iptables slows Parts of Nagios
Posted: Thu Jun 29, 2017 8:44 am
Symptoms
After restrict iptables to
Service "Apply Configuration", show "Service Status Detail" and show "Host Status Detail" take much more time (1 to 3 minutes more) as before.
The other sides perform as far as i test well.
In log (/usr/local/nagiosxi/var/cmdsubsys.log) for Apply Configuration I have see that
will be performed 3 times nagios stuck at the line and wait to the time out.
Question
What can I do that Nagios get the old perfomance?
Must I give free a additional port?
Log
tailf /usr/local/nagiosxi/var/cmdsubsys.log
Setup
Virtual Machine downloaded from https://www.nagios.com/downloads/nagios-xi/vmware/ (5.4.5.)
Upgraded to
Nagios XI Version : 5.4.6
CentOS release 6.9 (Final)
Gnome is not installed
With SSL configuration according https://assets.nagios.com/downloads/nag ... s%20XI.pdf
IPTable Rules
After restrict iptables to
Code: Select all
# make sure nothing comes or goes out of this box
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
The other sides perform as far as i test well.
In log (/usr/local/nagiosxi/var/cmdsubsys.log) for Apply Configuration I have see that
Code: Select all
Connecting to localhost|::1|:443... .......................................failed: Connection timed out.
Connecting to localhost|127.0.0.1|:443... connected.
Question
What can I do that Nagios get the old perfomance?
Must I give free a additional port?
Log
tailf /usr/local/nagiosxi/var/cmdsubsys.log
Code: Select all
PROCESSED 0 COMMANDS
...................................PROCESSING COMMAND ID 202...
PROCESS COMMAND: CMD=17, DATA=
APPLYING NAGIOSCORE CONFIG...
CMDLINE=cd /usr/local/nagiosxi/scripts && ./reconfigure_nagios.sh
URL: https://localhost/nagiosxi/includes/components/ccm/
CMDLINE
--2017-06-29 15:06:37-- https://localhost/nagiosxi/includes/components/ccm/
Resolving localhost... ::1, 127.0.0.1
Connecting to localhost|::1|:443... .......................................failed: Connection timed out.
Connecting to localhost|127.0.0.1|:443... connected.
WARNING: cannot verify localhost’s certificate, issued by “<CERTSTRING>”:
Self-signed certificate encountered.
WARNING: certificate common name “<SERVER>” doesn't match requested host name “localhost”.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: “nagiosql.login”
0K .......... .......... .......... .. ....... 3.81M=0.009s
2017-06-29 15:07:40 (3.81 MB/s) - “nagiosql.login” saved [37137]
/usr/bin/wget --save-cookies nagiosql.cookies --keep-session-cookies https://localhost/nagiosxi/includes/components/ccm/ --no-check-certificate --post-data 'submit=Login&hidelog=true&loginSubmitted=true&backend=1&username=nagiosxi&password=<Password>' -O nagiosql.loginLOGIN SUCCESSFUL!
.IMPORTING CONFIG FILES...URL: https://localhost/nagiosxi/includes/components/ccm/
Array
(
)
RESETTING PERMS
URL: https://localhost/nagiosxi/includes/components/ccm/
CMDLINE
--2017-06-29 15:07:40-- https://localhost/nagiosxi/includes/components/ccm/
Resolving localhost... ::1, 127.0.0.1
Connecting to localhost|::1|:443... ....................
PROCESSED 0 COMMANDS
..........................................failed: Connection timed out.
Connecting to localhost|127.0.0.1|:443... connected.
WARNING: cannot verify localhost’s certificate, issued by “<CERTSTRING>”:
Self-signed certificate encountered.
WARNING: certificate common name “<SERVER>” doesn't match requested host name “localhost”.
HTTP request sent, awaiting response... HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: “nagiosql.login”
0K .......... .......... .......... ...... 3.41M=0.01s
2017-06-29 15:08:44 (3.41 MB/s) - “nagiosql.login” saved [37137]
/usr/bin/wget --save-cookies nagiosql.cookies --keep-session-cookies https://localhost/nagiosxi/includes/components/ccm/ --no-check-certificate --post-data 'submit=Login&hidelog=true&loginSubmitted=true&backend=1&username=nagiosxi&password=<Password>' -O nagiosql.loginLOGIN SUCCESSFUL!
