From e7311a39638acee39055b9b47c219b5ad02541bc Mon Sep 17 00:00:00 2001 From: Christoph Date: Tue, 5 Nov 2024 17:21:05 +0100 Subject: [PATCH] Add Prometheus Service --- conf/default_settings.conf | 4 ++++ conf/main_ipv4.conf.sample | 31 ++++++++++++++++++++++++++++++ conf/main_ipv6.conf.sample | 31 ++++++++++++++++++++++++++++++ conf/post_decalrations.conf | 25 ++++++++++++++++++++++-- ip6t-firewall-server | 38 +++++++++++++++++++++++++++++++++++-- ipt-firewall-server | 38 +++++++++++++++++++++++++++++++++++-- 6 files changed, 161 insertions(+), 6 deletions(-) diff --git a/conf/default_settings.conf b/conf/default_settings.conf index bb1039f..4f107f1 100644 --- a/conf/default_settings.conf +++ b/conf/default_settings.conf @@ -46,6 +46,10 @@ standard_wireguard_port=51820 standard_whois_port=43 standard_xymon_port=1984 +# - Prometheus services +# - +standard_prometheus_ports="9100,9256" + # - Mattermost (MM) Service # - stansard_mattermost_udp_ports_in="8443" diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample index af124be..27d45d9 100644 --- a/conf/main_ipv4.conf.sample +++ b/conf/main_ipv4.conf.sample @@ -508,6 +508,37 @@ nc_turn_udp_ports="$standard_turn_service_udp_ports" # - tftp_server_ips="" + +# - Prometheus Monitoring - local Server +# - +# - blank separated list of IPv4 addresses +# - +prometheus_local_server_ips="" + +# - (Remote) prometheus ports +# - +# - !! comma separated list of ports +# - +prometheus_remote_client_ports="$standard_prometheus_ports" + + +# - Prometheus Monitoring - local Client +# - +# - blank separated list of IPv4 addresses +# - +prometheus_local_client_ips="" + +# - Local prometheus ports +# - +# - !! comma separated list of ports +# - +prometheus_local_client_ports="$standard_prometheus_ports" + +# - blank separated list of IPv4 addresses +# - +prometheus_remote_server_ips="" + + # - Munin Server # - munin_server_ips="" 
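Review bot: In the main_ipv4.conf.sample hunk, `prometheus_remote_server_ips` is introduced at the end of the "Prometheus Monitoring - local Client" section with only a "blank separated list of IPv4 addresses" comment, so a reader cannot tell that it lists the remote Prometheus servers that are allowed to reach the local client. Give it its own heading in the style of the other sections, e.g. `# - Prometheus Monitoring - remote Server(s) allowed to scrape the local client`. The same applies to the main_ipv6.conf.sample hunk. It would also help to state in the comments for the two port lists which side each applies to (ports opened on the local client versus ports the local server connects out to), since both default to the same `$standard_prometheus_ports` and the names `prometheus_remote_client_ports` / `prometheus_local_client_ports` read almost alike.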
diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample index 759550e..1470ce8 100644 --- a/conf/main_ipv6.conf.sample +++ b/conf/main_ipv6.conf.sample @@ -527,6 +527,37 @@ nc_turn_udp_ports="$standard_turn_service_udp_ports" # - tftp_server_ips="" + +# - Prometheus Monitoring - local Server +# - +# - blank separated list of IPv6 addresses +# - +prometheus_local_server_ips="" + +# - (Remote) prometheus ports +# - +# - !! comma separated list of ports +# - +prometheus_remote_client_ports="$standard_prometheus_ports" + + +# - Prometheus Monitoring - local Client +# - +# - blank separated list of IPv6 addresses +# - +prometheus_local_client_ips="" + +# - Local prometheus ports +# - +# - !! comma separated list of ports +# - +prometheus_local_client_ports="$standard_prometheus_ports" + +# - blank separated list of IPv6 addresses +# - +prometheus_remote_server_ips="" + + # - Munin Server # - munin_server_ips="" diff --git a/conf/post_decalrations.conf b/conf/post_decalrations.conf index 935adbd..7de53af 100644 --- a/conf/post_decalrations.conf +++ b/conf/post_decalrations.conf @@ -366,8 +366,8 @@ done # - (local) Dovecot auth service # --- declare -a dovecot_auth_allowed_network_arr -for _port in $dovecot_auth_allowed_networks ; do - dovecot_auth_allowed_network_arr+=("$_port") +for _ip in $dovecot_auth_allowed_networks ; do + dovecot_auth_allowed_network_arr+=("$_ip") done # --- 
@@ -440,6 +440,27 @@ for _ip in $tel_sys_ips ; do tel_sys_ip_arr+=("$_ip") done +# --- +# - Prometheus Monitoring - local Server +# --- +declare -a prometheus_local_server_ip_arr +for _ip in $prometheus_local_server_ips ; do + prometheus_local_server_ip_arr+=("$_ip") +done + +# --- +# - Prometheus Monitoring - local Client +# --- +declare -a prometheus_local_client_ip_arr +for _ip in $prometheus_local_client_ips; do + prometheus_local_client_ip_arr+=("$_ip") +done +declare -a prometheus_remote_server_ip_arr +for _ip in $prometheus_remote_server_ips ; do + prometheus_remote_server_ip_arr+=("$_ip") +done + + # --- # - IP Addresses Munin # --- diff --git a/ip6t-firewall-server b/ip6t-firewall-server index 7440f64..c027ee5 100755 --- a/ip6t-firewall-server +++ b/ip6t-firewall-server @@ -1573,6 +1573,40 @@ done echo_done +# --- +# - Prometheus Monitoring - local Server +# --- + +echononl "\t\tLocal Prometheus Service" + +if [[ ${#prometheus_local_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${prometheus_local_server_ip_arr[@]} ; do + $ip6t -A OUTPUT -p tcp -s $_ip -m multiport --dports $prometheus_remote_client_ports -m state --state NEW -j ACCEPT + done + echo_done +else + echo_skipped +fi + + +# --- +# - Prometheus Monitoring - local client +# --- + +echononl "\t\tLocal Prometheus Client" + +if [[ ${#prometheus_local_client_ip_arr[@]} -gt 0 ]] && [[ ${#prometheus_remote_server_ip_arr[@]} -gt 0 ]]; then + for _ip in ${prometheus_local_client_ip_arr[@]} ; do + for _ip in ${prometheus_remote_server_ip_arr[@]} ; do + $ip6t -A INPUT -p tcp -d $_ip -m multiport --dports $prometheus_local_client_ports -m state --state NEW -j ACCEPT + done + done + echo_done +else + echo_skipped +fi + + # --- # - Munin remote service # --- 
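Review bot: `prometheus_remote_server_ip_arr` is declared directly below the local-client loop without the `# ---` heading that every other array in this file gets, and the client loop is written `$prometheus_local_client_ips; do` while its siblings use ` ; do`. Add `# ---` / `# - Prometheus Monitoring - remote Server` / `# ---` in front of the third `declare -a` and restore the space before `;` so the block matches the surrounding style.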
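Review bot: In the "local client" block of ip6t-firewall-server the inner loop reuses `_ip`, so the value taken from `prometheus_local_client_ip_arr` is overwritten before it is used and the INPUT rule is emitted with `-d <remote server ip>`, which does not match traffic arriving at the local client; the local client address is never applied at all. Use distinct loop variables and put the remote server into the source match: `for _local_ip in ${prometheus_local_client_ip_arr[@]} ; do`, `for _remote_ip in ${prometheus_remote_server_ip_arr[@]} ; do`, `$ip6t -A INPUT -p tcp -s $_remote_ip -d $_local_ip -m multiport --dports $prometheus_local_client_ports -m state --state NEW -j ACCEPT`. The ipt-firewall-server hunk that follows contains the identical nested loop and needs the same change. Separately, the "local server" OUTPUT rule restricts only the source, so the local Prometheus server may open connections to any destination on `$prometheus_remote_client_ports`; if the intent is to scrape a known set of exporters, a destination list like the one the client block already has would narrow that.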
@@ -1603,13 +1637,13 @@ if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] || [[ ${#forward_munin_server_ip_arr[@ if [[ ${#munin_server_ip_arr[@]} -gt 0 ]] ; then for _ip in ${munin_server_ip_arr[@]} ; do - $ip6t -A OUTPUT -p tcp --syn -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT + $ip6t -A OUTPUT -p tcp -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT done fi if [[ ${#forward_munin_server_ip_arr[@]} -gt 0 ]] && $kernel_forward_between_interfaces ; then for _ip in ${forward_munin_server_ip_arr[@]} ; do - $ip6t -A FORWARD -p tcp --syn -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip --dport $munin_remote_port -m state --state NEW -j ACCEPT done fi diff --git a/ipt-firewall-server b/ipt-firewall-server index 3544775..3dcc91e 100755 --- a/ipt-firewall-server +++ b/ipt-firewall-server @@ -1745,6 +1745,40 @@ done echo_done +# --- +# - Prometheus Monitoring - local Server +# --- + +echononl "\t\tLocal Prometheus Service" + +if [[ ${#prometheus_local_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${prometheus_local_server_ip_arr[@]} ; do + $ipt -A OUTPUT -p tcp -s $_ip -m multiport --dports $prometheus_remote_client_ports -m state --state NEW -j ACCEPT + done + echo_done +else + echo_skipped +fi + + +# --- +# - Prometheus Monitoring - local client +# --- + +echononl "\t\tLocal Prometheus Client" + +if [[ ${#prometheus_local_client_ip_arr[@]} -gt 0 ]] && [[ ${#prometheus_remote_server_ip_arr[@]} -gt 0 ]]; then + for _ip in ${prometheus_local_client_ip_arr[@]} ; do + for _ip in ${prometheus_remote_server_ip_arr[@]} ; do + $ipt -A INPUT -p tcp -d $_ip -m multiport --dports $prometheus_local_client_ports -m state --state NEW -j ACCEPT + done + done + echo_done +else + echo_skipped +fi + + # --- # - Munin remote service # --- 
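Review bot: Dropping `--syn` from the Munin OUTPUT and FORWARD rules widens what they accept: `--state NEW` on its own also matches a non-SYN TCP packet for which conntrack has no entry (with the default `nf_conntrack_tcp_loose` setting), whereas `--syn` limited the rule to genuine connection opens. The commit message only mentions adding the Prometheus service and gives no reason for this change, and the original rules already carried the flag, so I would keep `-p tcp --syn` here or explain the removal in the message. The ipt-firewall-server Munin hunk at the end of the patch makes the same change and should be treated the same way.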
@@ -1753,9 +1787,9 @@ echononl "\t\tMunin remote service" if [ "X$munin_remote_ip" != "X" ]; then for _dev in ${ext_if_arr[@]} ; do - $ipt -A INPUT -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT + $ipt -A INPUT -i $_dev -p tcp -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT if $kernel_activate_forwarding ; then - $ipt -A FORWARD -i $_dev -p tcp --syn -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT + $ipt -A FORWARD -i $_dev -p tcp-s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT fi done echo_done
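Review bot: The new FORWARD line has lost the space between the protocol and the source match, `-p tcp-s $munin_remote_ip`, so iptables will reject the rule (`tcp-s` is not a known protocol) and the Munin forward rule is not installed; the INPUT line just above it has the correct spacing. Change it to `$ipt -A FORWARD -i $_dev -p tcp -s $munin_remote_ip --dport $munin_local_port -m state --state NEW -j ACCEPT`. Whether a failed iptables call aborts the script or is silently passed over is not visible in this hunk; the enclosing `if [ "X$munin_remote_ip" != "X" ]` block is fully contained in it.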