Another NRPE remote connectivity issues

ghuey
Posts: 13
Joined: Mon Jan 24, 2011 9:25 am

Another NRPE remote connectivity issues

Post by ghuey »

I have an Ubuntu Nagios server attempting to monitor a remote CentOS host; the two sit in different subnets.

When attempting check_nrpe, I receive the timeout error message.

Verified that our hardware firewall has 5666 opened, as other (ssh) services are functioning correctly between the two.

Pretty sure that 5666 is allowed in iptables on the remote host:


[root@sls-cfm nagios]# iptables -L -n | grep 5666
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5666
See the process listening on remote host:


[root@sls-cfm nagios]# netstat -ant|grep 5666
tcp        0      0 0.0.0.0:5666                0.0.0.0:*                   LISTEN
tcp        0      0 :::5666                     :::*                        LISTEN
Confirmed the monitoring server IP is listed in the nrpe.cfg allow_hosts section.

Running the check_nrpe command locally on the remote host seems to work:


[root@sls-cfm plugins]# ./check_nrpe -H 127.0.0.1
NRPE v2.15
I am not 100% sure if the nrpe plugins are the same versions on the Nagios server and the remote host. Also, I am not sure if the user permissions are set up correctly on the remote host, as everything seems to be owned by root.

Anyone have any other ideas?
eloyd
Cool Title Here
Posts: 2129
Joined: Thu Sep 27, 2012 9:14 am
Location: Rochester, NY

Re: Another NRPE remote connectivity issues

Post by eloyd »

Try this command instead:


iptables -L -n -v | grep 5666
Note the "-v" in there. This shows how many times that rule has been hit. If it's not being hit, then your iptables are not correct or some other firewall is in the way.
Eric Loyd • http://everwatch.global • 844.240.EVER • @EricLoyd • I'm a Nagios Fanatic!
ghuey
Posts: 13
Joined: Mon Jan 24, 2011 9:25 am

Re: Another NRPE remote connectivity issues

Post by ghuey »

eloyd wrote:
Try this command instead:

iptables -L -n -v | grep 5666

Note the "-v" in there. This shows how many times that rule has been hit. If it's not being hit, then your iptables are not correct or some other firewall is in the way.

I assume this means that nothing is hitting against that rule:

[root@sls-cfm plugins]# iptables -L -n -v | grep 5666
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5666

Geez... digging through multiple firewalls gets old. Thanks, I will keep looking.
ghuey
Posts: 13
Joined: Mon Jan 24, 2011 9:25 am

Re: Another NRPE remote connectivity issues

Post by ghuey »

I realize that this means I am probably drifting outside the scope of "nagios" here but I am hoping someone feels charitable. It definitely appears to be an issue with iptables.

If I kill iptables, I am able to remotely run a check_nrpe against the remote host, so either I have the rule screwed up or another admin may have some other firewall-type service protecting this server, which is also possible.

Here is output of iptables:


[root@sls-cfm plugins]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:commplex-main
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:commplex-link
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:rfe
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5666

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
If anyone has any further advice on how to narrow this down I would appreciate it.
eloyd
Cool Title Here
Posts: 2129
Joined: Thu Sep 27, 2012 9:14 am
Location: Rochester, NY

Re: Another NRPE remote connectivity issues

Post by eloyd »

ghuey wrote:
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5666
Your REJECT is coming before your port 5666 ACCEPT. So all traffic is being rejected prior to being checked to see if it's for port 5666. You need to rearrange your iptables rules.
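The ordering problem eloyd points out above (a catch-all REJECT placed before the port 5666 ACCEPT, so the later rule is never reached) is easy to check for mechanically. The script below is an added example, not code from this thread or from the Nagios project: it reads the text of `iptables -L INPUT -n --line-numbers`, reports ACCEPT rules that sit below the first catch-all REJECT/DROP in the chain, and prints (without running) the commands that would move such a rule above the catch-all. The sample listing is constructed to mirror the poster's INPUT chain, with ports shown numerically as `-n` prints them; the function names and the SNMP rule 7 are my own additions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Nagios: detect ACCEPT rules
# shadowed by an earlier catch-all REJECT/DROP in an iptables chain, and print
# the commands that would reorder them. Sample listing is constructed to match
# the poster's INPUT chain as `iptables -L INPUT -n --line-numbers` would show it.

SAMPLE_INPUT_CHAIN='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5666
7    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:161'

# Read a chain listing on stdin; print "<shadowed-num> <catchall-num>" for
# every ACCEPT rule positioned after the first catch-all REJECT/DROP.
# Field layout without -v: num target prot opt source destination [matches...]
shadowed_accepts() {
    awk '
        $1 ~ /^[0-9]+$/ {
            # A catch-all: REJECT or DROP, protocol all, any source and
            # destination, and no match extension other than reject-with.
            catchall = ($2 == "REJECT" || $2 == "DROP") && $3 == "all" &&
                       $5 == "0.0.0.0/0" && $6 == "0.0.0.0/0" &&
                       (NF == 6 || $7 == "reject-with")
            if (catchall && blocker == 0)
                blocker = $1
            else if (blocker != 0 && $2 == "ACCEPT")
                print $1, blocker
        }'
}

# Print (do not run) the commands that move rule $3 of chain $1 to just above
# rule $2. Deleting the later rule first leaves the catch-all number unchanged,
# so the insert position is the catch-all's own number. `iptables -S <chain>
# <rulenum>` prints that one rule in -A form, which is reused as the insert spec.
reorder_commands() {
    chain=$1; blocker=$2; shadowed=$3
    printf 'spec=$(iptables -S %s %s | sed "s/^-A %s //")\n' "$chain" "$shadowed" "$chain"
    printf 'iptables -D %s %s\n' "$chain" "$shadowed"
    printf 'iptables -I %s %s $spec\n' "$chain" "$blocker"
}

# Run the detector over the constructed sample and emit a fix for each hit.
audit_sample() {
    printf '%s\n' "$SAMPLE_INPUT_CHAIN" | shadowed_accepts |
    while read -r shadowed blocker; do
        echo "# rule $shadowed is shadowed by catch-all rule $blocker"
        reorder_commands INPUT "$blocker" "$shadowed"
    done
}

audit_sample
```

On a live host, feed the script the real listing (`iptables -L INPUT -n --line-numbers | shadowed_accepts`) rather than the sample. Two practical notes: `-L` without `-v` hides interface matches, so a rule like the poster's third `ACCEPT all anywhere anywhere` (usually `-i lo`) looks like an accept-everything rule until you add `-v`; and when you re-insert the 5666 rule, restricting it to the Nagios server's address with `-s` keeps iptables as a second gate alongside `allow_hosts` in nrpe.cfg. Whatever reordering you apply is lost on the next iptables restart unless you save it (e.g. with `iptables-save`).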
ghuey
Posts: 13
Joined: Mon Jan 24, 2011 9:25 am

Re: Another NRPE remote connectivity issues

Post by ghuey »

eloyd wrote:
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5666
Your REJECT is coming before your port 5666 ACCEPT. So all traffic is being rejected prior to being checked to see if it's for port 5666. You need to rearrange your iptables rules.

Bah... my Linux ignorance nails me again. That was 100% the issue. Thanks for fixing this for me even though it had nothing to do with Nagios.
eloyd
Cool Title Here
Posts: 2129
Joined: Thu Sep 27, 2012 9:14 am
Location: Rochester, NY

Re: Another NRPE remote connectivity issues

Post by eloyd »

Small victories such as this are what make my days enjoyable. :-)
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Another NRPE remote connectivity issues

Post by tmcdonald »

ghuey wrote:
Thanks for fixing this for me even though it had nothing to do with Nagios.

eloyd's cool like that :)
Former Nagios employee