to run telegraf with CAP_NET_ADMIN and CAP_NET_RAW. This is the simplest and recommended option.
* Configure sudo to grant telegraf to run iptables. This is the most restrictive option, but require sudo setup.

## Using systemd capabilities

You may run `systemctl edit telegraf.service` and add the following:

```shell
[Service]
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
```

Since telegraf will fork a process to run iptables, `AmbientCapabilities` is required to transmit the capabilities bounding set to the forked process.

## Using sudo

You will need the following in your telegraf config:

```toml
[[inputs.iptables]]
  use_sudo = true
```

You will also need to update your sudoers file:

```bash
$ visudo
# Add the following line:
Cmnd_Alias IPTABLESSHOW = /usr/bin/iptables -nvL *
telegraf  ALL=(root) NOPASSWD: IPTABLESSHOW
Defaults!IPTABLESSHOW !logfile, !syslog, !pam_session
```

## Using IPtables lock feature

Defining multiple instances of this plugin in telegraf.conf can lead to concurrent IPtables access resulting in "ERROR in input [inputs.iptables]: exit status 4" messages in telegraf.log and missing metrics. Setting 'use_lock = true' in the plugin configuration will run IPtables with the '-w' switch, allowing a lock usage to prevent this error.

## Configuration

```toml
# Gather packets and bytes throughput from iptables
[[inputs.iptables]]
  ## iptables require root access on most systems.
  ## Setting 'use_sudo' to true will make use of sudo to run iptables.
  ## Users must configure sudo to allow telegraf user to run iptables with no password.
  ## iptables can be restricted to only list command "iptables -nvL".
  use_sudo = false
  ## Setting 'use_lock' to true runs iptables with the "-w" option.
  ## Adjust your sudo settings appropriately if using this option ("iptables -w 5 -nvl")
  use_lock = false
  ## Define an alternate executable, such as "ip6tables". Default is "iptables".
  # binary = "ip6tables"
  ## defines the table to monitor:
  table = "filter"
  ## defines the chains to monitor.
  ## NOTE: iptables rules without a comment will not be monitored.
  ## Read the plugin documentation for more information.
  chains = [ "INPUT" ]
```

## Measurements & Fields

* iptables
  * pkts (integer, count)
  * bytes (integer, bytes)

## Tags

* All measurements have the following tags:
  * table
  * chain
  * ruleid

The `ruleid` is the comment associated to the rule.

## Example Output

```text
$ iptables -nvL INPUT
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
100   1024   ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:22 /* ssh */
 42   2048   ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:80 /* httpd */
```

```shell
$ ./telegraf --config telegraf.conf --input-filter iptables --test
iptables,table=filter,chain=INPUT,ruleid=ssh pkts=100i,bytes=1024i 1453831884664956455
iptables,table=filter,chain=INPUT,ruleid=httpd pkts=42i,bytes=2048i 1453831884664956455
```
fix(readmes): standarize first line of readmes (#7973) 2020-08-12 04:10:41 +08:00			`# Iptables Input Plugin`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00
			`The iptables plugin gathers packets and bytes counters for rules within a set of table and chain from the Linux's iptables firewall.`

Iptables input: document better the ignored rules behavior (#2482) During issue #2215 it was highlighted that the current behavior where rules without a comment are ignored is confusing for several users. This commit improves the documentation and adds a NOTE to the sample config to clarify the behavior for new users. 2017-03-02 17:58:26 +08:00			`Rules are identified through associated comment. Rules without comment are ignored.`
			`Indeed we need a unique ID for the rule and the rule number is not a constant: it may vary when rules are inserted/deleted at start-up or by automatic tools (interactive firewalls, fail2ban, ...).`
			`Also when the rule set is becoming big (hundreds of lines) most people are interested in monitoring only a small part of the rule set.`

			Before using this plugin you must ensure that the rules you want to monitor are named with a unique comment. Comments are added using the `-m comment --comment "my comment"` iptables options.
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00
			`The iptables command requires CAP_NET_ADMIN and CAP_NET_RAW capabilities. You have several options to grant telegraf to run iptables:`

			`* Run telegraf as root. This is strongly discouraged.`
			`* Configure systemd to run telegraf with CAP_NET_ADMIN and CAP_NET_RAW. This is the simplest and recommended option.`
			`* Configure sudo to grant telegraf to run iptables. This is the most restrictive option, but require sudo setup.`

chore: clean up all markdown lint errors for input plugins i through m (#10173) 2021-11-25 03:18:53 +08:00			`## Using systemd capabilities`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00
			You may run `systemctl edit telegraf.service` and add the following:

chore: clean up all markdown lint errors for input plugins i through m (#10173) 2021-11-25 03:18:53 +08:00			```shell
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00			`[Service]`
			`CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN`
			`AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN`
			```

			Since telegraf will fork a process to run iptables, `AmbientCapabilities` is required to transmit the capabilities bounding set to the forked process.

chore: clean up all markdown lint errors for input plugins i through m (#10173) 2021-11-25 03:18:53 +08:00			`## Using sudo`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00
Update sudo config recommendation (#5337) 2019-01-25 02:54:25 +08:00			`You will need the following in your telegraf config:`
chore: clean up all markdown lint errors for input plugins i through m (#10173) 2021-11-25 03:18:53 +08:00
Update sudo config recommendation (#5337) 2019-01-25 02:54:25 +08:00			```toml
			`[[inputs.iptables]]`
			`use_sudo = true`
			```

