IPtables is a utility that allows users to configure the IP packet filter rules of the Linux kernel firewall, implemented as different Netfilter modules. The filters are organized in different tables, which contain chains of rules for how to treat network traffic packets.
Why use the IPtables Telegraf Plugin?
Linux kernels come with a packet-filtering framework called Netfilter, which lets you allow, drop, and modify traffic coming into and going out of a system; the iptables utility is the user-space tool for configuring it. The IPtables Telegraf Plugin lets you do bandwidth monitoring by collecting the number of packets and the amount of data that pass through the rules. The flexibility and power of iptables allow for more complex monitoring scenarios: you can create rules that track not only different subnets but also specific ports and protocols, which lets you see exactly how much of each customer's traffic is web, email, file sharing, etc.
How to monitor IPtables using the Telegraf plugin
The IPtables Telegraf Plugin gathers packet and byte counters for rules within a configured set of tables and chains of the Linux iptables firewall.
Rules are identified by their associated comment; rules without a comment are ignored. A unique ID is needed for each rule, and the rule number is not constant: it may change when rules are inserted or deleted at start-up or by automatic tools (interactive firewalls, fail2ban, ...). Also, when the rule set becomes large (hundreds of lines), most people are interested in monitoring only a small part of it.
Before using this plugin, you must ensure that the rules you want to monitor are named with a unique comment. Comments are added using the -m comment --comment "my comment" iptables options.
The iptables command requires the CAP_NET_RAW capability. You have several options to allow telegraf to run iptables:
- Run telegraf as root. This is strongly discouraged.
- Configure systemd to run telegraf with CAP_NET_RAW. This is the simplest and recommended option.
- Configure sudo to grant telegraf to run iptables. This is the most restrictive option, but requires sudo setup.
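To make concrete how rules are identified by comment rather than by position, here is an added example (not the plugin's own code) that parses the output of iptables -nvL -x for a chain and keeps only commented rules. The sample output is constructed; the rule comments "ssh" and "dns" and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample of `iptables -nvL INPUT -t filter -x` output (not real
# data). -x prints exact counters instead of K/M/G-suffixed values, so the
# numbers can be parsed as plain integers. Running the real command needs
# CAP_NET_RAW, as described above; this script never calls iptables itself.
SAMPLE_IPTABLES_OUTPUT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     123    45678 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* ssh */
       0        0 DROP       all  --  *      *       10.0.0.0/8           0.0.0.0/0
      42     3100 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* dns */'

# parse_counters: read iptables -nvL -x output on stdin and print one
# tab-separated line per commented rule: "<pkts>\t<bytes>\t<ruleid>".
# Rules without a /* comment */ are skipped, just as the plugin ignores them,
# so inserting or deleting a rule elsewhere in the chain does not change
# which counters are attributed to "ssh" or "dns".
parse_counters() {
  awk '
    /^Chain / || /^ *pkts +bytes/ { next }      # skip chain and column headers
    match($0, /\/\* .* \*\//) {
      id = substr($0, RSTART + 3, RLENGTH - 6)  # text between "/* " and " */"
      print $1 "\t" $2 "\t" id
    }
  '
}

# counter_for <pkts|bytes> <ruleid>: look up one counter for one rule id
# from the sample output; prints nothing if the rule id is not commented.
counter_for() {
  field=$1
  id=$2
  printf '%s\n' "$SAMPLE_IPTABLES_OUTPUT" | parse_counters |
    awk -F'\t' -v id="$id" -v f="$field" '
      $3 == id { v = (f == "pkts") ? $1 : $2; print v }
    '
}

# commented_rule_count: number of rules the plugin would actually report.
commented_rule_count() {
  printf '%s\n' "$SAMPLE_IPTABLES_OUTPUT" | parse_counters | wc -l | tr -d ' '
}
```

The uncommented DROP rule in the middle of the chain is invisible to the parser, which is exactly why the plugin requires a comment on every rule you want to monitor.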
Key IPtables metrics to use for monitoring
Some of the important IPtables metrics that you should proactively monitor by table, chain, or ruleid include: