Hello,
I'm trying to monitor a few servers on a different subnet, but the agent is not responding.
I'm a noob at iptables.
The server is on the 192.168.2.x network and has the following IP: 192.168.2.2
What rules do I need to add in iptables so that the agent can send data to the Zabbix server?
Below is the firewall configuration:
Code:
#!/bin/bash
ipt=`which iptables`
###############################################################################
# Filter Table
###############################################################################
# Clear any existing rules and set the default INPUT policy to DROP
# (no -P FORWARD is set here, so FORWARD keeps the kernel default of ACCEPT)
$ipt -F
$ipt -X
$ipt -P INPUT DROP
$ipt -t nat -F
$ipt -t nat -X
# Reset all iptables counters
$ipt -Z
# CHAIN: SYN-Flood checking
$ipt -N SYNFLOODCHECK
$ipt -A SYNFLOODCHECK -p tcp --syn -m limit --limit 300/s -j RETURN
$ipt -A SYNFLOODCHECK -p tcp --syn -j DROP
$ipt -A SYNFLOODCHECK -j RETURN
# Stop Syn-Flood
$ipt -A INPUT -j SYNFLOODCHECK
# loopback
$ipt -A INPUT -i lo -j ACCEPT
#########################################################################################################################################
#########################################################################################################################################
# SNAT & DNAT
$ipt -t nat -A PREROUTING -d xx.xx.xx.28 -j DNAT --to-destination 192.168.1.185
$ipt -t nat -A PREROUTING -d xx.xx.xx.27 -j DNAT --to-destination 192.168.2.203
$ipt -t nat -A PREROUTING -d xx.xx.xx.26 -j DNAT --to-destination 192.168.2.4
$ipt -t nat -A PREROUTING -d xx.xx.xx.25 -j DNAT --to-destination 192.168.2.21
$ipt -t nat -A PREROUTING -d xx.xx.xx.31 -j DNAT --to-destination 192.168.2.7
$ipt -t nat -A POSTROUTING -s 192.168.1.185 -j SNAT --to-source xx.xx.xx.28
$ipt -t nat -A POSTROUTING -s 192.168.2.203 -j SNAT --to-source xx.xx.xx.27
$ipt -t nat -A POSTROUTING -s 192.168.2.21 -j SNAT --to-source xx.xx.xx.25
$ipt -t nat -A POSTROUTING -s 192.168.2.0/24 ! -d 10.0.0.0/8 -j MASQUERADE   # negation goes before the option on current iptables
$ipt -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source xx.xx.xx.192
$ipt -t nat -A POSTROUTING -s 192.168.2.7 -j SNAT --to-source xx.xx.xx.31
# VPN
$ipt -A INPUT -s xx.xx.xx.83 -j ACCEPT #
$ipt -A INPUT -s xx.xx.xx.190 -j ACCEPT
$ipt -A INPUT -s 10.0.0.0/12 -j ACCEPT #
$ipt -A INPUT -s 10.100.0.0/19 -j ACCEPT
# Filter between local nets
$ipt -A FORWARD -s 10.0.0.0/8 -d 0.0.0.0/0 -j ACCEPT
$ipt -A FORWARD -s 0.0.0.0/0 -d 10.0.0.0/8 -j ACCEPT
#
$ipt -A FORWARD -s 192.168.1.0/24 -d 192.168.2.22 -j ACCEPT
$ipt -A FORWARD -s 192.168.2.22 -d 192.168.1.0/24 -j ACCEPT
$ipt -A FORWARD -s 192.168.1.0/24 -d 192.168.2.25 -j ACCEPT
$ipt -A FORWARD -s 192.168.2.25 -d 192.168.1.0/24 -j ACCEPT
$ipt -A FORWARD -s 192.168.1.0/24 -d 192.168.2.35 -j ACCEPT
$ipt -A FORWARD -s 192.168.2.35 -d 192.168.1.0/24 -j ACCEPT
# Zabbix server
$ipt -A FORWARD -s 192.168.1.0/24 -d 192.168.2.2 -j ACCEPT
$ipt -A FORWARD -s 192.168.2.2 -d 192.168.1.0/24 -j ACCEPT
$ipt -A FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -j DROP
$ipt -A FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -j DROP
# Allow all FORWARD
$ipt -A FORWARD -j ACCEPT
######################################################################################################
# Allow INPUT established connections
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
######################################################################################################
# ALLOW TOTAL ACCESS FROM:
$ipt -A INPUT -s xx.xx.xx.0/24 -j ACCEPT # Alc
$ipt -A INPUT -s xx.xx.xx.0/24 -j ACCEPT # Alc
$ipt -A INPUT -s xx.xx.xx.0/24 -j ACCEPT # Alc
$ipt -A INPUT -s xx.xx.xx.122 -j ACCEPT # Alc
$ipt -A INPUT -s 192.168.1.0/24 -j ACCEPT # LAN Clients
$ipt -A INPUT -s 192.168.2.0/24 -j ACCEPT # LAN Servers
$ipt -A INPUT -s xx.xx.xx.35 -j ACCEPT # serv
$ipt -A INPUT -s xx.xx.xx.130 -j ACCEPT #
$ipt -A INPUT -s xx.xx.xx.131/32 -j ACCEPT
$ipt -A INPUT -s 10.18.13.0/24 -j ACCEPT
# Allow ports ()
$ipt -A INPUT -p tcp --dport 80 -d xx.xx.xx.29 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -d xx.xx.xx.29 -j ACCEPT
$ipt -A INPUT -p tcp --dport 20 -d xx.xx.xx.29 -j ACCEPT
$ipt -A INPUT -p tcp --dport 3389 -j ACCEPT
$ipt -A INPUT -p tcp --dport 5010 -j ACCEPT
# Restrict SSH
# $ipt -A INPUT -s xx.xx.xx.248 -p tcp --dport 22 -j ACCEPT #
$ipt -A INPUT -p tcp --dport 22 -j DROP # all rest
$ipt -A INPUT -p tcp --dport 1433 -j DROP
# Restrict ICMP
$ipt -A INPUT -p icmp -s 192.168.1.0/24 -j ACCEPT # LAN Clients
$ipt -A INPUT -p icmp -s 192.168.2.0/24 -j ACCEPT # LAN Servers
$ipt -A INPUT -p icmp -s xx.xx.xx.0/24 -j ACCEPT
# $ipt -A INPUT -p icmp -j DROP # all rest
# ALLOW ACCESS FROM:
I can monitor servers from the 192.168.2.x network.
On the 192.168.1.x network the agent doesn't respond on telnet.
From the Zabbix server I can ping the 192.168.1.x servers.
The Zabbix server has access to the 192.168.1.x network:
Code:
# Zabbix server
$ipt -A FORWARD -s 192.168.1.0/24 -d 192.168.2.2 -j ACCEPT
$ipt -A FORWARD -s 192.168.2.2 -d 192.168.1.0/24 -j ACCEPT
Thanks for the support.
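To see which rule of the posted script actually decides the Zabbix traffic, here is an added example (not part of the forum post and not iptables itself): a small first-match model of an iptables base chain, loaded with the FORWARD rules in the exact order the script appends them and with a reduced INPUT chain. It assumes the agent is a passive Zabbix agent polled on TCP 10050, and it uses constructed addresses: 192.168.1.50 for an agent host on the client LAN, 198.51.100.1 for the firewall's own address and 203.0.113.5 for an arbitrary Internet host. Interfaces, conntrack state, the SYNFLOODCHECK user chain and NAT are deliberately left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    target: str
    src: str = ANY
    dst: str = ANY
    proto: Optional[str] = None   # None matches any protocol (no -p given)
    dport: Optional[int] = None   # only meaningful together with proto tcp/udp


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """Mirror the -s / -d / -p / --dport matches of a single rule."""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str) -> Tuple[str, Optional[int]]:
    """Walk the chain top to bottom; the first match decides, else the policy applies."""
    for number, rule in enumerate(chain, start=1):
        if matches(rule, pkt):
            return rule.target, number
    return policy, None


# FORWARD chain in the order the posted script appends it (rule numbers are 1-based).
FORWARD = [
    Rule("ACCEPT", src="10.0.0.0/8"),
    Rule("ACCEPT", dst="10.0.0.0/8"),
    Rule("ACCEPT", src="192.168.1.0/24", dst="192.168.2.22"),
    Rule("ACCEPT", src="192.168.2.22", dst="192.168.1.0/24"),
    Rule("ACCEPT", src="192.168.1.0/24", dst="192.168.2.25"),
    Rule("ACCEPT", src="192.168.2.25", dst="192.168.1.0/24"),
    Rule("ACCEPT", src="192.168.1.0/24", dst="192.168.2.35"),
    Rule("ACCEPT", src="192.168.2.35", dst="192.168.1.0/24"),
    Rule("ACCEPT", src="192.168.1.0/24", dst="192.168.2.2"),   # Zabbix server
    Rule("ACCEPT", src="192.168.2.2", dst="192.168.1.0/24"),   # Zabbix server
    Rule("DROP", src="192.168.1.0/24", dst="192.168.2.0/24"),
    Rule("DROP", src="192.168.2.0/24", dst="192.168.1.0/24"),
    Rule("ACCEPT"),                                            # Allow all FORWARD
]
FORWARD_POLICY = "ACCEPT"   # the script never sets -P FORWARD, so the kernel default stands

# INPUT chain reduced to the source- and port-based rules; loopback, VPN,
# state and the masked public addresses are omitted from this model.
INPUT = [
    Rule("ACCEPT", src="192.168.1.0/24"),   # LAN Clients
    Rule("ACCEPT", src="192.168.2.0/24"),   # LAN Servers
    Rule("ACCEPT", proto="tcp", dport=3389),
    Rule("ACCEPT", proto="tcp", dport=5010),
    Rule("DROP", proto="tcp", dport=22),    # "all rest"
    Rule("DROP", proto="tcp", dport=1433),
]
INPUT_POLICY = "DROP"   # from "$ipt -P INPUT DROP"

FIREWALL = "198.51.100.1"   # constructed stand-in for the firewall's own address


def zabbix_poll_forwarded() -> Tuple[str, Optional[int]]:
    """Server 192.168.2.2 polling a passive agent on 192.168.1.50:10050 (assumed port)."""
    return evaluate(FORWARD, Packet("192.168.2.2", "192.168.1.50", "tcp", 10050), FORWARD_POLICY)


def zabbix_reply_forwarded() -> Tuple[str, Optional[int]]:
    """The agent's reply: rule 9 covers it, so no RELATED,ESTABLISHED rule is needed in FORWARD."""
    return evaluate(FORWARD, Packet("192.168.1.50", "192.168.2.2", "tcp", 51234), FORWARD_POLICY)


def other_server_forwarded() -> Tuple[str, Optional[int]]:
    """A client-LAN host reaching a server not listed above is stopped by the DROP pair."""
    return evaluate(FORWARD, Packet("192.168.1.50", "192.168.2.100", "tcp", 10050), FORWARD_POLICY)


def to_firewall(src: str, dport: int) -> Tuple[str, Optional[int]]:
    """Traffic addressed to the firewall itself goes through INPUT."""
    return evaluate(INPUT, Packet(src, FIREWALL, "tcp", dport), INPUT_POLICY)


if __name__ == "__main__":
    print("server -> agent :10050      ", zabbix_poll_forwarded())
    print("agent  -> server (reply)    ", zabbix_reply_forwarded())
    print("client -> other server      ", other_server_forwarded())
    print("LAN client -> firewall :22  ", to_firewall("192.168.1.50", 22))
    print("Internet   -> firewall :22  ", to_firewall("203.0.113.5", 22))
    print("Internet   -> firewall :3389", to_firewall("203.0.113.5", 3389))
```

Run as a script it shows that both directions between 192.168.2.2 and 192.168.1.0/24 already hit the two "Zabbix server" ACCEPT rules (9 and 10) before the DROP pair, so this firewall is not what blocks the poll; the agent host's own firewall or the agent's Server= setting is the next place to look. The INPUT walk also shows why the "Restrict SSH" DROP never sees LAN traffic (the LAN source ACCEPTs come first) and that the 3389 and 5010 ACCEPTs have no source restriction at all.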