Tried to add a CentOS 6.5 server from an old server environment to Icinga 2.
However the connection to NRPE didn't work, although I had added an iptables rule to allow tcp/5666 on the CentOS machine:
[root@centos ~]# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT
On the Icinga server I tried a quick verification with telnet and it failed:
root@icinga:~# telnet centosip 5666
Trying centosip...
telnet: Unable to connect to remote host: No route to host
First I suspected routing or VPN issues (the mentioned old server environment is attached to our enterprise LAN through a VPN tunnel), but tcpdump on the CentOS machine showed the incoming SYN arriving just fine:
[root@centos ~]# tcpdump port 5666
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:49:01.018023 IP icingaip.58437 > centos.5666: Flags [S], seq 1750895406, win 29200, options [mss 1368,sackOK,TS val 1991589648 ecr 0,nop,wscale 7], length 0
So the packet reaches the host; a quick look at the iptables rules revealed something interesting:
[root@centos ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
21G 4775G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
21667 1820K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
1235K 74M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3297 198K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
631M 38G ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9200
265K 16M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9300
58 3480 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
18M 1852M REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5666
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 2131 packets, 593K bytes)
pkts bytes target prot opt in out source destination
The INPUT policy is ACCEPT, but a "REJECT all" rule with reject-with icmp-host-prohibited sits at the end of the chain. That also explains the telnet error: REJECT answers the SYN with an ICMP "host prohibited" message, which the client reports as "No route to host", so the error message itself already pointed at the firewall rather than at routing. If I had set up the machine, I would rather have used a DROP policy (a built-in chain's policy can only be ACCEPT or DROP, not REJECT) with explicit accept rules, so that a flushed or mis-ordered chain fails closed instead of open. But that train has departed; the machine was set up this way years ago, and it is in fact the stock CentOS 6 firewall layout. The actual problem is that the newly added rule for tcp/5666 was appended (-A) after the general REJECT rule. iptables evaluates a chain top to bottom until a rule matches, so the new rule is never reached: its packet counter stays at 0 while the REJECT counter keeps growing.
Unfortunately there is no command to just "move up" an existing rule, but the rule can be deleted and re-inserted at a chosen position.
With --line-numbers (abbreviated to --line-n below; iptables accepts unambiguous prefixes of long options) the same listing shows the rule numbers:
[root@centos ~]# iptables -nvL --line-n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 21G 4775G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 21678 1821K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 1235K 74M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 3299 198K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 631M 38G ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9200
6 265K 16M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9300
7 58 3480 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
8 18M 1852M REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
9 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5666
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 124K packets, 32M bytes)
num pkts bytes target prot opt in out source destination
So if I delete the rule (either by repeating its full specification with -D, or by its rule number) and insert it before the REJECT rule at position 8, it should be fine:
[root@centos ~]# iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT
[root@centos ~]# iptables -I INPUT 7 -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT
[root@centos ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
21G 4775G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
21693 1822K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
1235K 74M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3301 198K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
631M 38G ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9200
265K 16M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9300
1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5666
58 3480 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
18M 1852M REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 3302 packets, 955K bytes)
pkts bytes target prot opt in out source destination
The rule for tcp/5666 was inserted (-I) at position 7, pushing the previous rule 7 (tcp/80) down one place. It is now definitely above the REJECT rule and its counter already shows a first matching packet, so will it work?
root@icinga:~# telnet centosip 5666
Trying centosip...
Connected to centosip.
Escape character is '^]'.
^]quit
telnet> quit
Yes, it worked! Keep in mind that this change only lives in the running kernel: on CentOS 6 it has to be persisted with service iptables save (which writes /etc/sysconfig/iptables), otherwise the next reboot or service iptables restart loads the old ruleset and NRPE is blocked again.
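The "look up the rule numbers, delete, insert before the catch-all" dance above is easy to get wrong by hand, especially when the rule numbers shift after the delete. The following script is an added example, not part of the original post: it parses the output of iptables -nvL --line-numbers, finds the catch-all REJECT/DROP rule of a chain, drops any existing ACCEPT rule for the port (correcting the catch-all position if that rule sat above it), and then inserts the new rule directly in front of the catch-all, or appends it if the chain has no catch-all. The listing embedded in the script is constructed from the chains shown in this post; the chain name, port and source address are parameters. Unlike the post's rule, the generated rule restricts the source to the monitoring server (ICINGA_IP, a placeholder), which is what you want for an NRPE port anyway. The live part only runs when APPLY=1 is set and needs root; the planning logic runs anywhere.

```shell
#!/bin/sh
# Added example: insert an ACCEPT rule in front of a chain's catch-all REJECT
# instead of appending it behind the catch-all (where it never matches).
# Needs the -n listing (numeric addresses); works with the old iptables 1.4.7
# on CentOS 6 because it deletes by rule number rather than using -C.

# Constructed listing modelled on the INPUT/FORWARD/OUTPUT chains in the post.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 21G 4775G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 21678 1821K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 1235K 74M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 3299 198K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 631M 38G ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9200
6 265K 16M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9300
7 58 3480 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
8 18M 1852M REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
9 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5666

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 124K packets, 32M bytes)
num pkts bytes target prot opt in out source destination
'

# catchall_position CHAIN: rule number of the first REJECT/DROP that matches
# every protocol from any source in CHAIN (listing on stdin); empty if none.
# Fields of the -nvL --line-numbers format: 1 num, 4 target, 5 prot, 9 source.
catchall_position() {
    awk -v chain="$1" '
        /^Chain / { inchain = ($2 == chain); next }
        inchain && $1 ~ /^[0-9]+$/ && ($4 == "REJECT" || $4 == "DROP") && $5 == "all" && $9 == "0.0.0.0/0" { print $1; exit }'
}

# accept_position CHAIN PORT: rule number of an existing "ACCEPT tcp ... dpt:PORT"
# rule in CHAIN (listing on stdin); empty if none. Match options start at field 11.
accept_position() {
    awk -v chain="$1" -v want="dpt:$2" '
        /^Chain / { inchain = ($2 == chain); next }
        inchain && $1 ~ /^[0-9]+$/ && $4 == "ACCEPT" && $5 == "tcp" {
            for (i = 11; i <= NF; i++) if ($i == want) { print $1; exit }
        }'
}

# plan_allow CHAIN PORT [SOURCE]: print the iptables commands (one per line) that
# put an ACCEPT rule for tcp/PORT from SOURCE in front of the catch-all, reading
# the current listing from stdin. Pure planning, touches nothing.
plan_allow() {
    chain="$1"; port="$2"; src="${3:-0.0.0.0/0}"
    listing=$(cat)
    old=$(printf '%s\n' "$listing" | accept_position "$chain" "$port")
    catchall=$(printf '%s\n' "$listing" | catchall_position "$chain")
    spec="-p tcp -m state --state NEW -m tcp -s $src --dport $port -j ACCEPT"
    if [ -n "$old" ]; then
        printf 'iptables -D %s %s\n' "$chain" "$old"
        # Deleting a rule above the catch-all moves the catch-all up by one.
        if [ -n "$catchall" ] && [ "$old" -lt "$catchall" ]; then
            catchall=$((catchall - 1))
        fi
    fi
    if [ -n "$catchall" ]; then
        printf 'iptables -I %s %s %s\n' "$chain" "$catchall" "$spec"
    else
        printf 'iptables -A %s %s\n' "$chain" "$spec"   # no catch-all: append is fine
    fi
}

# apply_allow CHAIN PORT [SOURCE]: run the plan against the live ruleset (root),
# then persist it, because -I/-D only change the running kernel.
apply_allow() {
    iptables -nvL --line-numbers | plan_allow "$@" | while read -r cmd; do
        echo "+ $cmd"
        set -- $cmd      # split into words; the plan contains no quoting
        "$@"
    done
    service iptables save   # CentOS 6: writes /etc/sysconfig/iptables
}

# Show the plan for the constructed listing (192.0.2.10 is a placeholder address).
printf '%s\n' "$SAMPLE_LISTING" | plan_allow INPUT 5666 192.0.2.10

# Live run only on explicit request: APPLY=1 ICINGA_IP=<monitoring server> sh thisscript.sh
if [ "${APPLY:-0}" = 1 ]; then
    apply_allow INPUT 5666 "${ICINGA_IP:?set ICINGA_IP to the monitoring server address}"
fi
```

For the listing from the post the plan is "iptables -D INPUT 9" followed by "iptables -I INPUT 8 ...", which lands the rule directly in front of the REJECT, one position lower than the manual insert at 7 in the post but equally above the catch-all. Restricting the source with -s is the firewall half of the story; NRPE's own allowed_hosts setting in nrpe.cfg should list the same monitoring server.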