I'm attempting to really lock my system up tight. I'm having trouble with zabbix though, I can't seem to figure out what ports need to be open on the server for it to monitor and receive info from other servers. When I set my default INPUT chain policy to drop, all monitored systems become unreachable. I've opened up TCP ports 10001 and 10500 (I don't use 10000 for agentd), but I must be missing a port or two. I have seen suckerd using UDP port 53, so I opened that up but there was no change. Any suggestions on how to get things working again would be very much appreciated. I've been searching the forums and docs and I haven't found anything that seemed to deal with this issue. Thanx.
suckerd and iptables
> Originally posted by [JiF]Mike
> I'm attempting to really lock my system up tight. I'm having trouble with zabbix though, I can't seem to figure out what ports need to be open on the server for it to monitor and receive info from other servers.

I guess you should:
. on the server part, just need to ACCEPT the port of trapperd (10001 in your case).
. on the client part (and so on the server part eventually, or use loopback), just need to ACCEPT the port of agentd (10500 in your case).

UDP port 53 has probably been used by suckerd to resolve an IP address/name.
--
LEM
10001 is accepting connections, but still no dice. I didn't even think about suckerd using port 53 for DNS, thought it was weird. The clients are set up without problem. If I set my INPUT policy to 'accept', everything comes back up and runs fine. There is something I am doing wrong, and I'm hoping another set of eyes can find it for me. I am, after all, a novice with iptables. Here is the output of "iptables -L":
Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:10886
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:10500
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:10050:10051
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:10001
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:10000
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:6881:6899
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:10001
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:6881:6890
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:pop3
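As an added illustration (not code from the thread or from Zabbix): a small Python model of the INPUT chain posted above. It parses the `iptables -L` listing and applies first-match semantics with no connection tracking, since that chain contains no state rule, and then evaluates the flows Zabbix generates. An incoming connection to trapperd (dport 10001) is accepted, but a reply from a remote agentd (sport 10500, ephemeral dport) and ICMP both fall through to the DROP policy, which matches the symptom that monitored hosts vanish only when the policy is DROP. The listing is a trimmed copy of the one posted; the service-name table is an assumed subset of /etc/services.

```python
import re

# Trimmed copy of the INPUT chain posted in the thread (constructed test input).
IPTABLES_L = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:10500
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:10050:10051
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:10001
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
"""
# Service names iptables -L prints instead of numbers (assumed /etc/services values).
SERVICES = {"domain": 53, "ssh": 22, "pop3": 110, "http": 80, "smtp": 25}

def _port_range(spec):
    # "10001" -> (10001, 10001); "10050:10051" -> (10050, 10051); "domain" -> (53, 53)
    lo, _, hi = spec.partition(":")
    lo = int(SERVICES.get(lo, lo))
    return lo, (int(SERVICES.get(hi, hi)) if hi else lo)

def parse_chain(text, chain="INPUT"):
    """Return (policy, rules) for one chain of `iptables -L` output."""
    policy, rules, inside = None, [], False
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\w+)\)", line)
        if m:
            inside = m.group(1) == chain
            policy = m.group(2) if inside else policy
            continue
        if not inside or not line.strip() or line.startswith("target"):
            continue
        parts = line.split()  # target prot opt source destination [match ...]
        rule = {"target": parts[0], "proto": parts[1], "sport": None, "dport": None}
        for tok in parts[5:]:
            key, _, spec = tok.partition(":")
            if key in ("dpt", "dpts"):
                rule["dport"] = _port_range(spec)
            elif key in ("spt", "spts"):
                rule["sport"] = _port_range(spec)
        rules.append(rule)
    return policy, rules

def verdict(policy, rules, proto, sport, dport):
    """First matching rule wins; otherwise the chain policy applies (no conntrack)."""
    for r in rules:
        if r["proto"] not in (proto, "all"): continue
        if r["sport"] and not r["sport"][0] <= sport <= r["sport"][1]: continue
        if r["dport"] and not r["dport"][0] <= dport <= r["dport"][1]: continue
        return r["target"]
    return policy
```

Calling `verdict(*parse_chain(IPTABLES_L), "tcp", 10500, 40000)` returns "DROP": the dpt:10500 rule only covers connections to a local agent, not answers from remote agents, and a real chain would need an ESTABLISHED,RELATED state rule (or per-port spt rules) for those replies.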
> Originally posted by [JiF]Mike
> If I set my INPUT policy to 'accept', everything comes back up and runs fine.
> Code:
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ...
> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:10001
> ...

If you are using trapperd - in that case the client connects to the server - then maybe there is also a need to ACCEPT icmp packets?

Code:
iptables -I INPUT -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
iptables -I INPUT -p icmp -s 0/0 --icmp-type 11 -j ACCEPT