
Deon
Resolved
0 votes
Hi,

I would like to open port 10050/10051 for zabbix. I know how to open ports on a Linux system via iptables. Been through the usual /sbin/iptables -A INPUT -s 127.0.0.1 -m state --state NEW -p tcp --dport 10051 -j ACCEPT and /sbin/iptables-save with no luck. I tried looking for /etc/sysconfig/iptables to edit it in there but the iptables file does not exist. Through webconfig added port in Incoming rule and restarted firewall service. This does not work either.

Can somebody please help me to open a port?
Wednesday, July 10 2013, 12:07 PM
Responses (15)
  • Accepted Answer

    Wednesday, December 30 2015, 08:06 AM - #Permalink
    Resolved
    0 votes
    Hi guys, I installed zabbix server and finally it is showing an error like this as h. Even though I disabled SELinux, it is still showing like this.
  • Accepted Answer

    Tuesday, August 13 2013, 04:24 PM - #Permalink
    Resolved
    -1 votes
    The output would look a lot better in code tags. This line:
     4036  756K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    allows local loopback (127.0.0.1) and this line:
     320K   35M ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    looks like your local LAN and all traffic is allowed in from your local LAN. The DROP rules above are for your two WANs or for specific items and not for general LAN traffic.

    You've also opened a number of ports to the internet - UDP:5050 and TCP:1875,20,81,555,554,10050 and 10051 - which look odd to me. 10050 and 10051 you've said are the zabbix ports, but why open them to the internet? Also did you want to open the webconfig to the internet?
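Added example (not part of the thread or of ClearOS): the check made in the reply above, finding ACCEPT rules that admit a port from any source on any interface, run over a constructed listing in `iptables -L INPUT -n -v` format. The function names and the address 203.0.113.10, which stands in for the redacted external IP, are assumptions.

```shell
#!/bin/sh
# Constructed sample in `iptables -L INPUT -n -v` format; 203.0.113.10 is a
# placeholder for the external IP.
sample_rules() {
cat <<'EOF'
Chain INPUT (policy DROP 993 packets, 129K bytes)
 pkts bytes target     prot opt in     out     source               destination
   73  4744 fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
 4036  756K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 320K   35M ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            203.0.113.10        udp dpt:5050
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            203.0.113.10        tcp dpts:10050:10051
 327K  410M ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpts:1024:65535 state RELATED,ESTABLISHED
EOF
}

# Reads a listing on stdin and prints "proto port(s) destination" for every
# ACCEPT rule that matches any source (0.0.0.0/0) on any interface (*).
# Columns: pkts bytes target prot opt in out source destination [matches]
exposed_ports() {
  awk '
    $3 == "ACCEPT" && ($4 == "tcp" || $4 == "udp") &&
    $6 == "*" && $8 == "0.0.0.0/0" {
      replies_only = 0; port = ""
      for (i = 10; i <= NF; i++) {
        # "state RELATED,ESTABLISHED" admits return traffic only
        if ($i == "state" && $(i + 1) !~ /NEW/) replies_only = 1
        if ($i ~ /^dpts?:/) { port = $i; sub(/^dpts?:/, "", port) }
      }
      if (port != "" && !replies_only) print $4, port, $9
    }'
}

sample_rules | exposed_ports
```

On a live system, pipe the output of `iptables -L INPUT -n -v` into `exposed_ports` instead of the sample.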
  • Accepted Answer

    Deon
    Tuesday, August 13 2013, 02:53 PM - #Permalink
    Resolved
    0 votes
    [root@firewall ~]# iptables -L INPUT -n -v
    Chain INPUT (policy DROP 993 packets, 129K bytes)
    pkts bytes target prot opt in out source destination
    73 4744 fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
    0 0 DROP all -- * * 200.79.7.222 0.0.0.0/0
    654 56455 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x12/0x12 state NEW reject-with tcp-reset
    637 92239 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
    0 0 DROP all -- eth1 * 127.0.0.0/8 0.0.0.0/0
    0 0 DROP all -- eth1 * 169.254.0.0/16 0.0.0.0/0
    0 0 DROP all -- eth2 * 127.0.0.0/8 0.0.0.0/0
    0 0 DROP all -- eth2 * 169.254.0.0/16 0.0.0.0/0
    4036 756K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
    320K 35M ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
    107 3103 ACCEPT icmp -- eth1 * 0.0.0.0/0 0.0.0.0/0 icmp type 0
    0 0 ACCEPT icmp -- eth1 * 0.0.0.0/0 0.0.0.0/0 icmp type 3
    0 0 ACCEPT icmp -- eth1 * 0.0.0.0/0 0.0.0.0/0 icmp type 8
    0 0 ACCEPT icmp -- eth1 * 0.0.0.0/0 0.0.0.0/0 icmp type 11
    0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
    0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
    0 0 ACCEPT icmp -- eth2 * 0.0.0.0/0 0.0.0.0/0 icmp type 0
    0 0 ACCEPT icmp -- eth2 * 0.0.0.0/0 0.0.0.0/0 icmp type 3
    0 0 ACCEPT icmp -- eth2 * 0.0.0.0/0 0.0.0.0/0 icmp type 8
    0 0 ACCEPT icmp -- eth2 * 0.0.0.0/0 0.0.0.0/0 icmp type 11
    0 0 ACCEPT udp -- eth2 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
    0 0 ACCEPT tcp -- eth2 * 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
    0 0 ACCEPT udp -- * * 0.0.0.0/0 our external ip udp dpt:5050
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 our external ip tcp dpt:1875
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 our external ip tcp dpt:20
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 our external ip tcp dpt:81
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 our external ip tcp dpt:555
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 our external ip tcp dpt:554
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 our external ip tcp dpt:10050
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 our external ip tcp dpt:10051
    11980 2149K ACCEPT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED,ESTABLISHED
    327K 410M ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED
    0 0 ACCEPT udp -- eth2 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED,ESTABLISHED
    0 0 ACCEPT tcp -- eth2 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 sta
  • Accepted Answer

    Tuesday, August 13 2013, 02:45 PM - #Permalink
    Resolved
    0 votes
    As before, on its LAN side all ClearOS ports are normally open for input. What is the output of:
    iptables -L INPUT -n -v
  • Accepted Answer

    Deon
    Tuesday, August 13 2013, 01:54 PM - #Permalink
    Resolved
    0 votes
    Hi, I have triple-checked my zabbix config on the ClearOS machine and it is fine. There is most definitely something wrong with the port as I can't seem to open it..... Someone please help me.
  • Accepted Answer

    Deon
    Wednesday, July 10 2013, 02:12 PM - #Permalink
    Resolved
    0 votes
    Thank you Nick. Was thinking the same thing. Really odd as I have installed zabbix on a couple of servers and only the firewall gives issues. I really appreciate your help, will have to look further into this.
  • Accepted Answer

    Wednesday, July 10 2013, 02:08 PM - #Permalink
    Resolved
    0 votes
    ClearOS does not firewall the LAN at all, so all communication on your LAN is allowed. This tends to suggest a zabbix error somewhere.
  • Accepted Answer

    Deon
    Wednesday, July 10 2013, 02:01 PM - #Permalink
    Resolved
    0 votes
    Hi, ClearOS is in gateway mode. The zabbix server is running on the same network, same IP range, but on a different machine. Zabbix agent is only running on the ClearOS machine. I installed zabbix agents on other servers on the network and it works fine. Only having this issue on the ClearOS server.
  • Accepted Answer

    Wednesday, July 10 2013, 01:55 PM - #Permalink
    Resolved
    0 votes
    Where is ClearOS in this? Is it your gateway? Is zabbix running on ClearOS or some other machine? If it is another machine, where is it? If it is running on ClearOS then you should not need any iptables rules as this one covers it:
    [root@server ~]# iptables -L INPUT -n -v | grep -e lo -e Chain -e pkts
    Chain INPUT (policy DROP 7130 packets, 837K bytes)
    pkts bytes target prot opt in out source destination
    778K 174M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
  • Accepted Answer

    Deon
    Wednesday, July 10 2013, 01:39 PM - #Permalink
    Resolved
    0 votes
    Hi Nick

    After adding the rule to webconfig (please see screenshot attached) I get this output checking my iptables.

    [root@firewall sysconfig]# iptables -L INPUT -n -v |grep :10050
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 firewall_external_ip tcp dpts:10050:10051

    Somehow I still get the same zabbix error :( .... I think the zabbix trapper listens on port 127.0.0.1:10051 on the agents in order to send checks to the server. That might be the issue. I hope this makes sense
  • Accepted Answer

    Wednesday, July 10 2013, 01:16 PM - #Permalink
    Resolved
    0 votes
    Sorry my post crossed with Tim's so you may now get a mess of replies from both of us!

    If you're using the Webconfig, don't use a standard service, use Port or Port Range options.

    If /etc/clearos does not exist then I assume you are not running 6.x but 5.x in which case the file is /etc/rc.d/rc.firewall.local.

    Netstat does not give open ports, just listening ports. Something can be listening on a closed port (a bit of a waste of effort ...). To look at your input rules do:
    iptables -L INPUT -n -v
  • Accepted Answer

    Deon
    Wednesday, July 10 2013, 01:11 PM - #Permalink
    Resolved
    0 votes
    I have tried to use the webconfig. That does not work either. Is there maybe a standard service that I should select or leave as is? I am not trying to add a source of 127.0.0.1. I don't know why Zabbix is doing that when it starts up.

    I know the port is not open, only the other zabbix port 10050. That is preventing zabbix agent from communicating with my server.
    [root@firewall sysconfig]# netstat -aln |grep 1005
    tcp 0 0 0.0.0.0:10050 0.0.0.0:* LISTEN
    unix 2 [ ] DGRAM 100599866

    Also as mentioned earlier this directory does not exist:
    /etc/clearos
  • Accepted Answer

    Wednesday, July 10 2013, 01:04 PM - #Permalink
    Resolved
    0 votes
    Why not just use the incoming firewall in the Webconfig - no need to restart the firewall. That happens automatically when needed. Also why do you want to add a source of 127.0.0.1? That should be allowed by default anyway (by the "in = lo" rule you can see with "iptables -L INPUT -n -v").

    If you want to do it manually you can use the Custom Firewall module in the Webconfig (but make sure the rule works first at the command line) or add the rule to /etc/clearos/firewall.d/local, but again, make sure the rule works first at the command line. I also would not worry about the "state" module from your rule.
  • Accepted Answer

    Deon
    Wednesday, July 10 2013, 01:02 PM - #Permalink
    Resolved
    0 votes
    I am trying to open that port for all IP 0.0.0.0. Every time I start up zabbix agent on the server this is the error I am getting in the logs.

    25593:20130710:150032.889 active check configuration update from [127.0.0.1:10051] started to fail (cannot connect to [[127.0.0.1]:10051]: [111] Connection refused)

    My zabbix server is 192.168.0.5 and the agent is on 192.168.0.2 (same network). There is also no /etc/clearos on my system. The incoming page rules do not open the port either.
  • Accepted Answer

    Wednesday, July 10 2013, 12:57 PM - #Permalink
    Resolved
    0 votes
    Why do you have -s 127.0.0.1 (that's for packets matching the local loopback interface)?

    ClearOS stores its firewall custom entries in /etc/clearos/firewall.d/custom (or local)

    The firewall incoming page is all you need normally? Works fine here.... Can you give more details on your network setup and where you are trying to access it from?