MASARYK UNIVERSITY FACULTY OF INFORMATICS
Local service monitoring status of Linux operating systems
BACHELORTHESIS
Jakub Svoboda
Brno, Spring 2012 Declaration
Hereby I declare, that this paper is my original authorial work, which I have worked out by my own. All sources, references and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source.
Jakub Svoboda
Advisor: Mgr. Pavel Tuˇcek
ii Acknowledgement
I’d like to thank to my advisor Mgr. Pavel Tuˇcekfor patiency, guidance, invaluable assistance and encouragement. I’d also like to thank to Jan Koneˇcnýfor programming advices in the course of designing the application.
iii Abstract
Theoretical part of the thesis analyzes methods of monitoring Linux operating system and monitoring requirements of the Institute of Computer Science. In the practical part of the thesis, Linux monitoring application is designed and implemented. The application is developed as a part of ICS’ Large Enterprise Monitoring (Lemon) project.
iv Keywords
Linux, monitoring, Mono, Lemon, LinMon
v Contents
1 Introduction ...... 1 2 Operating system monitoring in general ...... 2 2.1 Operating system purpose ...... 2 2.2 Reliability of operating system ...... 2 2.3 Reasons for monitoring ...... 3 2.4 Existing GNU/Linux-compatible solutions ...... 3 2.4.1 SYSSTAT ...... 4 2.4.2 Dstat ...... 4 2.4.3 vmstat ...... 4 2.4.4 Collectd ...... 4 2.4.5 Munin ...... 5 2.4.6 Nagios, Shinken and Icinga ...... 5 2.4.7 PCP ...... 5 2.4.8 Xymon ...... 5 3 System monitoring at the Institute of Computer Science ...... 7 3.1 Lemon project ...... 7 3.1.1 Lemon architecture ...... 7 Event generators ...... 7 Transport system ...... 8 Processing system ...... 8 Web service and presentation application ...... 9 3.2 Monitoring of operating systems ...... 9 3.3 Requirements for monitoring of GNU/Linux machines ...... 9 3.3.1 Report format ...... 9 3.3.2 Scope of monitoring ...... 10 3.3.3 Runtime requirements ...... 11 3.3.4 Packaging requirements ...... 11 3.4 Suitability of existing applications ...... 11 4 Implementation of GNU/Linux monitoring application ...... 12 4.1 Chosen goals ...... 12 4.1.1 Operating system and programming language ...... 12 4.1.2 Configuration ...... 12 4.1.3 Types of reports ...... 13 4.1.4 Monitored areas ...... 13 Disk usage ...... 13 Iptables ...... 13 Network interfaces ...... 17 Users ...... 17 Groups ...... 18 Recent logins (both physical and remote) ...... 18
vi Recent physical logins ...... 18 Recent login attempts over ssh (both successful and unsuccess- ful) ...... 18 Installed packages ...... 19 Available package updates ...... 19 Recent reboots ...... 19 Time of last reboot ...... 20 Processes using CPU above a set limit ...... 20 Information about operating system ...... 20 System installation date ...... 20 4.2 Application architecture ...... 21 4.2.1 Classes and interfaces ...... 21 4.2.2 Error handling ...... 22 4.2.3 File access and permissions ...... 23 4.2.4 Settings file and alternative settings ...... 23 4.2.5 Report production ...... 24 4.2.6 Report comparison ...... 24 Comparison without a primary key ...... 25 Comparison with a primary key ...... 25 5 Testing of LinMon ...... 26 5.1 Testing environment ...... 26 5.1.1 Personal computers ...... 26 GNU/Linux ...... 26 Other than GNU/Linux ...... 27 5.1.2 ICS server ...... 27 Problems that occurred during testing ...... 27 5.2 LinMon in production environment ...... 28 6 Conclusion ...... 29 Bibliography ...... 29
vii 1 Introduction
Masaryk University operates a large computer network. The need to manage the network effectively resulted in a computer monitoring project called Lemon. Lemon is a system that collects data about computers using agents installed on the computers and processes them on centralized servers. It allows Masaryk University to check computer health, localize problems and to prevent misuse. Lemon is modular and consists of several components. Lemon is capable of monitoring only Windows systems at this time, with planned Linux support. This thesis deals with the Linux monitoring agent. The second chapter of the thesis describes monitoring of operating systems in general and Linux-compatible monitoring applications. The third chapter presents system moni- toring at the Institute of Computer Science, requirements for the monitoring application and suitability of existing applications. The fourth chapter presents chosen goals and describes architecture of the developed application. The fifth chapter talks about testing and its results. The last chapter evaluates the developed application and its impact on system monitoring at the Masaryk University. The thesis is accompanied by three Appendices. Appendix A lists all source code, Appendix B contains class diagrams and Appendix C is an Administrator’s Guide which helps administrators with using LinMon.
1 2 Operating system monitoring in general
2.1 Operating system purpose
Computers and the software they run are complex mechanisms with an inherent risk of failure1. Most computers today are run with an operating system so that multiple applications can run at once, use the operating system routines instead of accessing the bare hardware and use safe mechanisms of inter-process communication.2
2.2 Reliability of operating system
The apparent advantage of running an operating system comes with a cost. A failure in the operating system can result in all the applications being unable to run properly or to run at all. (Not that an application running on the bare metal cannot fail, but OS adds additional possible point of failure apart from the application itself.) Microkernel and nanokernel operating systems try to solve this problem by minimizing the amount of code comprising the very core of the operating system with independent modules that can be restarted without affecting the rest of the system in a case of failure3. There are even operating systems capable of taking snapshots—containing state of all running programs, memory and necessary data—and then recovering to the latest snapshot in case of failure, with no need to restart programs or check filesystems, effectively restarting quickly and losing only last few minutes of data. This property is called orthogonal persistence4. However, general-purpose operating systems are not made in such a safe and uninterruptible way. They are made of interdependent components and failure can propagate throughout the system. The majority of workstations and a large share of servers run general-purpose operat- ing systems nowadays5. When a failure occurs, a manual intervention may be required. The system administrator6 must collect all the information they need to find and resolve the problem. This might include: • Errors logged in a system log.
1. Proving the correctness of software is a very hard to nearly impossible task. Bruce Schneier has an informative post with a discussion on his blog [1]. 2. Solutions going against this approach do exist—such as running a single application on bare hardware or using exokernel (such as MIT Exokernel Operating System [2]) merely for multiplexing bare hardware, isolating the applications from each other—but they are limited to microcontrollers and embedded systems, as in the case of a single application, or simply very rare, as in the case of using exokernel. 3. Such an operating system is QNX Neutrino [3]. 4. Such operating systems are KeyKOS [4] and EROS [5], for instance. 5. According to W3Techs statistics from March 25th 2012, “Unix” and Windows web servers together have 100% market share. http://w3techs.com/technologies/overview/operating_system/all 6. I will call anyone who is experienced in maintaining and repairing an operating system a “system administrator” for the purpose of this thesis.
2 2. OPERATINGSYSTEMMONITORINGINGENERAL
• Disk usage information. (Is there a disk that is full that consequently caused the system to fail?)
• Installed software and changes in installed software. (Has a new software or software update caused the failure?)
• Users, groups and changes in users and groups. (Is there a new user who may have run something that caused the failure?)
• Logins to the system. (The system administrator can look who was logged in at the time of the failure and limit the scope of the investigation.)
• Network interfaces. (Was there a change in the network configuration that caused the system to fail?)
• Firewall rules. (Was there a change of the firewall rules or does a rule collide with something?)
• Reboots. (If and when the machine was rebooted.)
• What is the exact version of the operating system (there might be a bug specific to this OS version).
2.3 Reasons for monitoring
The need for frequent and repetitive collection of information makes automation rele- vant. And not only that. There are cases where it is useful to monitor operating system state. A history of the states can be inspected later. This can be very useful for system administrators, saving time when analyzing system state and providing evidence. Therefore, operating system monitoring—the act of collecting information about system state through the time and storing such information—may be useful for viable system administration. Moreover, storing all the information in a central location can further increase admin- istration efficiency.
