NATty Dread

Posted: Wed May 16, 2018 6:01 am
by scooby
Hi all,

I've run into a networking issue with Nagios, and it's got me tearing my hair out. I've spent a couple of days on this - reading posts on the forum, trying different things - but to no avail :-( I feel like I'm missing something obvious but I'm running out of ideas; any help would really be appreciated!

I've set up a Nagios server on a VM, behind a gateway/router that uses iptables to provide NAT, port fwding. The Nagios server can monitor other servers that are also behind the gateway, but it can't monitor servers outside the gateway: it can ping them, but any check_nrpe commands return "CHECK_NRPE STATE CRITICAL: Socket timeout after 10 seconds".

Here's what I did:

1. On the remote client (outside the gateway):

- in nrpe.cfg I changed the port number (server_port=12345), and I added the IP of the gateway/router to allowed_hosts
(N.B. under the "COMMAND DEFINITIONS" section I'm using hardcoded commands, as I do for the servers within the gateway)

2. On the gateway/router:

- in before.rules I created a rule to forward port 12345 to port 5666 of the Nagios server

3. On the Nagios server (behind the gateway):

- in commands.cfg I created a new check_nrpe command to use port 12345:

Code:

# 'check_nrpe12345' command definition - outside gateway
define command{
        command_name    check_nrpe12345
        command_line    $USER1$/check_nrpe -H $HOSTADDRESS$ -p 12345 -c $ARG1$
}

- in remoteserver.cfg (the server definition file for the server outside the gateway) I defined the host as normal, and defined services to use the new command e.g.

Code:

define service {
    use                   generic-service
    host_name             remoteserver.wherever.com
    service_description   10 cpu
    check_command         check_nrpe12345!check_load
}

...then I restarted nagios on the Nagios server, and restarted nrpe on the remote server.

/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg reports no issues, and the web interface loads OK. FWIW port forwarding on the gateway is working fine, in general: I've set up rules for port 22 (so I can SSH in to the Nagios server) and port 80 (so I can access the web interface). And I use the same port fwding method for other VMs without issues. But I can't seem to get Nagios/NRPE to talk to remote servers :-(

(I'm running Nagios Core 4.3.4 and NRPE v3.2.0 - both installed from source - and all servers are running Linux).

Thank you in advance for any help. Apologies for a long post, and apologies if this has been covered many times before: I've read several forum posts about NAT-related issues, but I still haven't been able to resolve this one.

Re: NATty Dread

Posted: Wed May 16, 2018 9:30 am
by scottwilkerson
scooby wrote:
2. On the gateway/router:

- in before.rules I created a rule to forward port 12345 to port 5666 of the Nagios server

This is wrong, you should not need any rules, nor would you need a special command to change the port (you are connecting to 5666 on the REMOTE machine).

The one (and probably only) thing you would need to do is specify your router's IP address in the allowed hosts in the NRPE configuration instead of its actual IP.
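An added example, not part of the original posts: a small offline check of a remote client's nrpe.cfg that tests whether the address the client actually sees after source NAT (the gateway's, not the Nagios server's private one) matches allowed_hosts. The function names and the sample addresses (RFC 5737 and RFC 1918 ranges) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: nrpe.cfg on the remote client, listing only the
# Nagios server's private address (the misconfiguration being checked for).
SAMPLE_NRPE_CFG = """\
server_port=5666
allowed_hosts=127.0.0.1,192.168.1.20
command[check_load]=/usr/local/nagios/libexec/check_load -w 15,10,5 -c 30,25,20
"""


def parse_nrpe_cfg(text):
    """Return the key=value directives of an nrpe.cfg, skipping comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def source_allowed(cfg, source_ip):
    """True if source_ip matches an IP or CIDR entry in allowed_hosts.

    Hostname entries are skipped so the check needs no DNS lookups.
    """
    src = ipaddress.ip_address(source_ip)
    for entry in cfg.get("allowed_hosts", "").split(","):
        try:
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            continue  # empty or hostname entry
        if net.version == src.version and src in net:
            return True
    return False


def audit_for_nat(cfg, nagios_private_ip, gateway_public_ip):
    """List findings for a Nagios server that reaches this client through source NAT."""
    findings = []
    if not source_allowed(cfg, gateway_public_ip):
        findings.append("gateway address %s missing from allowed_hosts" % gateway_public_ip)
    if source_allowed(cfg, nagios_private_ip):
        findings.append("private address %s is listed but never seen by this client" % nagios_private_ip)
    return findings


if __name__ == "__main__":
    for finding in audit_for_nat(parse_nrpe_cfg(SAMPLE_NRPE_CFG), "192.168.1.20", "203.0.113.10"):
        print(finding)
```

Run against the constructed sample it reports both findings; a config whose allowed_hosts contains the gateway's address (or a CIDR range covering it) returns an empty list.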

Re: NATty Dread

Posted: Thu May 17, 2018 10:43 am
by scooby
Aha...!

Hi scottwilkerson, and thank you for your response.

Now it works perfectly :)

Thanks again for your help - much appreciated!

Re: NATty Dread

Posted: Thu May 17, 2018 10:51 am
by scottwilkerson
Glad to hear this resolved the issue.

Locking thread