IP Tables & NCPA
Posted: Mon Oct 01, 2018 1:23 pm
by rkane
I inadvertently edited my IP Tables and cannot SSH into my NagiosNA VM any longer. The chain of events:
- Installed NCPA
- XI could not complete the NCPA checks
- Disabled the firewall on the NA machine
- XI successfully completed the NCPA checks
- Attempted to edit my IP Table on the NA machine
Current issue: Cannot SSH or access NA via the web GUI
Two questions:
1) Can someone please send me an OOTB IP Table configuration for NA so I can replace mine? Still able to FTP in as well as access through vsphere console
2) What type of traffic is NCPA? Need to open up the port on the firewall of the VM
Thanks!
Re: IP Tables & NCPA
Posted: Mon Oct 01, 2018 5:01 pm
by npolovenko
Hello,
@rkane. Let me confirm: you have a NCPA agent installed on the Network analyzer and you're monitoring it from the XI server?
I don't think Nagios NA comes with any iptable rules out of the box.
Are you able to access the NA machine from the VSPhere and disable the iptables?
NCPA uses TCP traffic.
Re: IP Tables & NCPA
Posted: Mon Oct 01, 2018 5:31 pm
by rkane
Correct. I installed the NCPA client on my NagiosNA box so I could monitor it from NagiosXI. When executing the NCPA checks from NagiosXI they fail. Turning off the firewall service on the NagiosNA machine allows the service checks to successfully complete.
With this info I went to create an iptable entry to allow the communication through to the NagiosNA NCPA client. I put in the wrong traffic type and attempted to delete the entry. In doing so I deleted something that cut off ssh / web GUI access. Turning the firewall service back off (via vsphere) restores these.
Re: IP Tables & NCPA
Posted: Tue Oct 02, 2018 8:55 am
by rkane
Pulled up the specific command I ran, how do I reverse this?
Re: IP Tables & NCPA
Posted: Tue Oct 02, 2018 12:36 pm
by lmiltchev
Stop the iptables on the NNA machine:
Open the iptables config file in a text editor:
Make sure you have these two lines:
Code:
IPTABLES_SAVE_ON_STOP="yes"
IPTABLES_SAVE_ON_RESTART="yes"
Save and exit:
Add some rules by modifying the /etc/sysconfig/iptables file.
Example:
Code:
# SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# NNA web interface
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# NCPA agent
-A INPUT -p tcp -m tcp --dport 5693 -j ACCEPT
# NNA flow sources
-A INPUT -p udp -m udp --dport <source1 port> -j ACCEPT
-A INPUT -p udp -m udp --dport <source2 port> -j ACCEPT
where <source1 port>, <source2 port>, etc. are the NNA sources' UDP ports.
Save and exit. Start iptables:
You can run nmap on the Nagios XI server against the NNA machine to see which ports are open or you could test a specific port, e.g.
Code:
nmap <NNA server's IP address> -p 5693
Hope this helps.
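The iptables answer above as one script (an added example, not code from the thread or from Nagios): it renders a complete /etc/sysconfig/iptables file from a list of port/proto specs, keeps every ACCEPT ahead of the trailing REJECT that a stock CentOS ruleset ends with (a rule appended after that REJECT is never reached, which is one way a hand edit like rkane's ends in a lost SSH session), and refuses to install a file that does not accept TCP/22. Ports 22, 80 and 5693 come from the thread; 2055/udp as a NetFlow source port, the APPLY knob and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Nagios): build and sanity-check an
# /etc/sysconfig/iptables ruleset for a Nagios Network Analyzer host that is
# monitored over NCPA. 2055/udp (NetFlow) and the names here are assumptions.

# Print one ACCEPT rule for a "port/proto" spec such as 5693/tcp or 2055/udp.
accept_rule() {
    port=${1%/*}
    proto=${1#*/}
    case "$port" in
        ''|*[!0-9]*) echo "accept_rule: bad port in '$1'" >&2; return 1 ;;
    esac
    case "$proto" in
        tcp|udp) ;;
        *) echo "accept_rule: bad spec '$1' (want port/tcp or port/udp)" >&2; return 1 ;;
    esac
    printf '%s\n' "-A INPUT -p $proto -m $proto --dport $port -j ACCEPT"
}

# Render an iptables-save style file to stdout: the stock CentOS skeleton with
# the requested ports accepted BEFORE the catch-all REJECT. Rules placed after
# that REJECT are never reached, which is the usual way a hand edit locks you out.
render_ruleset() {
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    echo '-A INPUT -p icmp -j ACCEPT'
    echo '-A INPUT -i lo -j ACCEPT'
    for spec in "$@"; do
        accept_rule "$spec" || return 1
    done
    echo '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    echo '-A FORWARD -j REJECT --reject-with icmp-host-prohibited'
    echo 'COMMIT'
}

# Exit 0 only if the file accepts TCP/22 somewhere before the first REJECT,
# i.e. it is safe to load from the vSphere console without losing SSH afterwards.
ssh_before_reject() {
    awk '/--dport 22 -j ACCEPT/ && !r { ok = 1 } /-j REJECT/ { r = 1 } END { exit ok ? 0 : 1 }' "$1"
}

# Install and activate. Stop first, then write, then start: with
# IPTABLES_SAVE_ON_STOP/RESTART="yes" a restart would save the running (broken)
# rules over the file we just wrote. Run from the console, never over SSH.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    render_ruleset "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    if ! ssh_before_reject "$tmp"; then
        echo 'refusing to apply: no ACCEPT for tcp/22 ahead of the REJECT' >&2
        rm -f "$tmp"; return 1
    fi
    service iptables stop || true
    cp "$tmp" /etc/sysconfig/iptables && rm -f "$tmp"
    service iptables start
}

# Usage from the vSphere console (assumed file name):
#   APPLY=1 sh nna-iptables.sh 22/tcp 80/tcp 5693/tcp 2055/udp
# Without APPLY=1 the script only defines the functions above.
if [ "${APPLY:-}" = 1 ]; then
    apply_ruleset "$@"
fi
```

After it starts, confirm from the XI server with the nmap check above (`nmap <NNA server's IP address> -p 5693`) before closing the console session.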
Re: IP Tables & NCPA
Posted: Wed Oct 03, 2018 3:03 pm
by rkane
Appreciate it. These two lines are set to "NO" in my iptables-config. Do I need to edit them?
lmiltchev wrote:
Make sure you have these two lines:
Code:
IPTABLES_SAVE_ON_STOP="yes"
IPTABLES_SAVE_ON_RESTART="yes"
As well, service iptables stop results in the following error:
Code:
Failed to stop iptables.service: unit iptables.service not loaded
Re: IP Tables & NCPA
Posted: Wed Oct 03, 2018 3:42 pm
by lmiltchev
Code:
Failed to stop iptables.service: unit iptables.service not loaded

If you see the message above, then you most probably are using firewalld, NOT iptables, so ignore my previous message.
To see if firewalld is running, run:
Code:
systemctl status firewalld.service
To see what ports are opened, run:
Code:
firewall-cmd --zone=public --list-ports
To open ports, run:
Code:
firewall-cmd --zone=public --permanent --add-port=22/tcp
firewall-cmd --zone=public --permanent --add-port=80/tcp
firewall-cmd --zone=public --permanent --add-port=5693/tcp
firewall-cmd --zone=public --permanent --add-port=<source port>/udp
To reload the firewall, run:
After you are done, check the rules again:
Code:
firewall-cmd --zone=public --list-ports
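The firewalld procedure as one script, again an added example rather than code from the thread or from Nagios: one function tells the two answers in this thread apart by asking systemd whether firewalld or the iptables service is active (the "unit iptables.service not loaded" error above is the symptom of the firewalld case), and another emits the firewall-cmd sequence, ending with the `firewall-cmd --reload` that --permanent rules need before they take effect, then lists the zone's ports to confirm. The zone name public and ports 22/80/5693 are from the thread; 2055/udp as a flow source port and the DRY_RUN/APPLY knobs are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Nagios): pick the right firewall
# tool first, then open the NCPA/NNA ports with firewall-cmd. Zone "public" and
# ports 22/80/5693 are from the thread; 2055/udp and the knobs are assumptions.

# Decide from the two `systemctl is-active` answers which thread answer applies.
backend_from_status() {   # $1 = firewalld state, $2 = iptables state
    case "$1:$2" in
        active:*) echo firewalld ;;
        *:active) echo iptables ;;
        *)        echo none ;;
    esac
}

# Ask systemd on the live host. "unit iptables.service not loaded" from
# `service iptables stop` is exactly the case where this prints "firewalld".
detect_backend() {
    fw=$(systemctl is-active firewalld 2>/dev/null || true)
    ipt=$(systemctl is-active iptables 2>/dev/null || true)
    backend_from_status "$fw" "$ipt"
}

# Emit the firewall-cmd sequence for "port/proto" specs. --permanent alone only
# edits the saved config, so the list ends with --reload and then a listing to verify.
firewalld_cmds() {
    zone=$1; shift
    for spec in "$@"; do
        case "$spec" in
            [0-9]*/tcp|[0-9]*/udp) echo "firewall-cmd --zone=$zone --permanent --add-port=$spec" ;;
            *) echo "firewalld_cmds: bad spec '$spec' (want port/tcp or port/udp)" >&2; return 1 ;;
        esac
    done
    echo 'firewall-cmd --reload'
    echo "firewall-cmd --zone=$zone --list-ports"
}

# Run the sequence (or only print it when DRY_RUN is set). Stops at the first
# failing command so a typo is not reloaded into the live firewall.
open_ports() {
    cmds=$(firewalld_cmds "$@") || return 1
    printf '%s\n' "$cmds" | while IFS= read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then
            echo "$cmd"
        else
            $cmd || { echo "failed: $cmd" >&2; exit 1; }
        fi
    done
}

# End-to-end run from the vSphere console (assumed file name):
#   APPLY=1 sh nna-firewalld.sh
# then from the XI server:  nmap <NNA server's IP address> -p 5693
if [ "${APPLY:-}" = 1 ]; then
    case "$(detect_backend)" in
        firewalld) open_ports public 22/tcp 80/tcp 5693/tcp 2055/udp ;;
        iptables)  echo 'iptables service is active: edit /etc/sysconfig/iptables instead' >&2; exit 1 ;;
        *)         echo 'no firewall service active; nothing to open' >&2; exit 1 ;;
    esac
fi
```

Run it with DRY_RUN=1 first to see the exact commands; the trailing --list-ports output is the same check the post above ends with.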
Re: IP Tables & NCPA
Posted: Wed Oct 03, 2018 4:01 pm
by rkane
Done and done, thank you sir.
Case closed
Re: IP Tables & NCPA
Posted: Wed Oct 03, 2018 4:09 pm
by lmiltchev
I am glad I could help!
I am closing this topic.