2.4 Existing GNU/Linux-compatible solutions
The thesis deals with monitoring of GNU/Linux operating system. Hence only GNU/Linux- compatible monitoring software is mentioned in this section. There are numerous applications ranging from monitoring just the load on the local machine to monitoring various properties across a whole network.
3 2. OPERATINGSYSTEMMONITORINGINGENERAL
2.4.1 SYSSTAT
SYSSTAT is a performance analysis toolkit, monitoring state of the operating system it runs on. It contains several monitoring tools: Sar, sadc, sadf, iostat, nfsiostat, cifsiostat, mpstat, pidstat. Some of the monitored properties are: I/O operations, CPU utilization, interrupt statistics, process statistics, network statistics, NFS activity, system load, TTY device activity. [6] SYSSTAT is implemented in the C language. Homepage of SYSSTAT is http://sebastien.godard.pagesperso-orange. fr/index.html.
2.4.2 Dstat
Dstat is a performance analysis tool, monitoring state of the operating system it runs on. Some of the monitored properties are: Disk read and write operations, CPU utilization, interrupt statistics, process statistics, network statistics, system load. [7] Dstat is implemented in Python. Homepage of Dstat is http://dag.wieers.com/home-made/dstat/.
2.4.3 vmstat
Vmstat is a performance analysis tool, monitoring state of the operating system it runs on. Some of the monitored properties are: Process statistics, memory statistics, swap usage, I/O statistics, interrupt statistics, CPU utilization. [8] Vmstat is implemented in C7. Vmstat doesn’t have its own homepage. Linux manual page can be found at [8].
2.4.4 Collectd
Collectd is a performance analysis tool, monitoring state of the operating system it runs on and optionally monitoring state of networked systems. Collectd collects information using plugins and is extensible that way. Some of the available plugins monitor the following: Apache status, battery charge status, CPU state, DNS traffic statistics, iptables, memory utilization, NFS usage, nginx statistics, OpenVPN statistics, sensors status, swap usage, syslog messages, thermal information, uptime, logged users, UUID. It also supports monitoring via SNMP using a plugin [9]. Networking support allows more “client” collectd instances to send data to a “server” collectd instance using a unicast address as well as sending data to multiple “server” instances using multicast [10]. Collectd is implemented in C. Collectd homepage is http://collectd.org/.
7. Source code is available at http://lxr.linux.no/linux+v3.3.4/mm/vmstat.c, for instance.
4 2. OPERATINGSYSTEMMONITORINGINGENERAL
2.4.5 Munin Munin is a performance analysis tool, monitoring state of networked computers or state of the operating system it runs on. Munin supports collecting information using plugins and is extensible that way [11]. Some of the available plugins are: Apache, apt, asterisk, disk, logins, mysql, network, nfs, nginx, ntp, processes, sensors, system. All the plugins are placed in a github directory with little to no documentation [12, 13]. It also supports monitoring via SNMP using a plugin [14]. Munin is implemented in Perl. Munin homepage is http://munin-monitoring.org/.
2.4.6 Nagios, Shinken and Icinga Nagios is a performance analysis tool, monitoring state of network and state of networked computers running an agent8. Some of the monitored properties are: “Network services (SMTP, POP3, HTTP, NNTP, PING, etc.)” and “host resources (processor load, disk usage, etc.)” [15, 16, 17]. Nagios collects information using plugins and is extensible that way. It can monitor whatever property a plugin supports [18]. Nagios is implemented in C. Nagios homepage is http://www.nagios.org/. Shinken is a tool similar to Nagios and compatible with Nagios plugins [19, 20]. Shinken homepage is http://www.shinken-monitoring.org/. Icinga is a tool similar to Nagios and compatible with Nagios plugins [21]. Icinga homepage is https://www.icinga.org/.
2.4.7 PCP PCP (Performance Co-Pilot) is a performance analysis toolkit, monitoring state of net- work and networked computers. Some of the monitored properties are: Hardware status, kernel status, applications status, CPU utilization, disk usage, memory statistics, swap us- age, network statistics, data about databases, apache, sendmail and more. PCP supports collecting information using plugins and agents [22]. PCP is implemented in C++. PCP homepage is http://oss.sgi.com/projects/pcp/.
