
Firewall problem with nrpe connection?

Posted: Fri May 03, 2019 10:11 am
by IvanMohic
Hi,

I've properly configured the nrpe client on a Debian server, and it works fine. After rebooting this server, it stops connecting to the nagios server. This is the error from the Nagios console: "(No output on stdout) stderr: connect to address ...".
I did some tests and finally found that the problem can be solved by running the following commands again (from this article: https://support.nagios.com/kb/article.php?id=515#Debian)

iptables -I INPUT -p tcp --destination-port 5666 -j ACCEPT
apt-get install -y iptables-persistent
Answer yes to saving existing rules

Can you help me understand how this rule works and how I can make the rule persistent? It seems it's not.

Thanks!

Re: Firewall problem with nrpe connection?

Posted: Fri May 03, 2019 11:32 am
by scottwilkerson
I'm going to modify that doc, but you can run the following any time you make a change to the firewall rules to make them stick:

iptables-save > /etc/iptables/rules

Re: Firewall problem with nrpe connection?

Posted: Mon May 06, 2019 2:15 am
by IvanMohic
I tried the command you suggested, but no result. Same issue as before, after reboot the connection is refused.
This is the error from Nagios console: (No output on stdout) stderr: connect to address xxx.xx.xxx.xxx port 5666: Connection refused

Re: Firewall problem with nrpe connection?

Posted: Mon May 06, 2019 6:55 am
by scottwilkerson
Let's see what's in here:

cat /etc/iptables/rules
Also, is the service running?

systemctl status nrpe

Re: Firewall problem with nrpe connection?

Posted: Tue May 07, 2019 2:11 am
by IvanMohic
Yes, the nrpe service runs correctly after reboot:
debian-ftp:~# systemctl status nrpe
● nrpe.service - Nagios Remote Plugin Executor
Loaded: loaded (/lib/systemd/system/nrpe.service; enabled)
Active: active (running) since mar 2019-05-07 08:50:46 CEST; 3min 1s ago
Docs: http://www.nagios.org/documentation
Main PID: 490 (nrpe)
CGroup: /system.slice/nrpe.service
└─490 /usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg...

mag 07 08:50:46 debian-ftp systemd[1]: Started Nagios Remote Plugin Executor.
mag 07 08:50:46 debian-ftp nrpe[490]: Starting up daemon
mag 07 08:50:46 debian-ftp nrpe[490]: Server listening on 0.0.0.0 port 5666.
mag 07 08:50:46 debian-ftp nrpe[490]: Server listening on :: port 5666.
mag 07 08:50:46 debian-ftp nrpe[490]: Warning: Daemon is configured to acce...s!
mag 07 08:50:46 debian-ftp nrpe[490]: Listening for connections on port 5666
mag 07 08:50:46 debian-ftp nrpe[490]: Allowing connections from: 127.0.0.1,...54
Hint: Some lines were ellipsized, use -l to show in full.
debian-ftp:~# iptables -I INPUT -p tcp --destination-port 5666 -j ACCEPT

Here is the rules.v4 file:
debian-ftp:~# cat /etc/iptables/rules.v4
# Generated by iptables-save v1.4.21 on Tue Apr 30 17:21:28 2019
*filter
:INPUT ACCEPT [2:120]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [163:40002]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m tcp --dport 5666 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -s 192.168.10.12/32 -j ACCEPT
-A INPUT -s 192.168.10.0/24 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -s 192.168.10.0/24 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -s 192.168.10.0/24 -p tcp -m state --state NEW -m tcp --dport 4000 -j ACCEPT
-A INPUT -s 192.168.10.0/24 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Tue Apr 30 17:21:28 2019
debian-ftp:~#

Re: Firewall problem with nrpe connection?

Posted: Tue May 07, 2019 10:03 am
by scottwilkerson
I believe you may need to enable the service

sudo systemctl enable iptables-persistent
sudo systemctl start iptables-persistent

Re: Firewall problem with nrpe connection?

Posted: Thu May 09, 2019 4:29 am
by IvanMohic
systemctl enable iptables-persistent
Failed to start iptables-persistent.service: Unit iptables-persistent.service failed to load: No such file or directory.

Re: Firewall problem with nrpe connection?

Posted: Thu May 09, 2019 7:02 am
by scottwilkerson
I see that in newer versions the service name has changed.
Let's try:

sudo systemctl enable netfilter-persistent
sudo systemctl start netfilter-persistent

Re: Firewall problem with nrpe connection?

Posted: Wed May 15, 2019 7:09 am
by IvanMohic
Nothing changed, same result.

I need to run again this command:
iptables -I INPUT -p tcp --destination-port 5666 -j ACCEPT

Any idea?

Thanks,
Ivan

Re: Firewall problem with nrpe connection?

Posted: Wed May 15, 2019 7:53 am
by scottwilkerson
Are you running the following after adding the iptables rules?

iptables-save > /etc/iptables/rules
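The procedure discussed in this thread (insert an ACCEPT for TCP/5666, save it, check the nrpe service and the saved rules file) worked through as an added example; this is not code from the thread or from the Nagios KB article. Two things differ from the commands posted above: the rule is scoped to the Nagios server's address instead of accepting 5666 from any source, and the save goes to /etc/iptables/rules.v4, the file netfilter-persistent restores at boot (a file named /etc/iptables/rules is not read by it). The Nagios server address 192.0.2.10, the RULES_FILE path, the check_nrpe location and the sample rules dump are assumptions constructed for the example, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the Nagios KB article: open TCP/5666
# to the Nagios server only, persist the rule where Debian's
# netfilter-persistent actually looks for it, and verify the saved file.
#
# Assumptions (not stated in the thread): the Nagios server is 192.0.2.10
# (placeholder, override with NAGIOS_SERVER), the IPv4 rules file is
# /etc/iptables/rules.v4, and check_nrpe lives in /usr/local/nagios/libexec.
NAGIOS_SERVER="${NAGIOS_SERVER:-192.0.2.10}"
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"
CHECK_NRPE="${CHECK_NRPE:-/usr/local/nagios/libexec/check_nrpe}"

# Rule specification shared by the check (-C) and insert (-I) calls. Unlike
# the thread's rule it carries a source match: accepting 5666 from anywhere
# exposes the NRPE daemon to every host that can reach the box.
nrpe_rule_spec() {
    printf '%s' "INPUT -s ${NAGIOS_SERVER}/32 -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT"
}

# Idempotent insert at the top of INPUT, so the rule precedes the catch-all
# REJECT that produces the "Connection refused" seen in the thread. Needs root.
ensure_nrpe_rule() {
    iptables -C $(nrpe_rule_spec) 2>/dev/null || iptables -I $(nrpe_rule_spec)
}

# netfilter-persistent's iptables plugin restores /etc/iptables/rules.v4 (and
# rules.v6) at boot. /etc/iptables/rules without a suffix is never read, so a
# rule saved there is gone after a reboot even though the service is enabled.
persist_rules() {
    iptables-save > "$RULES_FILE"   # equivalent: netfilter-persistent save
}

# Pure text check on an iptables-save dump (no root needed): an INPUT rule
# accepting TCP dport 5666 must exist and must come before the first INPUT
# REJECT/DROP that has no port or INVALID-state match, i.e. the catch-all.
# Only ordering is checked; the -s scoping of the catch-all is not interpreted.
rules_file_allows_nrpe() {
    awk '
        /^-A INPUT / {
            if (!accept && $0 ~ /--dport 5666/ && $0 ~ /-j ACCEPT/) accept = NR
            if (!deny && $0 !~ /--dport|--sport|INVALID/ && $0 ~ /-j (REJECT|DROP)/) deny = NR
        }
        END { exit !(accept && (!deny || accept < deny)) }
    ' "$1"
}

# Constructed sample in the shape of the thread's rules.v4 (not a real host's file).
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT
-A INPUT -s 192.168.10.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.10.0/24 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# End-to-end check from the Nagios server side: the same call Nagios makes.
nrpe_reachable() {
    "$CHECK_NRPE" -H "$1"
}

case "${1:-}" in
    apply) ensure_nrpe_rule && persist_rules && rules_file_allows_nrpe "$RULES_FILE" ;;
    check) rules_file_allows_nrpe "${2:-$RULES_FILE}" ;;
    probe) nrpe_reachable "${2:?host}" ;;
esac
```

Run `sh nrpe_fw.sh apply` as root on the NRPE host, then `sh nrpe_fw.sh check` after the reboot to confirm the saved file still carries the rule in the right position; `sh nrpe_fw.sh probe <host>` is run from the Nagios server and reproduces the check that produced the error in the thread. The check works on the saved file rather than the live ruleset because the saved file is what netfilter-persistent loads at boot.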