
Level Verified

Linux Monitor - Firewall Script

Created by

Level

Type

Script

Category

Security

Platforms
Linux

Problem Overview

Firewalls are crucial for blocking unauthorized access and potential attacks, but they can be deactivated or misconfigured without notice. This script helps IT Professionals and MSPs verify that at least one firewall solution is actively configured, reducing the risk of security gaps going unnoticed.

Description

The script checks the status of three common Linux firewall solutions, UFW, iptables and nftables, to confirm whether any of them is enabled and has rules loaded. If it finds no active configuration, it flags the issue by exiting with status 1, so the monitor can alert and you can take timely corrective action.

By integrating this script into a script-based monitor in Level, you can immediately detect disabled or missing firewalls. You can also schedule it through an Automation in Level to run at regular intervals for ongoing verification of your system's security posture.

Script

#!/bin/bash

# This resource is provided as a convenience for Level users. We cannot
# guarantee it will work in all environments. Please test before deploying
# to your production environment. We welcome contributions to our community
# library

# Level Library
# https://level.io/library/script-linux-monitor-firewall

# Initialize a flag to track if any firewall is active or configured
FIREWALL_ACTIVE=0

# ufw status, iptables and nft all need root to read the live ruleset.
# Without it every check below would quietly report "not configured",
# so fail loudly instead of producing a misleading result.
if [ "$(id -u)" -ne 0 ]; then
  echo "ERROR: this script must run as root to inspect firewall state."
  exit 1
fi

# Function to check UFW status
check_ufw() {
  if command -v ufw >/dev/null 2>&1; then
    echo "Checking UFW..."
    STATUS=$(ufw status 2>&1)
    if [[ "$STATUS" == *"Status: active"* ]]; then
      echo "UFW is ENABLED."
      FIREWALL_ACTIVE=1
    else
      echo "UFW is DISABLED or not configured."
    fi
  fi
}

# Function to check iptables status
check_iptables() {
  if command -v iptables >/dev/null 2>&1; then
    echo "Checking iptables..."
    # "iptables -S" prints one rule-spec per line: "-P CHAIN POLICY" for
    # each built-in chain and "-A CHAIN ..." for each rule. Counting "-A"
    # lines replaces the fragile "more than 8 lines of iptables -L" guess
    # (and avoids the slow reverse DNS lookups -L performs without -n).
    # A DROP default policy is a firewall even with zero rules.
    # Note: Docker, libvirt and similar tools add their own rules, so a
    # non-zero count does not prove an administrator-managed policy exists.
    SPEC=$(iptables -S 2>/dev/null)
    IPT_RULES=$(printf '%s\n' "$SPEC" | grep -c '^-A ')
    IPT_DROPS=$(printf '%s\n' "$SPEC" | grep -Ec '^-P [^ ]+ DROP$')
    if [ "$IPT_RULES" -gt 0 ] || [ "$IPT_DROPS" -gt 0 ]; then
      echo "iptables has $IPT_RULES rule(s) and $IPT_DROPS DROP default policy(ies) (may be ENABLED)."
      FIREWALL_ACTIVE=1
    else
      echo "iptables has no rules and only ACCEPT default policies (may be DISABLED or not configured)."
    fi
  fi
}

# Function to check nftables status
check_nftables() {
  if command -v nft >/dev/null 2>&1; then
    echo "Checking nftables..."
    # "nft list tables" is non-empty on any host using the nf_tables backend
    # (iptables-nft, firewalld, newer ufw) even when every chain is empty
    # with an accept policy, so counting tables gives false positives.
    # Walk "nft list ruleset" instead: count rule lines inside chains, and
    # base chains whose default policy is drop.
    NFT_COUNTS=$(nft list ruleset 2>/dev/null | awk '
      /^[[:space:]]*chain /                      { inchain = 1; next }
      /^[[:space:]]*}/                           { inchain = 0; next }
      inchain && /policy drop;/                  { drops++ }
      inchain && !/^[[:space:]]*type / && NF > 0 { rules++ }
      END { print rules + 0, drops + 0 }')
    NFT_RULES=${NFT_COUNTS% *}
    NFT_DROPS=${NFT_COUNTS#* }
    if [ "$NFT_RULES" -gt 0 ] || [ "$NFT_DROPS" -gt 0 ]; then
      echo "nftables has $NFT_RULES rule(s) and $NFT_DROPS drop-policy chain(s) (may be ENABLED)."
      FIREWALL_ACTIVE=1
    else
      echo "nftables has no rules and no drop-policy chains (may be DISABLED or not configured)."
    fi
  fi
}

# Run the firewall checks
echo "Checking firewall status..."
check_ufw
check_iptables
check_nftables

# If no firewall is active or configured, report an error and exit with 1
if [ "$FIREWALL_ACTIVE" -eq 0 ]; then
  echo "ERROR: No active or configured firewall detected."
  exit 1
else
  echo "SUCCESS: An active or configured firewall is detected."
  exit 0
fi


Use Cases

  • Monitoring firewall status across multiple Linux servers
  • Verifying that at least one firewall solution remains active after system updates
  • Ensuring consistent security standards in regulated environments
  • Proactively checking for accidental or malicious firewall changes

Recommendations

  • Test in a controlled environment before deploying broadly
  • Use a script-based monitor in Level to trigger alerts for any missing firewall
  • Set up a recurring schedule via an Automation in Level for ongoing verification
  • Keep a single front-end (UFW or firewalld) per host: both generate iptables or nftables rules underneath, so two front-ends rewrite the same chains, and legacy iptables rules mixed with native nftables tables are evaluated by two separate engines that cannot see each other's rules
  • Alert on exit status 1 rather than grepping for text; the per-check lines in the output tell you which of UFW, iptables and nftables were inspected and why the result was reached
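The coexistence point above is easier to act on with a concrete check. The following is an added example, not code from the Level library script or from Level: it classifies the firewall stack from the output of `iptables -V` (which prints the backend in parentheses, `(nf_tables)` or `(legacy)`), `systemctl is-enabled`, `iptables -S` and `nft list tables`, and flags two set-ups that need attention. The function names (iptables_backend, enabled_frontends, stack_verdict, gather_live), the verdict wording and the sample inputs are assumptions made for the example.

```bash
#!/bin/bash
# Added example, not part of the Level library script: classify how the
# firewall layers on a host fit together so a monitor can flag a
# conflicting set-up, not just "some firewall exists".
# Every function takes command output as text, so the constructed samples
# at the bottom exercise the logic without root; gather_live shows which
# commands feed it on a real host. Function names are hypothetical.

# "iptables -V" prints e.g. "iptables v1.8.7 (nf_tables)" or
# "iptables v1.8.4 (legacy)"; the parenthesised word is the backend.
iptables_backend() {
  case "$1" in
    *"(nf_tables)"*) echo nf_tables ;;
    *"(legacy)"*)    echo legacy ;;
    *)               echo unknown ;;
  esac
}

# Input: one "unit state" line per front-end service, e.g. "ufw enabled",
# as produced by "systemctl is-enabled". Output: count of enabled units.
enabled_frontends() {
  printf '%s\n' "$1" | awk '$2 == "enabled" { n++ } END { print n + 0 }'
}

# Verdict on the stack. Returns 0 when coherent, 1 when an administrator
# should intervene. Arguments: backend, enabled front-end count, number of
# "-A" lines in "iptables -S", number of lines in "nft list tables".
stack_verdict() {
  backend=$1
  frontends=$2
  ipt_rules=$3
  nft_tables=$4
  if [ "$frontends" -gt 1 ]; then
    echo "CONFLICT: $frontends front-ends enabled; ufw and firewalld rewrite the same chains, keep one."
    return 1
  fi
  if [ "$backend" = legacy ] && [ "$ipt_rules" -gt 0 ] && [ "$nft_tables" -gt 0 ]; then
    echo "CONFLICT: legacy iptables rules and native nftables tables coexist; both engines evaluate every packet and neither tool shows the other's rules."
    return 1
  fi
  # With the nf_tables backend, "table ip filter" in nft is iptables-nft's
  # own storage, not a second firewall, so that combination is fine.
  echo "OK: backend=$backend front-ends=$frontends iptables_rules=$ipt_rules nft_tables=$nft_tables"
  return 0
}

# Live collection (needs root); not run by default.
gather_live() {
  units=$(for u in ufw firewalld; do
            echo "$u $(systemctl is-enabled "$u" 2>/dev/null)"
          done)
  stack_verdict "$(iptables_backend "$(iptables -V 2>/dev/null)")" \
                "$(enabled_frontends "$units")" \
                "$(iptables -S 2>/dev/null | grep -c '^-A ')" \
                "$(nft list tables 2>/dev/null | wc -l)"
}

# Constructed samples standing in for "systemctl is-enabled" output.
UNITS_ONE="ufw enabled
firewalld disabled"
UNITS_BOTH="ufw enabled
firewalld enabled"

show() {  # run a verdict and print its exit status without aborting
  rc=0
  stack_verdict "$@" || rc=$?
  echo "exit status: $rc"
}

echo "--- Ubuntu-style host: ufw over iptables-nft"
show "$(iptables_backend 'iptables v1.8.7 (nf_tables)')" "$(enabled_frontends "$UNITS_ONE")" 12 1
echo "--- ufw and firewalld both enabled"
show nf_tables "$(enabled_frontends "$UNITS_BOTH")" 12 1
echo "--- legacy iptables rules next to a native nft ruleset"
show "$(iptables_backend 'iptables v1.8.4 (legacy)')" 0 12 1
```

Run it as root and call gather_live to evaluate a real host; the three show calls at the bottom exercise the verdict on the constructed inputs so the logic can be tried anywhere. The nf_tables case is deliberately not a conflict: on a host using iptables-nft, the `table ip filter` that `nft list tables` shows is where iptables stores its own rules, so a non-empty table list next to iptables rules is normal there and only the legacy backend combined with native nft tables means two rule engines are running.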

FAQ

  • How do I run this script in Level?
    Import it into Level and assign it to a script-based monitor or an Automation schedule. Keep the default Run As of Local system (root on Linux): ufw status, iptables and nft all need root to read the live ruleset, and without it every check reports no firewall.
  • Will this script enable a disabled firewall?
    No. It only checks the status of UFW, iptables, or nftables. Enabling firewall rules must be handled manually or with a separate remediation script.
  • What if my distribution doesn’t use any of these firewalls?
    The script exits with status 1 and reports no active firewall, prompting you to install or configure a suitable firewall tool. firewalld (common on RHEL-family systems) is not checked by name, but it stores its rules in nftables or iptables, so the nftables or iptables check picks them up.
  • Can multiple firewalls run simultaneously?
    It is best to run one front-end (UFW or firewalld) per host. Both are layers over the kernel packet filter and emit iptables or nftables rules, so two front-ends rewrite the same chains and overwrite each other's changes. Coexistence works only where one tool owns the rules and the others are purely read-only, such as this script inspecting what the front-end has loaded.
  • Does this script replace the need for manual firewall checks?
    It automates routine checks, but you should still review firewall rules and configurations periodically to maintain best security practices.

Included with this Script:

Below is a list of what you can expect to find when importing this Script.

Script details:

The following data and settings will be imported with your script.

Script Name

Linux Monitor - Firewall

Description

This script checks whether UFW, iptables or nftables is installed with an active configuration, and exits with status 1 if none is found, alerting when the host has no firewall in place.

Language

Bash

Timeout (In Seconds)

100

Run As

Local system