2.4.8 Xymon Xymon is a performance analysis toolkit, monitoring state of networked operating systems. Some of the monitored properties are: Network services status, disk utilization, logfiles, processes. Xymon is extensible and operating system status is collected usingan agent [23].
8. Agent is required only for host resources monitoring.
5 2. OPERATINGSYSTEMMONITORINGINGENERAL
Xymon is implemented in C. Xymon homepage is http://xymon.sourceforge.net/.
6 3 System monitoring at the Institute of Computer Science
3.1 Lemon project
Lemon (Large Enterprise MONitoring) is a monitoring system developed at the Masaryk University’s Institute of Computer Science. It consists of event generators, a transport system, a processing system, a database, a web service and a presentation application. Lemon monitors most computers in the property of Masaryk University. The adminis- trators can efficiently see what computers are badly configured, detect intrusions and prevent computer misuse or non-study activities in study rooms, for instance. Each monitored computer is equipped with a software component, called an event generator, that logs events to a local folder and a software component, called a transport system, that collects the logs from the local folder and sends them to a spooler server through network. There are several spooler servers in a tree hierarchy, forwarding the logs to a central spooler server that in turn sends them to an event processing server. Event processing server saves all the logs to a database and creates additional realtime warnings based on the incoming data. A web service reads the database and receives warnings from the event processing server. The web service presents data in a human- readable form using a presentation application. LinMon is one of the event generators.
3.1.1 Lemon architecture
Lemon Shared
WinMon Lemon Lemon Lemon WCF WLET Pool Core Route Zappa Namtar Frank 2
Bacula
planned LinMon DB
The architecture of Lemon
Event generators Lemon event generator is a computer program running as a Windows service or a GNU/Linux daemon on each monitored computer. Currently, there are three event generators —WinMon, Namtar2 and Bacula (with planned LinMon).
7 3. SYSTEM MONITORING AT THE INSTITUTEOF COMPUTER SCIENCE
WinMon is event generator for Microsoft Windows. Among other data sources, it subscribes to Windows Event Log and reads various information from there. WinMon produces full daily reports, containing all monitored information, and periodic differen- tial reports containing only changed information. Namtar2 is another event generator for Microsoft Windows, capable of logging only user log in and log off, system start and shutdown and screen lock. It does not use Windows Event Log. Bacula reports only information about client PC backups made by the Bacula applica- tion. LinMon is event generator for GNU/Linux and produces reports similarly to WinMon. It can be deployed on both servers and workstations. All event generators save the logs to a local folder on the client PC.
Transport system Lemon transport system comprises of client and server parts. The client part is a computer program running as a Windows service or a GNU/Linux daemon alongside the event generator(s) on client PCs—called WLETdispatcher—and the server part is another program running on a server, called WLETspooler[24]. WLETdispatcher collects the logs from the local PC and sends them over network to a WLETspooler running on a server. WLETspooler receives and saves the logs. There is not a sole server fetching all the logs; there are multiple servers in a tree hierarchy. Each of them, except the top one, runs both WLETdispatcher and WLETspooler, receiving logs from subordinate machines using WLETspooler and forwarding them to superordinate ma- chines using WLETdispatcher. In the top of the hierarchy is altariel2.ucn.muni.cz server that hands the logs over for storage and further processing. There is a new NamtarRemoting transport system based on Microsoft .NET Remoting for both Windows and GNU/Linux in the works, eliminating the tree hierarchy.