			`You will also need to update your sudoers file:`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00
Update sudo config recommendation (#5337) 2019-01-25 02:54:25 +08:00			```bash
			`$ visudo`
			`# Add the following line:`
			`Cmnd_Alias IPTABLESSHOW = /usr/bin/iptables -nvL *`
			`telegraf ALL=(root) NOPASSWD: IPTABLESSHOW`
			`Defaults!IPTABLESSHOW !logfile, !syslog, !pam_session`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00			```

chore: clean up all markdown lint errors for input plugins i through m (#10173) 2021-11-25 03:18:53 +08:00			`## Using IPtables lock feature`
Add lock option to the IPtables input plugin (#2201) * Update README.md * Add lock support to the IPtables input plugin * Update iptables.go Doc cleaning 2017-02-01 22:37:18 +08:00
			`Defining multiple instances of this plugin in telegraf.conf can lead to concurrent IPtables access resulting in "ERROR in input [inputs.iptables]: exit status 4" messages in telegraf.log and missing metrics. Setting 'use_lock = true' in the plugin configuration will run IPtables with the '-w' switch, allowing a lock usage to prevent this error.`

chore: clean up all markdown lint errors for input plugins i through m (#10173) 2021-11-25 03:18:53 +08:00			`## Configuration`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00
			```toml
feat: migrate input plugins to new sample config format (A-L) (#10924) 2022-04-08 06:01:21 +08:00			`# Gather packets and bytes throughput from iptables`
			`[[inputs.iptables]]`
			`## iptables require root access on most systems.`
			`## Setting 'use_sudo' to true will make use of sudo to run iptables.`
			`## Users must configure sudo to allow telegraf user to run iptables with no password.`
			`## iptables can be restricted to only list command "iptables -nvL".`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00			`use_sudo = false`
feat: migrate input plugins to new sample config format (A-L) (#10924) 2022-04-08 06:01:21 +08:00			`## Setting 'use_lock' to true runs iptables with the "-w" option.`
			`## Adjust your sudo settings appropriately if using this option ("iptables -w 5 -nvl")`
Add lock option to the IPtables input plugin (#2201) * Update README.md * Add lock support to the IPtables input plugin * Update iptables.go Doc cleaning 2017-02-01 22:37:18 +08:00			`use_lock = false`
feat: migrate input plugins to new sample config format (A-L) (#10924) 2022-04-08 06:01:21 +08:00			`## Define an alternate executable, such as "ip6tables". Default is "iptables".`
Allow alternate binaries for iptables input plugin. (#4682) 2018-09-13 02:47:45 +08:00			`# binary = "ip6tables"`
feat: migrate input plugins to new sample config format (A-L) (#10924) 2022-04-08 06:01:21 +08:00			`## defines the table to monitor:`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00			`table = "filter"`
feat: migrate input plugins to new sample config format (A-L) (#10924) 2022-04-08 06:01:21 +08:00			`## defines the chains to monitor.`
			`## NOTE: iptables rules without a comment will not be monitored.`
			`## Read the plugin documentation for more information.`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00			`chains = [ "INPUT" ]`
			```

chore: clean up all markdown lint errors for input plugins i through m (#10173) 2021-11-25 03:18:53 +08:00			`## Measurements & Fields`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00
chore: clean up all markdown lint errors for input plugins i through m (#10173) 2021-11-25 03:18:53 +08:00			`* iptables`
			`* pkts (integer, count)`
			`* bytes (integer, bytes)`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00
chore: clean up all markdown lint errors for input plugins i through m (#10173) 2021-11-25 03:18:53 +08:00			`## Tags`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00
chore: clean up all markdown lint errors for input plugins i through m (#10173) 2021-11-25 03:18:53 +08:00			`* All measurements have the following tags:`
			`* table`
			`* chain`
			`* ruleid`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00
			The `ruleid` is the comment associated to the rule.

chore: clean up all markdown lint errors for input plugins i through m (#10173) 2021-11-25 03:18:53 +08:00			`## Example Output`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00
chore: clean up all markdown lint errors for input plugins i through m (#10173) 2021-11-25 03:18:53 +08:00			```text
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00			`$ iptables -nvL INPUT`
			`Chain INPUT (policy DROP 0 packets, 0 bytes)`
			`pkts bytes target prot opt in out source destination`
			`100 1024 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpt:22 /* ssh */`
			`42 2048 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpt:80 /* httpd */`
			```

chore: clean up all markdown lint errors for input plugins i through m (#10173) 2021-11-25 03:18:53 +08:00			```shell
Fix telegraf example arguments (#2788) Many of the examples provided within documentation are using a single dash for the command line arguments, but the telegraf executable explicitly has two dashes. There are also some inconsistencies with the ordering of the command line argument examples. I've ordered them so that the examples will show: config, config-directory, input-filter, test 2017-05-13 06:22:29 +08:00			`$ ./telegraf --config telegraf.conf --input-filter iptables --test`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00			`iptables,table=filter,chain=INPUT,ruleid=ssh pkts=100i,bytes=1024i 1453831884664956455`
			`iptables,table=filter,chain=INPUT,ruleid=httpd pkts=42i,bytes=2048i 1453831884664956455`
			```