telegraf/plugins/inputs/iptables/README.md

# Iptables Input Plugin

The iptables plugin gathers packets and bytes counters for rules within a set
of table and chain from the Linux's iptables firewall.

Rules are identified through associated comment. **Rules without comment are
ignored**.  Indeed we need a unique ID for the rule and the rule number is not
a constant: it may vary when rules are inserted/deleted at start-up or by
automatic tools (interactive firewalls, fail2ban, ...).  Also when the rule set
is becoming big (hundreds of lines) most people are interested in monitoring
only a small part of the rule set.

Before using this plugin **you must ensure that the rules you want to monitor
are named with a unique comment**. Comments are added using the `-m comment
--comment "my comment"` iptables options.

The iptables command requires CAP_NET_ADMIN and CAP_NET_RAW capabilities. You
have several options to grant telegraf to run iptables:

* Run telegraf as root. This is strongly discouraged.
* Configure systemd to run telegraf with CAP_NET_ADMIN and CAP_NET_RAW. This is
  the simplest and recommended option.
* Configure sudo to grant telegraf to run iptables. This is the most
  restrictive option, but require sudo setup.

## Using systemd capabilities

You may run `systemctl edit telegraf.service` and add the following:

```shell
[Service]
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
```

Since telegraf will fork a process to run iptables, `AmbientCapabilities` is
required to transmit the capabilities bounding set to the forked process.

## Using sudo

You will need the following in your telegraf config:

```toml
[[inputs.iptables]]
  use_sudo = true
```

You will also need to update your sudoers file:

```bash
$ visudo
# Add the following line:
Cmnd_Alias IPTABLESSHOW = /usr/bin/iptables -nvL *
telegraf  ALL=(root) NOPASSWD: IPTABLESSHOW
Defaults!IPTABLESSHOW !logfile, !syslog, !pam_session
```

## Using IPtables lock feature

Defining multiple instances of this plugin in telegraf.conf can lead to
concurrent IPtables access resulting in "ERROR in input [inputs.iptables]: exit
status 4" messages in telegraf.log and missing metrics. Setting 'use_lock =
true' in the plugin configuration will run IPtables with the '-w' switch,
allowing a lock usage to prevent this error.

## Global configuration options <!-- @/docs/includes/plugin_config.md -->

In addition to the plugin-specific configuration settings, plugins support
additional global and plugin configuration settings. These settings are used to
modify metrics, tags, and field or create aliases and configure ordering, etc.
See the [CONFIGURATION.md][CONFIGURATION.md] for more details.

[CONFIGURATION.md]: ../../../docs/CONFIGURATION.md#plugins

## Configuration

```toml @sample.conf
# Gather packets and bytes throughput from iptables
# This plugin ONLY supports Linux
[[inputs.iptables]]
  ## iptables require root access on most systems.
  ## Setting 'use_sudo' to true will make use of sudo to run iptables.
  ## Users must configure sudo to allow telegraf user to run iptables with
  ## no password.
  ## iptables can be restricted to only list command "iptables -nvL".
  use_sudo = false
  ## Setting 'use_lock' to true runs iptables with the "-w" option.
  ## Adjust your sudo settings appropriately if using this option
  ## ("iptables -w 5 -nvl")
  use_lock = false
  ## Define an alternate executable, such as "ip6tables". Default is "iptables".
  # binary = "ip6tables"
  ## defines the table to monitor:
  table = "filter"
  ## defines the chains to monitor.
  ## NOTE: iptables rules without a comment will not be monitored.
  ## Read the plugin documentation for more information.
  chains = [ "INPUT" ]
```

## Metrics

### Measurements & Fields

* iptables
  * pkts (integer, count)
  * bytes (integer, bytes)

### Tags

* All measurements have the following tags:
  * table
  * chain
  * ruleid

The `ruleid` is the comment associated to the rule.