Processing system All the logs are saved to a database and also processed by a system called CEP, or Complex Event Processing. It consists of “Lemon Pool”, “Lemon Core”, “Lemon Shared” and “MQ”, a message queue. Lemon Pool receives logs, saves all the raw (not processed) logs to a database con- nected to Lemon Pool, additionally processes the received logs and optionally sends a message to the Message Queue. Lemon Pool has a modular architecture, which allows for customization of the processing. It can, for instance, issue a warning when certain criteria in the received logs are met (examples: A suspicious person logged in on a computer, new administrator account was created on a computer). Output of such processing is not saved to the database; it is send via the Message Queue to Lemon Core instead. Lemon Core executes scenario logic, which involves complex processing of data and extracting the true meaning. An example: A sole warning about a new user account
8 3. SYSTEM MONITORING AT THE INSTITUTEOF COMPUTER SCIENCE
should raise a high priority alarm as this is probably done by an attacker, while warnings about new user accounts on all computers in a room should raise only a low priority notice, as this is probably a legitimate action done by the IT staff. Lemon Core does not save data, it only processes them in real time. All the Complex Event Processing uses a type library called Lemon Shared. CEP uses strong typing for handling data.
Web service and presentation application A Windows Communication Foundation-based web service, called Zappa, and a pre- sentation application, called Frank2, communicate with CEP through an interface called Lemon Route. Zappa exists so that all the heavy work and data communication is done on server and Frank2 merely displays the results. Zappa can ask CEP for data from database and is able to receive real-time warnings and notifications from Lemon Core. Frank2 is what administrators are supposed to work with from the entire Lemon software. It sports a graphical user interface, presenting data in a human-readable textual and graphical form.
3.2 Monitoring of operating systems
According to the Institute of Computer Science and [24, page 15], it is desired to monitor Windows workstations and servers and about 15 GNU/Linux servers. The Lemon infras- tructure used to be capable of monitoring Windows machines only, Bc. Andrea Cíkovᡠ[24] replaced Windows-only file dispatcher and spooler “WLET” with multiplatform “NamtarRemoting”, and LinMon adds the capability to monitor GNU/Linux machines, thus satisfying the remaining requirements.
3.3 Requirements for monitoring of GNU/Linux machines
3.3.1 Report format Windows machines are already being monitored using the WinMon application. Win- Mon produces reports in a specific format[25]. The Lemon infrastructure consumes and processes these reports. According to [26, page 50, bullet 1], event generator reports must be in an XML format resembling WinMon reports. The exact schema of WinMon reports is unfit for a GNU/Linux monitoring application. For GNU/Linux monitoring application’s reports, a much looser XML schema was proposed by Mgr. Pavel Tuˇcek,describing only the mandatory metadata vital for classi- fying the reports. The rest was advised to be inspired by WinMon report format with platform-specific issues in mind. Appendix A lists the resulting schemas for allthe produced reports.
9 3. SYSTEM MONITORING AT THE INSTITUTEOF COMPUTER SCIENCE
WinMon was developed by Bc. Petr Smˇelý[27].
3.3.2 Scope of monitoring GNU/Linux monitoring application should be on par with WinMon. WinMon monitors the following information[26, page 33]: • antivirus state
• firewall
• network interfaces
• system updates
• users and groups
• operating system logs (EventLog)
• operating system parameters (uptime, installation date, OS version) After debate with Mgr. Pavel Tuˇcek,the following list of monitored areas under GNU/Linux was established: • disk usage
• iptables
• network interfaces
• users
• groups
• recent logins (both physical and remote)
• recent login attempts over ssh (both successful and unsuccessful)
• installed packages
• available package updates
• list of recent reboots and time of last reboot
• list of processes using CPU above a set limit
• information about operating system
• system installation date More on the reports generated by LinMon is in 4.2.5 on page 24.
10 3. SYSTEM MONITORING AT THE INSTITUTEOF COMPUTER SCIENCE
3.3.3 Runtime requirements Institute of Computer Science requires that the GNU/Linux monitoring application (also known as “event generator” in the Lemon infrastructure) is implemented in the C# programming language and runs under Mono runtime [28]. C# is standardized as ISO/IEC 23270:2006 and Common Language Infrastructure is standardized under three additional standards (“ISO/IEC 23270:2006 (CLI), ISO/IEC TR 23272:2006 (CLI, XML Libraries) and ISO ISO/IEC TR 25438:2006 (CLI, Common Generics)”)[29]. Since most of Lemon is programmed in C#, this requirement makes it possible for existing developers of Lemon to embrace and maintain the GNU/Linux event generator with minimum effort and no new developer tools1.
