From 802da30b9b500aa7b4549373871eb922ad0a2d52 Mon Sep 17 00:00:00 2001
From: Richard Allen <ra@ra.is>
Date: Wed, 21 Dec 2016 10:17:12 +0000
Subject: [PATCH] Initial commit of check_firewall_active

---
 .../check_firewall_active.sh                  | 23 +++++++++++++++++++
 .../nrpe.d/check_firewall_active.cfg          |  3 +++
 .../sudoers.d/check_firewall_active           |  2 ++
 3 files changed, 28 insertions(+)
 create mode 100755 check_firewall_active/check_firewall_active.sh
 create mode 100644 check_firewall_active/nrpe.d/check_firewall_active.cfg
 create mode 100644 check_firewall_active/sudoers.d/check_firewall_active

diff --git a/check_firewall_active/check_firewall_active.sh b/check_firewall_active/check_firewall_active.sh
new file mode 100755
index 0000000..4b6fd50
--- /dev/null
+++ b/check_firewall_active/check_firewall_active.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+EXIT_OK=0
+EXIT_WARN=1
+EXIT_CRIT=2
+
+PATH=/sbin:/usr/sbin:$PATH
+
+if [ "$(id -u)" != "0" ]; then
+	echo "This script must be run as root" 1>&2
+	exit $EXIT_CRIT
+fi
+
+blocks=$(iptables -L -v -n | egrep 'REJECT|DROP' | wc -l)
+
+if [ $blocks -eq 0 ]; then
+	echo "CRITICAL: No firewall detected"
+	exit $EXIT_CRIT
+fi
+
+echo "OK: Firewall is active"
+exit $EXIT_OK
+
diff --git a/check_firewall_active/nrpe.d/check_firewall_active.cfg b/check_firewall_active/nrpe.d/check_firewall_active.cfg
new file mode 100644
index 0000000..44a13bc
--- /dev/null
+++ b/check_firewall_active/nrpe.d/check_firewall_active.cfg
@@ -0,0 +1,3 @@
+
+
+command[check_firewall_active]=sudo /usr/lib/nagios/plugins/check_firewall_active.sh
diff --git a/check_firewall_active/sudoers.d/check_firewall_active b/check_firewall_active/sudoers.d/check_firewall_active
new file mode 100644
index 0000000..6e5008a
--- /dev/null
+++ b/check_firewall_active/sudoers.d/check_firewall_active
@@ -0,0 +1,2 @@
+Defaults:nrpe	!requiretty
+nrpe		ALL = (root) NOPASSWD: /usr/lib/nagios/plugins/check_firewall_active.sh