## Example Output

```shell
iptables -nvL INPUT
```

```text
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
100   1024   ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:22 /* ssh */
 42   2048   ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:80 /* httpd */
```

```text
iptables,table=filter,chain=INPUT,ruleid=ssh pkts=100i,bytes=1024i 1453831884664956455
iptables,table=filter,chain=INPUT,ruleid=httpd pkts=42i,bytes=2048i 1453831884664956455
```
fix(readmes): standarize first line of readmes (#7973) 2020-08-12 04:10:41 +08:00			`# Iptables Input Plugin`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00
chore: Markdown fixes for inputs/[a-m]* (#11606) 2022-08-10 00:57:31 +08:00			`The iptables plugin gathers packets and bytes counters for rules within a set`
			`of table and chain from the Linux's iptables firewall.`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00
chore: Fix readme linter errors for input plugins E-L (#11214) 2022-06-08 05:37:08 +08:00			`Rules are identified through associated comment. **Rules without comment are`
chore: Markdown fixes for inputs/[a-m]* (#11606) 2022-08-10 00:57:31 +08:00			`ignored**. Indeed we need a unique ID for the rule and the rule number is not`
			`a constant: it may vary when rules are inserted/deleted at start-up or by`
chore: Fix readme linter errors for input plugins E-L (#11214) 2022-06-08 05:37:08 +08:00			`automatic tools (interactive firewalls, fail2ban, ...). Also when the rule set`
			`is becoming big (hundreds of lines) most people are interested in monitoring`
			`only a small part of the rule set.`
Iptables input: document better the ignored rules behavior (#2482) During issue #2215 it was highlighted that the current behavior where rules without a comment are ignored is confusing for several users. This commit improves the documentation and adds a NOTE to the sample config to clarify the behavior for new users. 2017-03-02 17:58:26 +08:00
chore: Fix readme linter errors for input plugins E-L (#11214) 2022-06-08 05:37:08 +08:00			`Before using this plugin **you must ensure that the rules you want to monitor`
			are named with a unique comment**. Comments are added using the `-m comment
			--comment "my comment"` iptables options.
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00
chore: Fix readme linter errors for input plugins E-L (#11214) 2022-06-08 05:37:08 +08:00			`The iptables command requires CAP_NET_ADMIN and CAP_NET_RAW capabilities. You`
			`have several options to grant telegraf to run iptables:`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00
			`* Run telegraf as root. This is strongly discouraged.`
chore: Fix readme linter errors for input plugins E-L (#11214) 2022-06-08 05:37:08 +08:00			`* Configure systemd to run telegraf with CAP_NET_ADMIN and CAP_NET_RAW. This is`
			`the simplest and recommended option.`
chore: Markdown fixes for inputs/[a-m]* (#11606) 2022-08-10 00:57:31 +08:00			`* Configure sudo to grant telegraf to run iptables. This is the most`
			`restrictive option, but require sudo setup.`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00
chore: clean up all markdown lint errors for input plugins i through m (#10173) 2021-11-25 03:18:53 +08:00			`## Using systemd capabilities`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00
			You may run `systemctl edit telegraf.service` and add the following:

chore: clean up all markdown lint errors for input plugins i through m (#10173) 2021-11-25 03:18:53 +08:00			```shell
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00			`[Service]`
			`CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN`
			`AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN`
			```

chore: Markdown fixes for inputs/[a-m]* (#11606) 2022-08-10 00:57:31 +08:00			Since telegraf will fork a process to run iptables, `AmbientCapabilities` is
			`required to transmit the capabilities bounding set to the forked process.`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00
chore: clean up all markdown lint errors for input plugins i through m (#10173) 2021-11-25 03:18:53 +08:00			`## Using sudo`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00
Update sudo config recommendation (#5337) 2019-01-25 02:54:25 +08:00			`You will need the following in your telegraf config:`
chore: clean up all markdown lint errors for input plugins i through m (#10173) 2021-11-25 03:18:53 +08:00
Update sudo config recommendation (#5337) 2019-01-25 02:54:25 +08:00			```toml
			`[[inputs.iptables]]`
			`use_sudo = true`
			```

			`You will also need to update your sudoers file:`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00
Update sudo config recommendation (#5337) 2019-01-25 02:54:25 +08:00			```bash
			`$ visudo`
			`# Add the following line:`
			`Cmnd_Alias IPTABLESSHOW = /usr/bin/iptables -nvL *`
			`telegraf ALL=(root) NOPASSWD: IPTABLESSHOW`
			`Defaults!IPTABLESSHOW !logfile, !syslog, !pam_session`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00			```

chore: clean up all markdown lint errors for input plugins i through m (#10173) 2021-11-25 03:18:53 +08:00			`## Using IPtables lock feature`
Add lock option to the IPtables input plugin (#2201) * Update README.md * Add lock support to the IPtables input plugin * Update iptables.go Doc cleaning 2017-02-01 22:37:18 +08:00
chore: Fix readme linter errors for input plugins E-L (#11214) 2022-06-08 05:37:08 +08:00			`Defining multiple instances of this plugin in telegraf.conf can lead to`
			`concurrent IPtables access resulting in "ERROR in input [inputs.iptables]: exit`
			`status 4" messages in telegraf.log and missing metrics. Setting 'use_lock =`
			`true' in the plugin configuration will run IPtables with the '-w' switch,`
			`allowing a lock usage to prevent this error.`
Add lock option to the IPtables input plugin (#2201) * Update README.md * Add lock support to the IPtables input plugin * Update iptables.go Doc cleaning 2017-02-01 22:37:18 +08:00
docs: add global configuration header (#12107) 2022-10-27 03:58:36 +08:00			`## Global configuration options <!-- @/docs/includes/plugin_config.md -->`