3.3.4 Packaging requirements There were no installation package requirements placed by the Institute of Computer Science. Since the resulting application is one standalone executable, no installation packaging was chosen.
3.4 Suitability of existing applications
None of the known monitoring applications—listed in 2.4 on page 3—is implemented in C# language. This poses a substantial problem in picking an existing monitoring application. Either the requirements would have to be lifted by the Institute of Computer Science, or a complete rewrite into C# would have to be done, in order to pick and re-use an existing monitoring application. If the programming language problem is ignored, there are other aspects to evaluate. Monitoring of the desired areas is only a minor hurdle. The monitored areas can be added by means of writing appropriate plug-ins for several existing monitoring applications, notably Collectd, Munin and Xymon. However, a substantial effort must have been made to adapt output reports to the desired format, had an existing application been used. The very same problem had been analyzed by the creator of WinMon, Petr Smˇelý,in his bachelor thesis. His chosen solution of the problem was to build a new monitoring application from scratch [27, page 6]. Institute of Computer Science placed such—relatively strict—requirements, so that no existing monitoring application could have been used. Developing a new monitoring application in exact accordance with the requirements turned out to be the most effective approach. LinMon is made in such a modular way that it is possible to create a LinMon module reading data from another monitoring application, although there was no need to do this yet. More on the architecture of LinMon is in the following chapter.
1. The standardized Common Language Infrastructure makes it possible for an executable compiled with, say, Microsoft .Net compiler to run under, say, GNU/Linux with Mono runtime.
11 4 Implementation of GNU/Linux monitoring application
As described in the last chapter 3.3 on page 9, there was a vision how the monitoring application should be made and what it should do. The next logical step was to establish goals—these are described in the following section of this chapter, “Chosen goals”. In the rest of this chapter is described how the goals were met, while designing and developing the application.
4.1 Chosen goals1
There are multiple goals in several categories. Where the application runs, what kind of programming is used, how the application is configured, which areas are monitored and what types of reports are produced.
4.1.1 Operating system and programming language As described in 3.3.3 on the previous page, ICS wanted a C# application running under GNU/Linux using the Mono framework, built from scratch. Considering the reasons mentioned in 3.4 on the preceding page, this hasn’t changed and was set as a goal. It was also set as a goal that the application is modular. It is possible to easily add a new class for monitoring of a new area, without changing anything outside the new class except one line to register the new class. More about this is in 4.2.1 on page 21.
4.1.2 Configuration WinMon can be configured using a Windows group policy or a local settings file. Local settings file is used only if group policy is not set. If neither of them is available, default settings are used. WinMon checks for changes in settings and reflects them. Configuration of WinMon is discussed in [27, page 19]. Since there is no way to use group policies on GNU/Linux machines the way it is used on Windows machines, the GNU/Linux monitoring application is able to use an “alternative” settings file instead of the group policies. If no “alternative” settings fileis found, values from the local one, located in /etc/linmon/, are used. If no local settings file in /etc/linmon/ is found, a new one is created, containing default values. Location of the “alternative” settings file is specified in the local settings2 file . Unless configured
1. In order to refrain from excessive use of “should” word, present simple tense is used in this chapter. Because all the goals were eventually met, the use of present simple tense is not in conflict with reality. 2. This way, an alternative settings file location can be specified once when deploying LinMon—pointing to a network share, for instance. It is then possible to change settings for multiple clients anytime by editing the settings file on the network share. Setting the alternative settings file location permanently in the source code would result in the need to recompile LinMon for different kinds of uses, so the location is configurable in the standard settings file.
12 4. IMPLEMENTATION OF GNU/LINUXMONITORINGAPPLICATION
differently in the “alternative” settings file, everything the monitoring application saves and all settings and state information it reads are located in /etc/linmon/.
4.1.3 Types of reports The GNU/Linux event generator produces two kinds of reports—differential reports and daily full reports. The daily full reports are produced once a day and contain all information from all monitored areas. The differential reports are produced only when a change occurs and generally contain only the changed information.
4.1.4 Monitored areas It has been specified what is monitored and how exactly each area is monitored. The list of monitored areas was first mentioned in 3.3.2 on page 10. The way how exactly iseach area monitored is described in the following subsubsections.
