iptables_exporter

An asynchronous Prometheus exporter for iptables

iptables_exporter runs `iptables-save --counter` and parses the output to build Prometheus metrics. Because iptables-save requires root privileges, this tool must be run as root (or via sudo) or with the following capabilities in both the ambient and bounding set:
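The scrape-and-parse step described above, as an added Python example that is not the project's own (Rust) code: it parses a constructed `iptables-save --counters` sample embedded in the block and renders the same metric families the exporter exposes. Metric and label names follow the README's example output; the sample counters, chain names and the policy handling (`-` for user-defined chains, as iptables-save prints it) are assumptions.

```python
import re
from collections import Counter

# Constructed sample of `iptables-save --counters` output; not captured from a
# real host. Values are chosen to resemble the README's example metrics.
SAMPLE_IPTABLES_SAVE = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [1243840979:1291467136]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [639197815:652390274]
:LIBVIRT_INP - [0:0]
[1128660:1291467196] -A INPUT -j LIBVIRT_INP
[0:0] -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [343629:343629]
:POSTROUTING ACCEPT [220031:220031]
:sshuttle-12300 - [0:0]
[3190:350113] -A PREROUTING -j sshuttle-12300
[3065:183900] -A sshuttle-12300 -p tcp -j REDIRECT --to-ports 12300
COMMIT
"""

# `:CHAIN POLICY [packets:bytes]` declares a chain (user-defined chains carry the
# placeholder policy `-`); `[packets:bytes] -A CHAIN <rule>` is one rule.
CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")
RULE_RE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+) (.+)$")


def parse_iptables_save(text):
    """Parse `iptables-save --counters` output into chain and rule records."""
    chains, rules, table = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # `*filter`, `*nat`, ... opens a table
            table = line[1:]
            continue
        if line == "COMMIT":              # closes the current table
            table = None
            continue
        if table is None:
            raise ValueError(f"line outside a table block: {line!r}")
        m = CHAIN_RE.match(line)
        if m:
            chain, policy, pkts, byts = m.groups()
            chains.append({"table": table, "chain": chain, "policy": policy,
                           "packets": int(pkts), "bytes": int(byts)})
            continue
        m = RULE_RE.match(line)
        if m:
            pkts, byts, chain, rule = m.groups()
            rules.append({"table": table, "chain": chain, "rule": rule,
                          "packets": int(pkts), "bytes": int(byts)})
            continue
        raise ValueError(f"unrecognised iptables-save line: {line!r}")
    return chains, rules


def _labels(**kv):
    # Prometheus label values must escape backslash, double quote and newline.
    def esc(v):
        return v.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
    return "{" + ",".join(f'{k}="{esc(v)}"' for k, v in sorted(kv.items())) + "}"


def render_metrics(chains, rules):
    """Render the parsed records in Prometheus text exposition format."""
    out = []

    def family(name, help_text, kind, samples):
        out.append(f"# HELP {name} {help_text}")
        out.append(f"# TYPE {name} {kind}")
        out.extend(f"{name}{lbl} {val}" for lbl, val in samples)

    for unit in ("bytes", "packets"):
        family(f"iptables_chain_{unit}_total", f"Total {unit} flowing through a given chain", "counter",
               [(_labels(chain=c["chain"], policy=c["policy"], table=c["table"]), c[unit]) for c in chains])
    family("iptables_chains_total", "Total number of chains in a table", "gauge",
           [(_labels(table=t), n) for t, n in sorted(Counter(c["table"] for c in chains).items())])
    for unit in ("bytes", "packets"):
        family(f"iptables_rule_{unit}_total", f"Total {unit} matching a given rule", "counter",
               [(_labels(chain=r["chain"], rule=r["rule"], table=r["table"]), r[unit]) for r in rules])
    per_chain = Counter((r["table"], r["chain"]) for r in rules)
    # Every declared chain gets a sample, so empty chains report 0 instead of vanishing.
    family("iptables_rules_total", "Total number of rules in a chain in a table", "gauge",
           [(_labels(chain=c["chain"], table=c["table"]), per_chain[(c["table"], c["chain"])]) for c in chains])
    return "\n".join(out) + "\n"


def metrics_from_text(text):
    return render_metrics(*parse_iptables_save(text))


if __name__ == "__main__":
    print(metrics_from_text(SAMPLE_IPTABLES_SAVE), end="")
```

Run it directly to print the exposition text, or feed `metrics_from_text` the real output of `sudo iptables-save --counters`. Note that the `rule` label carries the full rule text, so whatever scrapes this endpoint learns the host's firewall configuration; since the exporter's default listen address is 0.0.0.0, restrict who can reach port 9455 (firewall it, or bind to a management address with `-l`). Two identical rules in the same chain would also collapse into one series here; a production exporter has to disambiguate them.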

Metrics Provided

Installation

At present, you must either install via cargo or compile from source; binary releases are planned for the near future.

Via cargo

```sh
$ cargo install iptables_exporter
```

Compile from Source

Ensure you have a Rust toolchain installed.

```sh
$ git clone https://github.com/kbknapp/iptables_exporter
$ cd iptables_exporter
$ cargo build --release
$ sudo cp target/release/iptables_exporter /usr/local/bin/
```

Usage

Command Line Interface

```
USAGE:
    iptables_exporter [FLAGS] [OPTIONS]

FLAGS:
    -h, --help       Prints help information
    -q, --quiet      Supress output at a level or lower. -q: INFO, -qq: WARN, -qqq: ERROR (i.e. everything)
    -v, --verbose    Show verbose output at a level or higher. -v: DEBUG, -vv: TRACE
    -V, --version    Prints version information

OPTIONS:
        --collect-interval    How often metrics are gathered [default: 5]
    -l, --listen-address      The listen address scraping metrics [default: 0.0.0.0]
    -p, --listen-port         The listen port for scraping metrics [default: 9455]
```

To run with the default options, assuming the binary is installed somewhere in your $PATH:

```sh
$ sudo iptables_exporter
```

Prometheus Configuration

You can add the following scrape configs to Prometheus:

```yaml
scrape_configs:
  - job_name: 'iptables'
    static_configs:
      - targets:
          - 'localhost:9455'
          - 'otherhost:9455'
    relabel_configs:
      - source_labels: [ '__address__' ]
        regex: '(.*):\d+'
        target_label: instance
```
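Added example alerting rules built on the metrics this exporter exposes; they are not part of the project. The file name, group name, thresholds and `for` durations are assumptions; reference the file from `rule_files:` in prometheus.yml. With the relabeling above, `instance` is the bare hostname.

```yaml
# iptables_alerts.yml (assumed file name) - example rules, not shipped with iptables_exporter
groups:
  - name: iptables
    rules:
      # The exporter could not run or parse iptables-save (lost root/capabilities,
      # iptables replaced by nftables-only tooling, ...). Counters are stale until fixed.
      - alert: IptablesScrapeFailed
        expr: iptables_scrape_success == 0
        for: 2m
        labels:
          severity: warning
        annotations:
          summary: "iptables_exporter on {{ $labels.instance }} cannot read iptables counters"

      # The number of rules in a chain changed: expected after a deploy, worth a look otherwise.
      - alert: IptablesRuleSetChanged
        expr: changes(iptables_rules_total[1h]) > 0
        labels:
          severity: info
        annotations:
          summary: "rule count of chain {{ $labels.chain }} (table {{ $labels.table }}) on {{ $labels.instance }} changed in the last hour"

      # Sustained hits on REJECT/DROP rules in the filter table.
      - alert: IptablesRejectedTraffic
        expr: sum by (instance, chain, rule) (rate(iptables_rule_packets_total{table="filter", rule=~".*-j (REJECT|DROP).*"}[5m])) > 0
        for: 5m
        labels:
          severity: info
        annotations:
          summary: "{{ $labels.instance }}: rule '{{ $labels.rule }}' in chain {{ $labels.chain }} is rejecting traffic"
```

`rate()` on the counters handles the wrap to zero that happens when counters are reset (for example by `iptables -Z` or a ruleset reload), so a reload shows up as a `changes()` event rather than a false traffic spike.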

Example Metrics

```
# HELP iptables_chain_bytes_total Total bytes flowing through a given chain
# TYPE iptables_chain_bytes_total counter
iptables_chain_bytes_total{chain="DOCKER",policy="ACCEPT",table="filter"} 0
iptables_chain_bytes_total{chain="DOCKER",policy="ACCEPT",table="nat"} 0
iptables_chain_bytes_total{chain="DOCKER-ISOLATION-STAGE-1",policy="ACCEPT",table="filter"} 0
iptables_chain_bytes_total{chain="DOCKER-ISOLATION-STAGE-2",policy="ACCEPT",table="filter"} 0
iptables_chain_bytes_total{chain="FORWARD",policy="ACCEPT",table="filter"} 0
iptables_chain_bytes_total{chain="FORWARD",policy="ACCEPT",table="mangle"} 0
iptables_chain_bytes_total{chain="FORWARD",policy="ACCEPT",table="security"} 0
iptables_chain_bytes_total{chain="INPUT",policy="ACCEPT",table="filter"} 1243840979
iptables_chain_bytes_total{chain="INPUT",policy="ACCEPT",table="mangle"} 1291467136
iptables_chain_bytes_total{chain="INPUT",policy="ACCEPT",table="nat"} 16724
iptables_chain_bytes_total{chain="INPUT",policy="ACCEPT",table="security"} 1291121184
iptables_chain_bytes_total{chain="LIBVIRT_FWI",policy="ACCEPT",table="filter"} 0
iptables_chain_bytes_total{chain="LIBVIRT_FWO",policy="ACCEPT",table="filter"} 0
iptables_chain_bytes_total{chain="LIBVIRT_FWX",policy="ACCEPT",table="filter"} 0
iptables_chain_bytes_total{chain="LIBVIRT_INP",policy="ACCEPT",table="filter"} 0
iptables_chain_bytes_total{chain="LIBVIRT_OUT",policy="ACCEPT",table="filter"} 0
iptables_chain_bytes_total{chain="LIBVIRT_PRT",policy="ACCEPT",table="mangle"} 0
iptables_chain_bytes_total{chain="LIBVIRT_PRT",policy="ACCEPT",table="nat"} 0
iptables_chain_bytes_total{chain="OUTPUT",policy="ACCEPT",table="filter"} 639197815
iptables_chain_bytes_total{chain="OUTPUT",policy="ACCEPT",table="mangle"} 652390274
iptables_chain_bytes_total{chain="OUTPUT",policy="ACCEPT",table="nat"} 49151
iptables_chain_bytes_total{chain="OUTPUT",policy="ACCEPT",table="raw"} 652399242
iptables_chain_bytes_total{chain="OUTPUT",policy="ACCEPT",table="security"} 652399242
iptables_chain_bytes_total{chain="POSTROUTING",policy="ACCEPT",table="mangle"} 652416550
iptables_chain_bytes_total{chain="POSTROUTING",policy="ACCEPT",table="nat"} 220031
iptables_chain_bytes_total{chain="PREROUTING",policy="ACCEPT",table="mangle"} 1291467136
iptables_chain_bytes_total{chain="PREROUTING",policy="ACCEPT",table="nat"} 343629
iptables_chain_bytes_total{chain="PREROUTING",policy="ACCEPT",table="raw"} 1291476956
iptables_chain_bytes_total{chain="sshuttle-12300",policy="ACCEPT",table="nat"} 0
# HELP iptables_chain_packets_total Total packets flowing through a given chain
# TYPE iptables_chain_packets_total counter
iptables_chain_packets_total{chain="DOCKER",policy="ACCEPT",table="filter"} 0
iptables_chain_packets_total{chain="DOCKER",policy="ACCEPT",table="nat"} 0
iptables_chain_packets_total{chain="DOCKER-ISOLATION-STAGE-1",policy="ACCEPT",table="filter"} 0
iptables_chain_packets_total{chain="DOCKER-ISOLATION-STAGE-2",policy="ACCEPT",table="filter"} 0
iptables_chain_packets_total{chain="FORWARD",policy="ACCEPT",table="filter"} 0
iptables_chain_packets_total{chain="FORWARD",policy="ACCEPT",table="mangle"} 0
iptables_chain_packets_total{chain="FORWARD",policy="ACCEPT",table="security"} 0
iptables_chain_packets_total{chain="INPUT",policy="ACCEPT",table="filter"} 1243840979
iptables_chain_packets_total{chain="INPUT",policy="ACCEPT",table="mangle"} 1291467136
iptables_chain_packets_total{chain="INPUT",policy="ACCEPT",table="nat"} 16724
iptables_chain_packets_total{chain="INPUT",policy="ACCEPT",table="security"} 1291121184
iptables_chain_packets_total{chain="LIBVIRT_FWI",policy="ACCEPT",table="filter"} 0
iptables_chain_packets_total{chain="LIBVIRT_FWO",policy="ACCEPT",table="filter"} 0
iptables_chain_packets_total{chain="LIBVIRT_FWX",policy="ACCEPT",table="filter"} 0
iptables_chain_packets_total{chain="LIBVIRT_INP",policy="ACCEPT",table="filter"} 0
iptables_chain_packets_total{chain="LIBVIRT_OUT",policy="ACCEPT",table="filter"} 0
iptables_chain_packets_total{chain="LIBVIRT_PRT",policy="ACCEPT",table="mangle"} 0
iptables_chain_packets_total{chain="LIBVIRT_PRT",policy="ACCEPT",table="nat"} 0
iptables_chain_packets_total{chain="OUTPUT",policy="ACCEPT",table="filter"} 639197815
iptables_chain_packets_total{chain="OUTPUT",policy="ACCEPT",table="mangle"} 652390274
iptables_chain_packets_total{chain="OUTPUT",policy="ACCEPT",table="nat"} 49151
iptables_chain_packets_total{chain="OUTPUT",policy="ACCEPT",table="raw"} 652399242
iptables_chain_packets_total{chain="OUTPUT",policy="ACCEPT",table="security"} 652399242
iptables_chain_packets_total{chain="POSTROUTING",policy="ACCEPT",table="mangle"} 652416550
iptables_chain_packets_total{chain="POSTROUTING",policy="ACCEPT",table="nat"} 220031
iptables_chain_packets_total{chain="PREROUTING",policy="ACCEPT",table="mangle"} 1291467136
iptables_chain_packets_total{chain="PREROUTING",policy="ACCEPT",table="nat"} 343629
iptables_chain_packets_total{chain="PREROUTING",policy="ACCEPT",table="raw"} 1291476956
iptables_chain_packets_total{chain="sshuttle-12300",policy="ACCEPT",table="nat"} 0
# HELP iptables_chains_total Total number of chains in a table
# TYPE iptables_chains_total gauge
iptables_chains_total{table="filter"} 11
iptables_chains_total{table="mangle"} 6
iptables_chains_total{table="nat"} 7
iptables_chains_total{table="raw"} 2
iptables_chains_total{table="security"} 3
# HELP iptables_rule_bytes_total Total bytes matching a given rule
# TYPE iptables_rule_bytes_total counter
iptables_rule_bytes_total{chain="DOCKER",rule="-i docker0 -j RETURN",table="nat"} 0
iptables_rule_bytes_total{chain="DOCKER-ISOLATION-STAGE-1",rule="-j RETURN",table="filter"} 0
iptables_rule_bytes_total{chain="DOCKER-ISOLATION-STAGE-2",rule="-j RETURN",table="filter"} 0
iptables_rule_bytes_total{chain="FORWARD",rule="-i docker0 ! -o docker0 -j ACCEPT",table="filter"} 0
iptables_rule_bytes_total{chain="FORWARD",rule="-i docker0 -o docker0 -j ACCEPT",table="filter"} 0
iptables_rule_bytes_total{chain="FORWARD",rule="-j LIBVIRT_FWI",table="filter"} 0
iptables_rule_bytes_total{chain="FORWARD",rule="-j LIBVIRT_FWO",table="filter"} 0
iptables_rule_bytes_total{chain="FORWARD",rule="-j LIBVIRT_FWX",table="filter"} 0
iptables_rule_bytes_total{chain="INPUT",rule="-j LIBVIRT_INP",table="filter"} 1291467196
iptables_rule_bytes_total{chain="LIBVIRT_FWI",rule="-d 192.168.84.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",table="filter"} 0
iptables_rule_bytes_total{chain="LIBVIRT_FWI",rule="-o virbr0 -j REJECT --reject-with icmp-port-unreachable",table="filter"} 0
iptables_rule_bytes_total{chain="LIBVIRT_FWO",rule="-i virbr0 -j REJECT --reject-with icmp-port-unreachable",table="filter"} 0
iptables_rule_bytes_total{chain="LIBVIRT_FWO",rule="-s 192.168.84.0/24 -i virbr0 -j ACCEPT",table="filter"} 0
iptables_rule_bytes_total{chain="LIBVIRT_FWX",rule="-i virbr0 -o virbr0 -j ACCEPT",table="filter"} 0
iptables_rule_bytes_total{chain="LIBVIRT_INP",rule="-i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT",table="filter"} 0
iptables_rule_bytes_total{chain="LIBVIRT_INP",rule="-i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT",table="filter"} 0
iptables_rule_bytes_total{chain="LIBVIRT_INP",rule="-i virbr0 -p udp -m udp --dport 53 -j ACCEPT",table="filter"} 0
iptables_rule_bytes_total{chain="LIBVIRT_INP",rule="-i virbr0 -p udp -m udp --dport 67 -j ACCEPT",table="filter"} 0
iptables_rule_bytes_total{chain="LIBVIRT_OUT",rule="-o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT",table="filter"} 0
iptables_rule_bytes_total{chain="LIBVIRT_OUT",rule="-o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT",table="filter"} 0
iptables_rule_bytes_total{chain="LIBVIRT_OUT",rule="-o virbr0 -p udp -m udp --dport 53 -j ACCEPT",table="filter"} 0
iptables_rule_bytes_total{chain="LIBVIRT_OUT",rule="-o virbr0 -p udp -m udp --dport 68 -j ACCEPT",table="filter"} 0
iptables_rule_bytes_total{chain="LIBVIRT_PRT",rule="-o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill",table="mangle"} 0
iptables_rule_bytes_total{chain="LIBVIRT_PRT",rule="-s 192.168.84.0/24 ! -d 192.168.122.0/24 -j MASQUERADE",table="nat"} 0
iptables_rule_bytes_total{chain="LIBVIRT_PRT",rule="-s 192.168.84.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535",table="nat"} 0
iptables_rule_bytes_total{chain="LIBVIRT_PRT",rule="-s 192.168.84.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535",table="nat"} 0
iptables_rule_bytes_total{chain="LIBVIRT_PRT",rule="-s 192.168.84.0/24 -d 224.0.0.0/24 -j RETURN",table="nat"} 167
iptables_rule_bytes_total{chain="LIBVIRT_PRT",rule="-s 192.168.84.0/24 -d 255.255.255.255/32 -j RETURN",table="nat"} 0
iptables_rule_bytes_total{chain="OUTPUT",rule="-j LIBVIRT_OUT",table="filter"} 652390620
iptables_rule_bytes_total{chain="OUTPUT",rule="-j sshuttle-12300",table="nat"} 250545
iptables_rule_bytes_total{chain="POSTROUTING",rule="-j LIBVIRT_PRT",table="mangle"} 652416896
iptables_rule_bytes_total{chain="POSTROUTING",rule="-j LIBVIRT_PRT",table="nat"} 274670
iptables_rule_bytes_total{chain="POSTROUTING",rule="-s 172.17.0.0/16 ! -o docker0 -j MASQUERADE",table="nat"} 0
iptables_rule_bytes_total{chain="PREROUTING",rule="-j sshuttle-12300",table="nat"} 350113
iptables_rule_bytes_total{chain="sshuttle-12300",rule="-d 127.0.0.1/32 -p tcp -j RETURN",table="nat"} 0
iptables_rule_bytes_total{chain="sshuttle-12300",rule="-m addrtype --dst-type LOCAL -j RETURN",table="nat"} 13654
iptables_rule_bytes_total{chain="sshuttle-12300",rule="-m ttl --ttl-eq 63 -j RETURN",table="nat"} 0
iptables_rule_bytes_total{chain="sshuttle-12300",rule="-p tcp -j REDIRECT --to-ports 12300",table="nat"} 183900
# HELP iptables_rule_packets_total Total packets matching a given rule
# TYPE iptables_rule_packets_total counter
iptables_rule_packets_total{chain="DOCKER",rule="-i docker0 -j RETURN",table="nat"} 0
iptables_rule_packets_total{chain="DOCKER-ISOLATION-STAGE-1",rule="-j RETURN",table="filter"} 0
iptables_rule_packets_total{chain="DOCKER-ISOLATION-STAGE-2",rule="-j RETURN",table="filter"} 0
iptables_rule_packets_total{chain="FORWARD",rule="-i docker0 ! -o docker0 -j ACCEPT",table="filter"} 0
iptables_rule_packets_total{chain="FORWARD",rule="-i docker0 -o docker0 -j ACCEPT",table="filter"} 0
iptables_rule_packets_total{chain="FORWARD",rule="-j LIBVIRT_FWI",table="filter"} 0
iptables_rule_packets_total{chain="FORWARD",rule="-j LIBVIRT_FWO",table="filter"} 0
iptables_rule_packets_total{chain="FORWARD",rule="-j LIBVIRT_FWX",table="filter"} 0
iptables_rule_packets_total{chain="INPUT",rule="-j LIBVIRT_INP",table="filter"} 1128660
iptables_rule_packets_total{chain="LIBVIRT_FWI",rule="-d 192.168.84.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",table="filter"} 0
iptables_rule_packets_total{chain="LIBVIRT_FWI",rule="-o virbr0 -j REJECT --reject-with icmp-port-unreachable",table="filter"} 0
iptables_rule_packets_total{chain="LIBVIRT_FWO",rule="-i virbr0 -j REJECT --reject-with icmp-port-unreachable",table="filter"} 0
iptables_rule_packets_total{chain="LIBVIRT_FWO",rule="-s 192.168.84.0/24 -i virbr0 -j ACCEPT",table="filter"} 0
iptables_rule_packets_total{chain="LIBVIRT_FWX",rule="-i virbr0 -o virbr0 -j ACCEPT",table="filter"} 0
iptables_rule_packets_total{chain="LIBVIRT_INP",rule="-i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT",table="filter"} 0
iptables_rule_packets_total{chain="LIBVIRT_INP",rule="-i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT",table="filter"} 0
iptables_rule_packets_total{chain="LIBVIRT_INP",rule="-i virbr0 -p udp -m udp --dport 53 -j ACCEPT",table="filter"} 0
iptables_rule_packets_total{chain="LIBVIRT_INP",rule="-i virbr0 -p udp -m udp --dport 67 -j ACCEPT",table="filter"} 0
iptables_rule_packets_total{chain="LIBVIRT_OUT",rule="-o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT",table="filter"} 0
iptables_rule_packets_total{chain="LIBVIRT_OUT",rule="-o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT",table="filter"} 0
iptables_rule_packets_total{chain="LIBVIRT_OUT",rule="-o virbr0 -p udp -m udp --dport 53 -j ACCEPT",table="filter"} 0
iptables_rule_packets_total{chain="LIBVIRT_OUT",rule="-o virbr0 -p udp -m udp --dport 68 -j ACCEPT",table="filter"} 0
iptables_rule_packets_total{chain="LIBVIRT_PRT",rule="-o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill",table="mangle"} 0
iptables_rule_packets_total{chain="LIBVIRT_PRT",rule="-s 192.168.84.0/24 ! -d 192.168.122.0/24 -j MASQUERADE",table="nat"} 0
iptables_rule_packets_total{chain="LIBVIRT_PRT",rule="-s 192.168.84.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535",table="nat"} 0
iptables_rule_packets_total{chain="LIBVIRT_PRT",rule="-s 192.168.84.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535",table="nat"} 0
iptables_rule_packets_total{chain="LIBVIRT_PRT",rule="-s 192.168.84.0/24 -d 224.0.0.0/24 -j RETURN",table="nat"} 2
iptables_rule_packets_total{chain="LIBVIRT_PRT",rule="-s 192.168.84.0/24 -d 255.255.255.255/32 -j RETURN",table="nat"} 0
iptables_rule_packets_total{chain="OUTPUT",rule="-j LIBVIRT_OUT",table="filter"} 988683
iptables_rule_packets_total{chain="OUTPUT",rule="-j sshuttle-12300",table="nat"} 3804
iptables_rule_packets_total{chain="POSTROUTING",rule="-j LIBVIRT_PRT",table="mangle"} 988827
iptables_rule_packets_total{chain="POSTROUTING",rule="-j LIBVIRT_PRT",table="nat"} 4020
iptables_rule_packets_total{chain="POSTROUTING",rule="-s 172.17.0.0/16 ! -o docker0 -j MASQUERADE",table="nat"} 0
iptables_rule_packets_total{chain="PREROUTING",rule="-j sshuttle-12300",table="nat"} 3190
iptables_rule_packets_total{chain="sshuttle-12300",rule="-d 127.0.0.1/32 -p tcp -j RETURN",table="nat"} 0
iptables_rule_packets_total{chain="sshuttle-12300",rule="-m addrtype --dst-type LOCAL -j RETURN",table="nat"} 204
iptables_rule_packets_total{chain="sshuttle-12300",rule="-m ttl --ttl-eq 63 -j RETURN",table="nat"} 0
iptables_rule_packets_total{chain="sshuttle-12300",rule="-p tcp -j REDIRECT --to-ports 12300",table="nat"} 3065
# HELP iptables_rules_total Total number of rules in a chain in a table
# TYPE iptables_rules_total gauge
iptables_rules_total{chain="DOCKER",table="filter"} 0
iptables_rules_total{chain="DOCKER",table="nat"} 1
iptables_rules_total{chain="DOCKER-ISOLATION-STAGE-1",table="filter"} 1
iptables_rules_total{chain="DOCKER-ISOLATION-STAGE-2",table="filter"} 1
iptables_rules_total{chain="FORWARD",table="filter"} 5
iptables_rules_total{chain="FORWARD",table="mangle"} 0
iptables_rules_total{chain="FORWARD",table="security"} 0
iptables_rules_total{chain="INPUT",table="filter"} 1
iptables_rules_total{chain="INPUT",table="mangle"} 0
iptables_rules_total{chain="INPUT",table="nat"} 0
iptables_rules_total{chain="INPUT",table="security"} 0
iptables_rules_total{chain="LIBVIRT_FWI",table="filter"} 2
iptables_rules_total{chain="LIBVIRT_FWO",table="filter"} 2
iptables_rules_total{chain="LIBVIRT_FWX",table="filter"} 1
iptables_rules_total{chain="LIBVIRT_INP",table="filter"} 4
iptables_rules_total{chain="LIBVIRT_OUT",table="filter"} 4
iptables_rules_total{chain="LIBVIRT_PRT",table="mangle"} 1
iptables_rules_total{chain="LIBVIRT_PRT",table="nat"} 5
iptables_rules_total{chain="OUTPUT",table="filter"} 1
iptables_rules_total{chain="OUTPUT",table="mangle"} 0
iptables_rules_total{chain="OUTPUT",table="nat"} 1
iptables_rules_total{chain="OUTPUT",table="raw"} 0
iptables_rules_total{chain="OUTPUT",table="security"} 0
iptables_rules_total{chain="POSTROUTING",table="mangle"} 1
iptables_rules_total{chain="POSTROUTING",table="nat"} 2
iptables_rules_total{chain="PREROUTING",table="mangle"} 0
iptables_rules_total{chain="PREROUTING",table="nat"} 1
iptables_rules_total{chain="PREROUTING",table="raw"} 0
iptables_rules_total{chain="sshuttle-12300",table="nat"} 4
# HELP iptables_scrape_duration_milliseconds Duration in milliseconds of the scrape
# TYPE iptables_scrape_duration_milliseconds gauge
iptables_scrape_duration_milliseconds 2
# HELP iptables_scrape_success If the scrape was a success
# TYPE iptables_scrape_success gauge
iptables_scrape_success 1
```

License

This project is dual-licensed under the terms of either the MIT license or the Apache 2.0 license, at your option.