			`In addition to the plugin-specific configuration settings, plugins support`
			`additional global and plugin configuration settings. These settings are used to`
			`modify metrics, tags, and field or create aliases and configure ordering, etc.`
			`See the [CONFIGURATION.md][CONFIGURATION.md] for more details.`

feat(tools/readme_linter): Check for global configuration section (#12426) 2023-01-12 23:55:21 +08:00			`[CONFIGURATION.md]: ../../../docs/CONFIGURATION.md#plugins`
docs: add global configuration header (#12107) 2022-10-27 03:58:36 +08:00
chore: clean up all markdown lint errors for input plugins i through m (#10173) 2021-11-25 03:18:53 +08:00			`## Configuration`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00
chore: Embed sample configurations into README for inputs (#11136) 2022-05-24 21:49:47 +08:00			```toml @sample.conf
feat: migrate input plugins to new sample config format (A-L) (#10924) 2022-04-08 06:01:21 +08:00			`# Gather packets and bytes throughput from iptables`
chore: Document linux only plugins (part 1) (#12764) 2023-03-02 05:21:14 +08:00			`# This plugin ONLY supports Linux`
feat: migrate input plugins to new sample config format (A-L) (#10924) 2022-04-08 06:01:21 +08:00			`[[inputs.iptables]]`
			`## iptables require root access on most systems.`
			`## Setting 'use_sudo' to true will make use of sudo to run iptables.`
chore: Markdown fixes for inputs/[a-m]* (#11606) 2022-08-10 00:57:31 +08:00			`## Users must configure sudo to allow telegraf user to run iptables with`
			`## no password.`
feat: migrate input plugins to new sample config format (A-L) (#10924) 2022-04-08 06:01:21 +08:00			`## iptables can be restricted to only list command "iptables -nvL".`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00			`use_sudo = false`
feat: migrate input plugins to new sample config format (A-L) (#10924) 2022-04-08 06:01:21 +08:00			`## Setting 'use_lock' to true runs iptables with the "-w" option.`
chore: Markdown fixes for inputs/[a-m]* (#11606) 2022-08-10 00:57:31 +08:00			`## Adjust your sudo settings appropriately if using this option`
			`## ("iptables -w 5 -nvl")`
Add lock option to the IPtables input plugin (#2201) * Update README.md * Add lock support to the IPtables input plugin * Update iptables.go Doc cleaning 2017-02-01 22:37:18 +08:00			`use_lock = false`
feat: migrate input plugins to new sample config format (A-L) (#10924) 2022-04-08 06:01:21 +08:00			`## Define an alternate executable, such as "ip6tables". Default is "iptables".`
Allow alternate binaries for iptables input plugin. (#4682) 2018-09-13 02:47:45 +08:00			`# binary = "ip6tables"`
feat: migrate input plugins to new sample config format (A-L) (#10924) 2022-04-08 06:01:21 +08:00			`## defines the table to monitor:`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00			`table = "filter"`
feat: migrate input plugins to new sample config format (A-L) (#10924) 2022-04-08 06:01:21 +08:00			`## defines the chains to monitor.`
			`## NOTE: iptables rules without a comment will not be monitored.`
			`## Read the plugin documentation for more information.`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00			`chains = [ "INPUT" ]`
			```

docs: Update all readme to pass linter (#12615) 2023-02-09 18:04:41 +08:00			`## Metrics`

			`### Measurements & Fields`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00
chore: clean up all markdown lint errors for input plugins i through m (#10173) 2021-11-25 03:18:53 +08:00			`* iptables`
			`* pkts (integer, count)`
			`* bytes (integer, bytes)`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00
docs: Update all readme to pass linter (#12615) 2023-02-09 18:04:41 +08:00			`### Tags`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00
chore: clean up all markdown lint errors for input plugins i through m (#10173) 2021-11-25 03:18:53 +08:00			`* All measurements have the following tags:`
			`* table`
			`* chain`
			`* ruleid`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00
			The `ruleid` is the comment associated to the rule.

chore: clean up all markdown lint errors for input plugins i through m (#10173) 2021-11-25 03:18:53 +08:00			`## Example Output`
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00
chore: Update README.md (#12989) 2023-04-04 19:43:49 +08:00			```shell
			`iptables -nvL INPUT`
			```

chore: clean up all markdown lint errors for input plugins i through m (#10173) 2021-11-25 03:18:53 +08:00			```text
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00			`Chain INPUT (policy DROP 0 packets, 0 bytes)`
			`pkts bytes target prot opt in out source destination`
			`100 1024 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpt:22 /* ssh */`
			`42 2048 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpt:80 /* httpd */`
			```

chore: Update README.md (#12989) 2023-04-04 19:43:49 +08:00			```text
Add new iptables plugin The iptables plugin aims at monitoring bytes and packet counters matching a given set of iptables rules. Typically the user would set a dedicated monitoring chain into a given iptables table, and add the rules to monitor to this chain. The plugin will allow to focus on the counters for this particular table/chain. closes #1471 2016-07-06 05:15:54 +08:00			`iptables,table=filter,chain=INPUT,ruleid=ssh pkts=100i,bytes=1024i 1453831884664956455`
			`iptables,table=filter,chain=INPUT,ruleid=httpd pkts=42i,bytes=2048i 1453831884664956455`
			```