Linux Training

Linux training for private, public & voluntary sector.

0793 572 8612

City LinUX sample scripts - chkfw


chkfw - check (and correct) running iptables firewall configurations on a remote host.


chkfw [[ -C ] [ -cc <email_address> ] [ -d ] [ -l ] [ -m <#max_wait> ] [ -n ] [ -p <#,#...> ] [ -l ] [ -T ] [ -u | -U ] [ -v ]] | <hostname> | -V


chkfw is a Bourne shell script which should work equally well on all versions of UNIX, Linux and Mac OS X.


chkfw checks running firewalls against a known template on the administration server. If the running firewall's configuration has deviated from the known configuration, chkfw will attempt to restore the firewall to the approved configuration, provided that the local firewall configuration and boot files are identical to those on the administration box and that the plesk configured firewall (if any) has not been activated.

Urgent alerts are sent by email and optionally by SMS text message (see -T option below).

Additionally ports which are expected to be open may be checked if enumerated on the command line.


-C    Check and report on status of firewall and enumerated ports only. Do not change running configuration.

-cc <email_address>
Send copies of warnings and alerts to email_address

-d    Start in debug mode. chkfw. A message will also be emailed to the address set as email_rcpt with copies to email_address if set with the -cc option.

--force-restore This option should only be used with extreme caution. The firewall will be restarted with the configuration on the remote host as found in /etc/sysconfig/iptables and /etc/sysconfig/iptables-config, even if these differ from the canonical files stored on the administration server.

-l    Use the syslog facility to log the check and any alerts generated.

-m # <maxi_wait> Set the maximum time (in minutes) to wait for the ports to become available.

-p # [, # [, # ]....] Enumerated ports to be scanned with nmap.

-T    When raising alerts additionally send text messages to the recipient specified with the variable $txt. The mechanism employed is an email to SMS gateway so $txt is a suitable email address.

-u    Update the firewall tables and firewall configuration file to synchronise the administration server with the target host only. chkfw will compare the output of "iptables -nL" with a template kept on the administration server and if they differ will archive the existing template and update the template with a copy of the output from the target host. The firewall configuration file will similarly be updated. This is to facilitate making changes on the target host and then synchronising the records on the administration server. NB The source file for reconfiguring the target host iptables is not at present changed by using -u    option.

-U    With the -U    option the source firewall boot file will be updated from the remote firewall boot file ( /etc/sysconfig/iptables by default) in addition to the template and configuration file as with the -u    option above. It is an error to combine -u    and -U    on the command line.

-v    Set verbose mode. Ordinarily chkfw operates silently unless problems are detected. In verbose mode chkfw reports on each significant action.

-V    Print version details and exit.


chkfw -m 30 -p 21,22 -v hostname

Check the running iptables firewall on hostname. Use nmap to ensure that the ports 21 and 22 are open. Run in verbose mode.


<hostname>:/etc/sysconfig/iptables, <hostname>:/etc/sysconfig/iptables-config, /usr/local/etc/<hostname>.d/fw.


The script is quite crude having been developed to address problems experienced by City Linux clients running on CentOS servers at 1and1. It does depend on very specific file and remote access permissions. Particularly it expects that where root permission is required sudo will be used. With judicious use of the debug and verbose modes, permission and configuration problems should be relatively easy to resolve.

The check on ftp transfer rates has been recently removed.


chkdf, chkftpd, chkmail, chkup, clean, secscan.


Clifford W Fulford, City Linux. Contact or +44 (0)709 229 5385. $Id:,v 1.60 2016/11/12 09:37:19 fulford Exp fulford $

The layout and associated style sheets for this page are taken from the World Wide Web Consortium and used here under the W3C software licence.