Disk usage df utility is used. The output is structured into items, each describing one mounted filesystem and each containing subitems with information about total size, used space, available space, used space in percents and mountpoint path. Changes in disk usage are reported using only the information that changed, thus not reporting the information that did not change.
Iptables iptables is a GNU/Linux application that facilitates setting up the firewall in Linux kernel. There are three ways to export iptables configuration: 1. iptables -L -n 2. iptables-save, 3. iptables-save|iptables-xml The output generated by each one is quite distinct from the others and suitable for different uses. Sample output of iptables -L -n command:
1 Chain INPUT ( policy DROP) 2 target protoptsource destination 3 ACCEPT tcp −− 194.145.181.170 0.0.0.0/0 tcp flags:!0x17/0x02 4 ACCEPT udp −− 194.145.181.170 0.0.0.0/0 5 ACCEPT tcp −− 194.145.181.158 0.0.0.0/0 tcp flags:!0x17/0x02 6 ACCEPT udp −− 194.145.181.158 0.0.0.0/0 7 ACCEPT a l l −− 0.0.0.0/0 0.0.0.0/0 8 ACCEPT icmp −− 0.0.0.0/0 0.0.0.0/0 limit: avg10/sec burst5 9 DROP a l l −− 0.0.0.0/0 255.255.255.255 10 DROP a l l −− 0.0.0.0/0 10.0.2.255 11 DROP a l l −− 224.0.0.0/8 0.0.0.0/0
13 4. IMPLEMENTATION OF GNU/LINUXMONITORINGAPPLICATION
...
63 Chain OUTBOUND (1 references ) 64 target protoptsource destination 65 ACCEPT icmp −− 0.0.0.0/0 0.0.0.0/0 66 ACCEPT tcp −− 0 . 0 . 0 . 0 / 0 0 . 0 . 0 . 0 / 0 s t a t e RELATED, ESTABLISHED 67 ACCEPT udp −− 0 . 0 . 0 . 0 / 0 0 . 0 . 0 . 0 / 0 s t a t e RELATED, ESTABLISHED 68 ACCEPT a l l −− 0.0.0.0/0 0.0.0.0/0 Sample output of iptables-save command:
1 # Generated by iptables −save v1.4.4 on Thu May 3 15:52:39 2012 2 ∗mangle 3 :PREROUTING ACCEPT [ 0 : 0 ] 4 : INPUT ACCEPT [ 0 : 0 ] 5 :FORWARD ACCEPT [ 0 : 0 ] 6 :OUTPUT ACCEPT [ 0 : 0 ] 7 :POSTROUTING ACCEPT [ 0 : 0 ] 8 COMMIT 9 # Completed on Thu May 3 15:52:39 2012 10 # Generated by iptables −save v1.4.4 on Thu May 3 15:52:39 2012 11 ∗ f i l t e r 12 : INPUT DROP [ 0 : 0 ] 13 :FORWARD DROP [ 0 : 0 ] 14 :OUTPUT DROP [ 0 : 0 ] 15 :INBOUND − [ 0 : 0 ] 16 : LOG_FILTER − [ 0 : 0 ] 17 :LSI − [ 0 : 0 ] 18 : LSO − [ 0 : 0 ] 19 :OUTBOUND − [ 0 : 0 ] 20 −A INPUT −s 194.145.181.170/32 −p tcp −m tcp ! −−tcp−f l a g s FIN , SYN, RST ,ACK SYN −j ACCEPT ...
70 −A OUTBOUND −p udp −m s t a t e −−s t a t e RELATED, ESTABLISHED −j ACCEPT 71 −A OUTBOUND −j ACCEPT 72 COMMIT 73 # Completed on Thu May 3 15:52:39 2012 Sample output of iptables-save|iptables-xml command: (this is the previous command run and piped into iptables-xml application, which formats the data to an XML file)
1 < i p t a b l e s −r u l e s version=" 1 . 0 "> 2 < !−− # Generated by iptables ∗−save v1.4.4 on Thu May 3 15:52:48 2012 −−> 3