Firewall problem with nrpe connection?
Hi,
I've properly configured the NRPE client on a Debian server, and it works fine. After rebooting this server, it stops connecting to the Nagios server. This is the error from the Nagios console: "(No output on stdout) stderr: connect to address ...".
I did some tests and finally found that the problem can be solved by running the following commands again (from this article: https://support.nagios.com/kb/article.php?id=515#Debian):
iptables -I INPUT -p tcp --destination-port 5666 -j ACCEPT
apt-get install -y iptables-persistent
Answer yes to saving existing rules
Can you help me understand how this rule works and how I can make the rule persistent? It seems it's not.
Thanks!
-
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
- Contact:
Re: Firewall problem with nrpe connection?
I'm going to modify that doc, but you can run the following any time you make a change to the firewall rules to make them stick:
iptables-save > /etc/iptables/rules
Re: Firewall problem with nrpe connection?
I tried the command you suggested, but no result. Same issue as before, after reboot the connection is refused.
This is the error from the Nagios console: (No output on stdout) stderr: connect to address xxx.xx.xxx.xxx port 5666: Connection refused
- DevOps Engineer
Re: Firewall problem with nrpe connection?
Let's see what's in here:
cat /etc/iptables/rules
Also, is the service running?
systemctl status nrpe
Re: Firewall problem with nrpe connection?
Yes, the NRPE service runs correctly after reboot:
debian-ftp:~# systemctl status nrpe
● nrpe.service - Nagios Remote Plugin Executor
Loaded: loaded (/lib/systemd/system/nrpe.service; enabled)
Active: active (running) since mar 2019-05-07 08:50:46 CEST; 3min 1s ago
Docs: http://www.nagios.org/documentation
Main PID: 490 (nrpe)
CGroup: /system.slice/nrpe.service
└─490 /usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg...
mag 07 08:50:46 debian-ftp systemd[1]: Started Nagios Remote Plugin Executor.
mag 07 08:50:46 debian-ftp nrpe[490]: Starting up daemon
mag 07 08:50:46 debian-ftp nrpe[490]: Server listening on 0.0.0.0 port 5666.
mag 07 08:50:46 debian-ftp nrpe[490]: Server listening on :: port 5666.
mag 07 08:50:46 debian-ftp nrpe[490]: Warning: Daemon is configured to acce...s!
mag 07 08:50:46 debian-ftp nrpe[490]: Listening for connections on port 5666
mag 07 08:50:46 debian-ftp nrpe[490]: Allowing connections from: 127.0.0.1,...54
Hint: Some lines were ellipsized, use -l to show in full.
debian-ftp:~# iptables -I INPUT -p tcp --destination-port 5666 -j ACCEPT
Here is the rules.v4 file:
debian-ftp:~# cat /etc/iptables/rules.v4
# Generated by iptables-save v1.4.21 on Tue Apr 30 17:21:28 2019
*filter
:INPUT ACCEPT [2:120]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [163:40002]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m tcp --dport 5666 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -s 192.168.10.12/32 -j ACCEPT
-A INPUT -s 192.168.10.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -s 192.168.10.0/24 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -s 192.168.10.0/24 -p tcp -m state --state NEW -m tcp --dport 4000 -j ACCEPT
-A INPUT -s 192.168.10.0/24 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Tue Apr 30 17:21:28 2019
debian-ftp:~#
- DevOps Engineer
Re: Firewall problem with nrpe connection?
I believe you may need to enable the service:
sudo systemctl enable iptables-persistent
sudo systemctl start iptables-persistent
Re: Firewall problem with nrpe connection?
systemctl enable iptables-persistent
Failed to start iptables-persistent.service: Unit iptables-persistent.service failed to load: No such file or directory.
- DevOps Engineer
Re: Firewall problem with nrpe connection?
I see in newer versions the service name has changed.
Let's try:
sudo systemctl enable netfilter-persistent
sudo systemctl start netfilter-persistent
Re: Firewall problem with nrpe connection?
Nothing changed, same result.
I need to run again this command:
iptables -I INPUT -p tcp --destination-port 5666 -j ACCEPT
Any idea?
Thanks,
Ivan
- DevOps Engineer
Re: Firewall problem with nrpe connection?
Are you running the following after adding the iptables rules?
iptables-save > /etc/iptables/rules
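As an added example (not from the thread, nor from Nagios), a small POSIX shell check over an iptables-save dump in the rules.v4 format that netfilter-persistent's iptables plugin loads at boot (the file the poster dumped above): it confirms the INPUT chain has an ACCEPT for tcp/5666 placed before any REJECT/DROP rule, which is why the command in the thread uses `-I` (insert at the top) rather than `-A` (append after the subnet REJECT). The two dumps are constructed and modelled on the poster's file.

```shell
#!/bin/sh
# Added example, not from the thread. Checks an iptables-save dump (the
# format of /etc/iptables/rules.v4) for an ACCEPT of NRPE traffic that can
# actually match: `iptables -I INPUT ...` inserts at the top of INPUT, while
# `-A` appends after the subnet REJECT, where a new connection never reaches it.

# Exit 0 if the INPUT chain accepts tcp/5666 before any REJECT/DROP rule.
# Assumes the rule is written with --dport (how iptables-save stores
# --destination-port); a multiport rule would not be recognised.
nrpe_rule_reachable() {
  printf '%s\n' "$1" | awk '
    /^-A INPUT / {
      if ($0 ~ /-p tcp/ && $0 ~ /--dport 5666( |$)/ && $0 ~ /-j ACCEPT/) {
        found = 1; exit
      }
      if ($0 ~ /-j (REJECT|DROP)/) exit   # a terminal rule is hit first
    }
    END { if (found) exit 0; exit 1 }'
}

report() {
  if nrpe_rule_reachable "$2"; then echo "$1: NRPE reachable"
  else echo "$1: NRPE blocked or not allowed before a terminal rule"; fi
}

# Constructed dumps modelled on the poster's rules.v4 (sample addresses).
RULES_INSERTED=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 5666 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.10.0/24 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
)
RULES_APPENDED=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.10.0/24 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 5666 -j ACCEPT
COMMIT
EOF
)

report inserted "$RULES_INSERTED"
report appended "$RULES_APPENDED"
```

After saving rules, run `nrpe_rule_reachable "$(cat /etc/iptables/rules.v4)"` against the live file so a missing or misplaced rule is caught before the next reboot rather than by a Nagios alert.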