I need help with the rules for Icinga on a KVM host (internal IP
192.168.1.66) with multiple VM guests. The Icinga master runs on 192.168.1.66
and one Icinga client runs on 192.168.1.70.

Here are the shorewall (5.2.3.2) config files:

zones:
fw              firewall
net             ipv4
loc             ipv4

interfaces:
net             vmbr0           detect          dhcp,routefilter,tcpflags
loc             vmbr1           detect          routeback,bridge

# ip a show vmbr1
7: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 86:a4:93:f6:78:b2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.66/24 brd 192.168.1.255 scope global vmbr1

vmbr0 is the external IP.

# grep ICINGA rules
ICINGA(ACCEPT)          loc:192.168.1.70        $FW
ICINGA(ACCEPT)          $FW                     loc:192.168.1.70
ICINGA(ACCEPT)          loc:192.168.1.75        $FW
ICINGA(ACCEPT)          $FW                     loc:192.168.1.75
ICINGA(ACCEPT)          loc:192.168.1.84        $FW
ICINGA(ACCEPT)          $FW                     loc:192.168.1.84
ICINGA(ACCEPT)          loc:192.168.1.85        $FW
ICINGA(ACCEPT)          $FW                     loc:192.168.1.85

# shorewall show | grep ICINGA
   0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.70         tcp dpt:5665 /* ICINGA */
   0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.75         tcp dpt:5665 /* ICINGA */
   0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.84         tcp dpt:5665 /* ICINGA */
   0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.85         tcp dpt:5665 /* ICINGA */
   0     0 ACCEPT     tcp  --  *      *       192.168.1.70         0.0.0.0/0            tcp dpt:5665 /* ICINGA */
   0     0 ACCEPT     tcp  --  *      *       192.168.1.75         0.0.0.0/0            tcp dpt:5665 /* ICINGA */
   0     0 ACCEPT     tcp  --  *      *       192.168.1.84         0.0.0.0/0            tcp dpt:5665 /* ICINGA */
   0     0 ACCEPT     tcp  --  *      *       192.168.1.85         0.0.0.0/0            tcp dpt:5665 /* ICINGA */

With this configuration on 192.168.1.66 the Icinga client on 192.168.1.70
can't connect to the master:

# telnet 192.168.1.66 5665
Trying 192.168.1.66...
telnet: Unable to connect to remote host: Connection refused

The same on 192.168.1.1 shows:

# telnet 192.168.1.66 5665
Trying 192.168.1.66...
Connected to 192.168.1.66.
Escape character is '^]'.

What am I doing wrong in my firewall rules?

Best regards

Andreas
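
A diagnostic check that fits the question above, added here as an example and not part of the original post or of Shorewall's own tooling: it parses ACCEPT lines in `shorewall show` output (iptables -nv column layout) and, for each Icinga peer, reports whether both directions of the port 5665 rule exist and whether their packet counters have ever moved. The sample lines are constructed: the two posted rules for 192.168.1.70, plus a made-up non-zero counter for 192.168.1.75 so that a matched rule is also represented; the chain column is absent because the posted output was filtered through grep.

```python
import re
from collections import namedtuple

# Constructed sample in `shorewall show` (iptables -nv) format: the two posted
# rules for 192.168.1.70, plus a made-up non-zero counter for 192.168.1.75.
SAMPLE_SHOW = """\
   0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.70         tcp dpt:5665 /* ICINGA */
   0     0 ACCEPT     tcp  --  *      *       192.168.1.70         0.0.0.0/0            tcp dpt:5665 /* ICINGA */
  12   720 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.75         tcp dpt:5665 /* ICINGA */
"""
Rule = namedtuple("Rule", "pkts target proto src dst dport")
# Columns: pkts bytes target prot opt in out source destination [match text]
LINE_RE = re.compile(
    r"^\s*(\d+[KMG]?)\s+\d+[KMG]?\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s*(.*)$")

def to_count(text):
    """iptables abbreviates large counters (12K, 3M, 1G); expand them to ints."""
    mult = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
    return int(text[:-1]) * mult[text[-1]] if text[-1] in mult else int(text)

def parse_show(text):
    """Turn the rule lines of `shorewall show` into Rule tuples; other lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pkts, target, proto, src, dst, rest = m.groups()
        dport = re.search(r"dpt:(\d+)", rest)
        rules.append(Rule(to_count(pkts), target, proto, src, dst,
                          int(dport.group(1)) if dport else None))
    return rules

def audit_icinga(rules, peers, port=5665):
    """Per peer, packets counted by the peer->fw and fw->peer ACCEPT rules for `port`.
    None: no rule for that direction.  0: rule present but never matched by any packet."""
    report = {}
    for peer in peers:
        hits = [r for r in rules if r.target == "ACCEPT" and r.dport == port]
        to_fw = [r.pkts for r in hits if r.src == peer]
        from_fw = [r.pkts for r in hits if r.dst == peer]
        report[peer] = {"peer_to_fw": sum(to_fw) if to_fw else None,
                        "fw_to_peer": sum(from_fw) if from_fw else None}
    return report

def never_matched(report):
    """(peer, direction) pairs whose rule is missing or has a zero counter."""
    return sorted((peer, d) for peer, dirs in report.items()
                  for d, pkts in dirs.items() if not pkts)
```

Run it against the real `shorewall show` output after a failed connection attempt: a rule that still shows 0 packets afterwards never saw the connection, which points the next look at the chain's earlier rules and its policy rather than at the rule itself.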

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users