URL: https://localhost/nagiosxi/includes/components/ccm/
CMDLINE:
/usr/bin/wget --load-cookies=nagiosql.cookies https://localhost/nagiosxi/includes/components/ccm/ --no-check-certificate --post-data 'backend=1&cmd=apply&type=writeConfig' -O nagiosql.export.monitoring
--2017-06-29 15:08:44-- https://localhost/nagiosxi/includes/components/ccm/
Resolving localhost... ::1, 127.0.0.1
Connecting to localhost|::1|:443... ...................
PROCESSED 0 COMMANDS
.............................................failed: Connection timed out.
Connecting to localhost|127.0.0.1|:443... connected.
WARNING: cannot verify localhost’s certificate, issued by “<CERTSTRING>”:
Self-signed certificate encountered.
WARNING: certificate common name “<SERVER>” doesn't match requested host name “localhost”.
HTTP request sent, awaiting response... .200 OK
Length: unspecified [text/html]
Saving to: “nagiosql.export.monitoring”
0K ............ .......... . 1014K=0.02s
2017-06-29 15:09:47 (1014 KB/s) - “nagiosql.export.monitoring” saved [21935]
WRITE CONFIGS SUCCESSFUL!
OUTPUT:
Nagios Core 4.2.4
Copyright (c) 2009-present Nagios Core Development Team and Community Contributors
Copyright (c) 1999-2009 Ethan Galstad
Last Modified: 12-07-2016
License: GPL
Website: https://www.nagios.org
Reading configuration data...
Read main config file okay...
Read object config files okay...
Running pre-flight check on configuration data...
Checking objects...
Checked 43 services.
Checked 3 hosts.
Checked 1 host groups.
Checked 0 service groups.
Checked 3 contacts.
Checked 2 contact groups.
Checked 126 commands.
Checked 9 time periods.
Checked 0 host escalations.
Checked 0 service escalations.
Checking for circular paths...
Checked 3 hosts
Checked 0 service dependencies
Checked 0 host dependencies
Checked 9 timeperiods
Checking global event handlers...
Checking obsessive compulsive processor commands...
Checking misc settings...
Total Warnings: 0
Total Errors: 0
Things look okay - No serious problems were detected during the pre-flight check
RET: 0
Running configuration check...
Stopping nagios: done.
Starting nagios: done.
OUTPUT=Starting nagios: done.
RETURNCODE=0
Setup
Virtual Machine downloaded from https://www.nagios.com/downloads/nagios-xi/vmware/ (5.4.5.)
Upgraded to
Nagios XI Version : 5.4.6
CentOS release 6.9 (Final)
Gnome is not installed
With SSL configuration according https://assets.nagios.com/downloads/nag ... s%20XI.pdf
IPTable Rules
Code: Select all
# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#TLS/SSL for the webserver
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --sport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
ip6tables -A OUTPUT -p tcp --dport 443 -j ACCEPT
ip6tables -A INPUT -p tcp --sport 443 -j ACCEPT
ip6tables -A OUTPUT -p tcp --sport 443 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT
#Ping incomming
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d 10.0.0.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -s 10.0.0.0/24 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#Ping outfooing
iptables -A OUTPUT -p icmp --icmp-type 8 -s 10.0.0.0/24 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -d 10.0.0.24 -m state --state ESTABLISHED,RELATED -j ACCEPT
#NRPE
iptables -A OUTPUT -p tcp --dport 5666 -j ACCEPT
iptables -A INPUT -p tcp --sport 5666 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 5666 -j ACCEPT
iptables -A INPUT -p tcp --dport 5666 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 5667 -j ACCEPT
iptables -A INPUT -p tcp --sport 5667 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 5667 -j ACCEPT
iptables -A INPUT -p tcp --dport 5667 -j ACCEPT
<!-- SOME OTHER OPEN PORTS -->
# make sure nothing comes or goes out of this box
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP