softer/iptables_exporter

iptables_exporter

Prometheus exporter for iptables and ip6tables rule counts.

It reports how many rules each chain and table holds, so you can track firewall configuration over time and alert on unexpected changes or mass rule additions. Note that these are counts of rules, not the per-rule packet and byte counters that iptables keeps.

Features

  • Scrapes both IPv4 (iptables) and IPv6 (ip6tables).
  • Collects metrics from multiple tables (filter, nat, mangle, etc.).
  • Reports rule counts per chain and total counts per table.
  • Includes scrape success and duration metrics.
  • Built-in Go and process metrics.

Metrics

| Metric name | Type | Labels | Description |
|---|---|---|---|
| iptables_rules | Gauge | family, table, chain | Number of rules in a specific chain. |
| iptables_rules_action | Gauge | family, table, chain, action | Number of rules in a specific chain, broken down by action (target). |
| iptables_rules_table | Gauge | family, table | Total number of rules in a table. |
| iptables_scrape_success | Gauge | family | 1 if the last scrape succeeded, 0 otherwise. |
| iptables_scrape_duration_seconds | Gauge | family | Duration of the last scrape in seconds. |
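To make the metric semantics concrete, here is an added example (not the exporter's own code) that derives the three rule-count metrics from an iptables-save dump, keyed the way the table above labels them, and rejects any line it does not understand rather than silently under-counting. It assumes the exporter counts `-A` lines per chain, takes the action from the `-j`/`-g` target and reports rule-less chains as 0; the map keying, the "none" action for a rule without a target, and the dump itself are constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// RuleCounts holds what one iptables-save dump yields, keyed like the
// exporter's labels: "table/chain" (iptables_rules), "table/chain/action"
// (iptables_rules_action) and "table" (iptables_rules_table). The keying and
// the "none" action for a rule without -j/-g are assumptions of this example.
type RuleCounts struct {
	PerChain  map[string]int
	PerAction map[string]int
	PerTable  map[string]int
}

// ParseSave derives rule counts from iptables-save or ip6tables-save output.
// Declared chains with no rules are reported as 0, so a flushed chain still
// shows up, and any line that is not a comment, *table, :chain, -A rule or
// COMMIT is an error: a parser that skips lines silently under-counts rules.
func ParseSave(dump string) (RuleCounts, error) {
	rc := RuleCounts{PerChain: map[string]int{}, PerAction: map[string]int{}, PerTable: map[string]int{}}
	table := ""
	sc := bufio.NewScanner(strings.NewReader(dump))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || strings.HasPrefix(line, "#"):
			continue
		case strings.HasPrefix(line, "*"):
			table = line[1:]
			rc.PerTable[table] += 0 // register the table even if it has no rules
		case line == "COMMIT":
			table = ""
		case table == "":
			return rc, fmt.Errorf("line %d: %q outside a *table block", n, line)
		case strings.HasPrefix(line, ":"):
			// ":INPUT DROP [0:0]" declares a chain with its policy and counters.
			f := strings.Fields(line[1:])
			if len(f) == 0 {
				return rc, fmt.Errorf("line %d: empty chain declaration", n)
			}
			rc.PerChain[table+"/"+f[0]] += 0
		case strings.HasPrefix(line, "-A "):
			f := strings.Fields(line)
			chain, action := f[1], "none"
			for i := 2; i+1 < len(f); i++ {
				if f[i] == "-j" || f[i] == "-g" { // jump or goto target
					action = f[i+1]
				}
			}
			rc.PerChain[table+"/"+chain]++
			rc.PerAction[table+"/"+chain+"/"+action]++
			rc.PerTable[table]++
		default:
			return rc, fmt.Errorf("line %d: unrecognised line %q", n, line)
		}
	}
	if table != "" {
		return rc, fmt.Errorf("table %q not terminated by COMMIT", table)
	}
	return rc, sc.Err()
}

// sampleDump is a constructed iptables-save dump, not output captured from a host.
const sampleDump = `# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:SSH_GUARD - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j SSH_GUARD
-A INPUT -p tcp --dport 9105 -s 10.0.0.5/32 -j ACCEPT
-A INPUT -j DROP
-A SSH_GUARD -m recent --name ssh --set
-A SSH_GUARD -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP
-A SSH_GUARD -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
`

func main() {
	rc, err := ParseSave(sampleDump)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for k, v := range rc.PerChain { // one iptables_rules sample per chain
		tc := strings.SplitN(k, "/", 2)
		fmt.Printf("iptables_rules{family=\"ipv4\",table=%q,chain=%q} %d\n", tc[0], tc[1], v)
	}
}
```

Two details matter for a security monitor: the empty FORWARD chain is still emitted with value 0, so a chain that someone flushed does not simply vanish from the series, and a rule with no target (the `--set` rule above) is still counted, so the per-chain total always equals the sum over actions.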

Requirements

  • Permissions: The exporter must run as root, or as an unprivileged user granted the CAP_NET_ADMIN and CAP_NET_RAW capabilities, because iptables-save needs them to read the tables.
  • System: Linux with iptables-save and/or ip6tables-save binaries installed in the PATH.
  • Build: Go 1.23+ (if building from source).
  • License: MIT.

Installation

Build from source

Use the provided Makefile:

make build

The binary will be placed in ./bin/iptables_exporter.

If you don't have Go installed locally, the Makefile will attempt to build using Docker automatically.

Manual build

CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o iptables_exporter .

Systemd service installation

You can install the exporter using the provided Makefile:

  1. Build and install the binary:
    sudo make install
  2. Install the systemd service:
    sudo make install-service
  3. Reload systemd and start the service:
    sudo systemctl daemon-reload
    sudo systemctl enable --now iptables_exporter

To uninstall:

sudo make uninstall
sudo systemctl daemon-reload

Manual installation (alternative)

  1. Build the binary.
  2. Copy the binary to /usr/local/bin/:
    sudo cp bin/iptables_exporter /usr/local/bin/
  3. Copy the unit file to /etc/systemd/system/:
    sudo cp iptables_exporter.service /etc/systemd/system/
  4. Reload systemd and start the service:
    sudo systemctl daemon-reload
    sudo systemctl enable --now iptables_exporter
  5. Check status:
    sudo systemctl status iptables_exporter
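Whichever installation path you use, the exporter runs with whatever privilege the unit grants it. To meet the permissions requirement without a root process, a systemd drop-in like the following keeps only the two capabilities iptables-save needs and sandboxes the rest. This is an added example, not the project's own unit file, and the drop-in path is assumed:

```ini
# /etc/systemd/system/iptables_exporter.service.d/hardening.conf (assumed path;
# example drop-in, not the project's unit file)
[Service]
# Run as a transient unprivileged user; keep only what iptables-save needs.
DynamicUser=yes
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
NoNewPrivileges=yes
# iptables-legacy reads tables over AF_INET/AF_INET6 raw sockets,
# iptables-nft over netlink; the HTTP listener needs AF_INET/AF_INET6.
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
LockPersonality=yes
SystemCallArchitectures=native
```

After `sudo systemctl daemon-reload` and a restart, `grep CapEff /proc/$(pidof iptables_exporter)/status` should read 0000000000003000 (bits 12 and 13, CAP_NET_ADMIN and CAP_NET_RAW) and `systemctl status iptables_exporter` should show the dynamic user rather than root. One caveat: with ProtectKernelModules=yes the iptables tools cannot autoload a table's kernel module, so if a table listed in -tables is not loaded on the host that scrape fails and the exporter reports it through iptables_scrape_success; restrict -tables to the tables the host actually uses, or load the modules at boot.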

Usage

sudo ./bin/iptables_exporter [flags]

Configuration Flags

The exporter can be configured via command-line flags or environment variables; flags take precedence over environment variables. Note that the default listen address :9105 binds every interface, and the metrics reveal your chain names, targets and rule counts, so bind to a loopback or management address (for example -listen 127.0.0.1:9105) or restrict the port with a firewall rule of its own.

| Flag | Environment variable | Default | Description |
|---|---|---|---|
| -listen | LISTEN_ADDRESS | :9105 | Address to listen on for the web interface and telemetry. |
| -metrics-path | METRICS_PATH | /metrics | Path under which to expose metrics. |
| -ipv6 | ENABLE_IPV6 | true | Also collect ip6tables metrics. |
| -tables | TABLES | filter,nat,mangle,raw,security | Comma-separated list of tables to scrape. |
| -timeout | TIMEOUT | 2s | Timeout per iptables command execution. |

Example

Running the exporter with custom tables:

sudo ./iptables_exporter -tables "filter,nat" -listen ":9105"

Then check the metrics:

curl http://localhost:9105/metrics
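Scraping the metrics is only useful if something acts on them. The following Prometheus alerting rules are an added example, not rules shipped with the project: the thresholds, windows and the excluded chain pattern are assumptions to tune per fleet, and the instance label is attached by Prometheus at scrape time.

```yaml
# Example alerting rules for iptables_exporter metrics (added here; not part
# of the project). Thresholds, windows and the f2b-.* exclusion are assumptions.
groups:
  - name: iptables_exporter
    rules:
      # iptables-save could not be run (binary missing, capability missing,
      # timeout): a monitoring gap, not a clean firewall, so alert on it first.
      - alert: IptablesScrapeFailing
        expr: iptables_scrape_success == 0
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "iptables scrape failing on {{ $labels.instance }} ({{ $labels.family }})"

      # Any change in a chain's rule count over 15 minutes. Chains that churn
      # legitimately (here an assumed fail2ban naming scheme) are excluded.
      - alert: IptablesChainRulesChanged
        expr: changes(iptables_rules{chain!~"f2b-.*"}[15m]) > 0
        labels:
          severity: info
        annotations:
          summary: "rule count of {{ $labels.table }}/{{ $labels.chain }} changed on {{ $labels.instance }}"

      # Mass addition: more than 50 rules added to one table within 10 minutes.
      - alert: IptablesMassRuleAddition
        expr: delta(iptables_rules_table[10m]) > 50
        labels:
          severity: critical
        annotations:
          summary: "{{ $value }} rules added to table {{ $labels.table }} on {{ $labels.instance }}"

      # A table that had rules now has none: a flush. With a default-DROP
      # policy that is a lock-out; with default-ACCEPT it is full exposure.
      - alert: IptablesTableFlushed
        expr: iptables_rules_table == 0 and iptables_rules_table offset 10m > 0
        labels:
          severity: critical
        annotations:
          summary: "table {{ $labels.table }} on {{ $labels.instance }} has no rules left"
```

The first rule is the one to keep even if you drop the others: a scrape that fails because the exporter lost its capabilities or timed out looks, without it, exactly like a firewall that never changes.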

Health check

A simple health check is available at /healthz.
