Hi,
I would like to open port 10050/10051 for zabbix. I know how to open ports on a Linux system via iptables. I have been through the usual /sbin/iptables -A INPUT -s 127.0.0.1 -m state --state NEW -p tcp --dport 10051 -j ACCEPT and /sbin/iptables-save with no luck. I tried looking for /etc/sysconfig/iptables to edit it in there but the iptables file does not exist. Through webconfig I added the port in an Incoming rule and restarted the firewall service. This does not work either.
Can somebody please help me to open a port?
Accepted Answer
The output would look a lot better in code tags. This line:
4036 756K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
allows local loopback (127.0.0.1) and this line:
320K 35M ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
looks like your local LAN and all traffic is allowed in from your local LAN. The DROP rules above are for your two WANs or for specific items and not for general LAN traffic.
You've also opened a number of ports to the internet - UDP:5050 and TCP:1875,20,81,555,554,10050 and 10051 - which look odd to me. 10050 and 10051 you've said are the zabbix ports, but why open them to the internet? Also did you want to open the webconfig to the internet? -
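The check the answer above does by eye, as an added example that is not part of the original thread: a shell function that reads `iptables -L INPUT -n -v` output and lists the ports accepted from any source on any interface. The sample rules are constructed from the listing posted in this thread, with 203.0.113.10 as a placeholder for the redacted external IP; the function name `world_open_ports` is hypothetical.

```shell
#!/bin/sh
# Added example: list INPUT rules that ACCEPT a destination port from any
# source (0.0.0.0/0) on any interface (in = *), i.e. ports open to the WAN.

# Column layout of `iptables -L <chain> -n -v`:
#   pkts bytes target prot opt in out source destination [match options...]
world_open_ports() {
    awk '
        $3 == "ACCEPT" && $6 == "*" && $8 == "0.0.0.0/0" {
            # A rule limited to reply traffic (state without NEW) does not
            # open a port to new connections, so skip it.
            for (i = 10; i < NF; i++)
                if ($i == "state" && $(i + 1) !~ /NEW/) next
            for (i = 10; i <= NF; i++)
                # "dpt:81" is one port, "dpts:10050:10051" is a range
                if ($i ~ /^dpts?:/) {
                    port = $i
                    sub(/^dpts?:/, "", port)
                    print $4 "/" port
                }
        }
    '
}

# Constructed sample input, modelled on the listing in this thread.
SAMPLE='Chain INPUT (policy DROP 993 packets, 129K bytes)
 pkts bytes target prot opt in out source destination
 73 4744 fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
 4036 756K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
 320K 35M ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
 0 0 ACCEPT udp -- * * 0.0.0.0/0 203.0.113.10 udp dpt:5050
 0 0 ACCEPT tcp -- * * 0.0.0.0/0 203.0.113.10 tcp dpt:81
 0 0 ACCEPT tcp -- * * 0.0.0.0/0 203.0.113.10 tcp dpts:10050:10051
 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED
 327K 410M ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED'

printf '%s\n' "$SAMPLE" | world_open_ports
```

On a live gateway the same function can be fed directly with `iptables -L INPUT -n -v | world_open_ports`; each port it reports should either be a service meant for the internet or be restricted to a source address or LAN interface.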
Accepted Answer
[root@firewall ~]# iptables -L INPUT -n -v
Chain INPUT (policy DROP 993 packets, 129K bytes)
pkts bytes target prot opt in out source destination
73 4744 fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 DROP all -- * * 200.79.7.222 0.0.0.0/0
654 56455 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x12/0x12 state NEW reject-with tcp-reset
637 92239 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
0 0 DROP all -- eth1 * 127.0.0.0/8 0.0.0.0/0
0 0 DROP all -- eth1 * 169.254.0.0/16 0.0.0.0/0
0 0 DROP all -- eth2 * 127.0.0.0/8 0.0.0.0/0
0 0 DROP all -- eth2 * 169.254.0.0/16 0.0.0.0/0
4036 756K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
320K 35M ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
107 3103 ACCEPT icmp -- eth1 * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- eth1 * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- eth1 * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- eth1 * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
0 0 ACCEPT icmp -- eth2 * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- eth2 * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- eth2 * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- eth2 * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT udp -- eth2 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 ACCEPT tcp -- eth2 * 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
0 0 ACCEPT udp -- * * 0.0.0.0/0 our external ip udp dpt:5050
0 0 ACCEPT tcp -- * * 0.0.0.0/0 our external ip tcp dpt:1875
0 0 ACCEPT tcp -- * * 0.0.0.0/0 our external ip tcp dpt:20
0 0 ACCEPT tcp -- * * 0.0.0.0/0 our external ip tcp dpt:81
0 0 ACCEPT tcp -- * * 0.0.0.0/0 our external ip tcp dpt:555
0 0 ACCEPT tcp -- * * 0.0.0.0/0 our external ip tcp dpt:554
0 0 ACCEPT tcp -- * * 0.0.0.0/0 our external ip tcp dpt:10050
0 0 ACCEPT tcp -- * * 0.0.0.0/0 our external ip tcp dpt:10051
11980 2149K ACCEPT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED,ESTABLISHED
327K 410M ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- eth2 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth2 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 sta -
Accepted Answer
Where is ClearOS in this? Is it your gateway? Is zabbix running on ClearOS or some other machine? If it is another machine, where is it? If it is running on ClearOS then you should not need any iptables rules as this one covers it:
[root@server ~]# iptables -L INPUT -n -v | grep -e lo -e Chain -e pkts
Chain INPUT (policy DROP 7130 packets, 837K bytes)
pkts bytes target prot opt in out source destination
778K 174M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 -
Accepted Answer
Hi Nick
After adding the rule to webconfig (please see screenshot attached) I get this output checking my iptables.
[root@firewall sysconfig]# iptables -L INPUT -n -v |grep :10050
0 0 ACCEPT tcp -- * * 0.0.0.0/0 firewall_external_ip tcp dpts:10050:10051
Somehow I still get the same zabbix error .... I think the zabbix trapper listens on port 127.0.0.1:10051 on the agents in order to send checks to the server. That might be the issue. I hope this makes sense -
Accepted Answer
Sorry my post crossed with Tim's so you may now get a mess of replies from both of us!
If you're using the Webconfig, don't use a standard service, use Port or Port Range options.
If /etc/clearos does not exist then I assume you are not running 6.x but 5.x in which case the file is /etc/rc.d/rc.firewall.local.
Netstat does not give open ports, just listening ports. Something can be listening on a closed port (a bit of a waste of effort ...). To look at your input rules do:
iptables -L INPUT -n -v
-
Accepted Answer
I have tried to use the webconfig. That does not work either. Is there maybe a standard service that I should select or leave as is? I am not trying to add a source of 127.0.0.1. I don't know why Zabbix is doing that when it starts up.
I know the port is not open, only the other zabbix port 10050. That is preventing the zabbix agent from communicating with my server.
[root@firewall sysconfig]# netstat -aln |grep 1005
tcp 0 0 0.0.0.0:10050 0.0.0.0:* LISTEN
unix 2 [ ] DGRAM 100599866
Also as mentioned earlier this directory does not exist:
/etc/clearos -
Accepted Answer
Why not just use the incoming firewall in the Webconfig - no need to restart the firewall. That happens automatically when needed. Also why do you want to add a source of 127.0.0.1? That should be allowed by default anyway (by the "in = lo" rule you can see with "iptables -L INPUT -n -v").
If you want to do it manually you can use the Custom Firewall module in the Webconfig (but make sure the rule works first at the command line) or add the rule to /etc/clearos/firewall.d/local, but again, make sure the rule works first at the command line. I also would not worry about the "state" module from your rule. -
Accepted Answer
I am trying to open that port for all IP 0.0.0.0. Every time I start up zabbix agent on the server this is the error I am getting in the logs.
25593:20130710:150032.889 active check configuration update from [127.0.0.1:10051] started to fail (cannot connect to [[127.0.0.1]:10051]: [111] Connection refused)
My zabbix server is 192.168.0.5 and the agent is on 192.168.0.2 (same network). There is also no /etc/clearos on my system. The incoming page rules do not open the port either. -
Accepted Answer
Why do you have -s 127.0.0.1? (That's for packets matching the local loopback interface.)
ClearOS stores its firewall custom entries in /etc/clearos/firewall.d/custom (or local).
The firewall incoming page is all you need normally? Works fine here.... Can you give more details on your network setup and where you are trying to access it from?