
NSCA Server - Firewall Rules

Firewall Rules

These steps explain how to check whether the Operating System (OS) of the Nagios server has firewall rules enabled to allow inbound NSCA TCP port 5667 traffic. The supported OSes use different firewall commands, which are explained below.

You will need to establish an SSH session to the Nagios server that is receiving NSCA traffic.

 

RHEL 6 | CentOS 6 | Oracle Linux 6

There are separate firewall daemons for IPv4 and IPv6, and hence there are separate commands, which are provided below.

First check the status of the firewall:

IPv4

service iptables status

IPv6

service ip6tables status

 

IF the firewall is running, it should produce output like:

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5667
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
8    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:162
9    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

 

Specifically, this line tells us that the firewall rule exists and is allowing inbound TCP traffic on port 5667:

1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5667 

 

If this firewall rule DOES NOT exist, then it can be added by executing the following commands:

IPv4

iptables -I INPUT -p tcp --dport 5667 -j ACCEPT
service iptables save

IPv6

ip6tables -I INPUT -p tcp --dport 5667 -j ACCEPT
service ip6tables save

 

IF the firewall is NOT running, it will produce this output:

iptables: Firewall is not running.

 

If the firewall is NOT running, this means that inbound traffic is allowed.

To ENABLE the firewall on boot and to start it, execute the following commands:

IPv4

chkconfig iptables on
service iptables start

IPv6

chkconfig ip6tables on
service ip6tables start

 

 

RHEL 7 | CentOS 7 | Oracle Linux 7

First check the status of the firewall:

systemctl status firewalld.service

 

IF the firewall is running, it should produce output like:

● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2018-11-20 10:05:15 AEDT; 1 weeks 0 days ago
     Docs: man:firewalld(1)
 Main PID: 647 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─647 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

 

IF the firewall is NOT running, it will produce this output:

● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Tue 2018-11-27 14:11:34 AEDT; 965ms ago
     Docs: man:firewalld(1)
 Main PID: 647 (code=exited, status=0/SUCCESS)

 

If the firewall is NOT running, this means that inbound traffic is allowed.

To ENABLE the firewall on boot and to start it, execute the following commands:

systemctl enable firewalld.service
systemctl start firewalld.service

 

To list the firewall rules execute this command:

firewall-cmd --list-all

 

Which should produce output like:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens32
  sources:
  services: dhcpv6-client ssh
  ports: 443/tcp 80/tcp 7878/tcp 162/udp 22/tcp 5667/tcp
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

 

Specifically, the ports line tells us that the firewall rule exists and is allowing inbound TCP traffic on port 5667:

  ports: 443/tcp 80/tcp 7878/tcp 162/udp 22/tcp 5667/tcp

 

If this firewall rule DOES NOT exist, then it can be added by executing the following commands:

firewall-cmd --zone=public --add-port=5667/tcp
firewall-cmd --zone=public --add-port=5667/tcp --permanent

 

 

Debian

Debian has the iptables firewall installed but not enabled by default. The firewall rules are maintained by the netfilter-persistent service, which is not installed by default. You can determine whether it is installed with the following command:

systemctl status netfilter-persistent.service

 

If you receive this output then there is no firewall service active on your Debian machine:

Unit netfilter-persistent.service could not be found.

This means all inbound traffic is allowed, so you will receive NSCA traffic.

 

If you receive this output then the firewall service is active on your Debian machine:

● netfilter-persistent.service - netfilter persistent configuration
   Loaded: loaded (/lib/systemd/system/netfilter-persistent.service; enabled)
   Active: active (exited) since Tue 2018-11-27 14:24:11 AEDT; 1min 26s ago
 Main PID: 17749 (code=exited, status=0/SUCCESS)

 

If the netfilter-persistent service is enabled you can now check the status of the firewall:

iptables --list

 

An open firewall config would produce output like:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

You can see no rules exist.

If a rule did exist allowing inbound TCP traffic on port 5667 then it would look like this:

target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:nsca

 

If this firewall rule DOES NOT exist, then it can be added by executing the following command:

iptables -I INPUT -p tcp --destination-port 5667 -j ACCEPT

 

 

Ubuntu

Ubuntu uses the Uncomplicated Firewall (ufw) to manage firewall rules; however, it is not enabled on a default install. You can check whether it is enabled with the following command:

ufw status

 

IF the firewall is NOT running, it will produce this output:

Status: inactive

 

IF the firewall is running, it should produce output like:

Status: active

 

If the firewall is NOT running, this means that inbound traffic is allowed (you will receive NSCA traffic).

 

To ENABLE the firewall on boot and to start it, execute the following command:

ufw enable

Be careful executing this command: you will not be able to access the server when it next reboots, as the default configuration is to deny all incoming connections. You will need to add rules for all the different ports used to connect to this server.

 

To list the firewall rules execute this command:

ufw status verbose

 

Which should produce output like:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
5667/tcp                   ALLOW IN    Anywhere
5667/tcp (v6)              ALLOW IN    Anywhere (v6)

 

You can see from the output that firewall rules exist allowing inbound TCP traffic on port 5667.

 

If this firewall rule DOES NOT exist, then it can be added by executing the following commands:

ufw allow nsca
ufw reload

 

 

Conclusion

With these steps you will be able to confirm that the Nagios server has the correct firewall rules enabled to allow it to receive NSCA TCP traffic on port 5667.

Your next troubleshooting step would be to enable debug logging.

 

 

Final Thoughts

For any support related questions please visit the Nagios Support Forums at:

http://support.nagios.com/forum/
