I have a particular problem and I confess that I am short of ideas to find the origin of the problem.
On a Debian10 server (4.19.183-1), I have a nagios-nrpe-server that listens on port 5666. It's used to run some commands locally from an external Centreon poller.
In nrpe.cfg, 'allowed_hosts' is correctly configured.
The service is running without any problem, but I can't connect from the poller (or any server in the same LAN) to TCP port 5666.
I run the latest version of NRPE:
Code:
/usr/sbin/nrpe -V
NRPE - Nagios Remote Plugin Executor
Version: 4.1.0
Code:
systemctl status nagios-nrpe-server
● nagios-nrpe-server.service - Nagios Remote Plugin Executor
Loaded: loaded (/lib/systemd/system/nagios-nrpe-server.service; enabled; vendor preset: enabled)
Drop-In: /etc/systemd/system/nagios-nrpe-server.service.d
└─user-override.conf
Active: active (running) since Fri 2022-08-05 15:33:05 CEST; 2h 6min ago
Docs: http://www.nagios.org/documentation
Main PID: 873 (nrpe)
Tasks: 1 (limit: 4915)
Memory: 1.4M
CGroup: /system.slice/nagios-nrpe-server.service
└─873 /usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -f
Aug 05 15:33:05 myserver systemd[1]: Started Nagios Remote Plugin Executor.
Code:
# ps -aux | grep nrpe
monitor+ 873 0.0 0.0 6412 4968 ? Ss 15:33 0:00 /usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -f
Code:
# netstat -ltpna | awk 'NR==2 || /:5666/'
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:5666 0.0.0.0:* LISTEN 873/nrpe
tcp6 0 0 :::5666 :::* LISTEN 873/nrpe
Code:
$ nmap 10.25.34.89 -p 5666
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-05 15:33 UTC
Nmap scan report for (10.25.34.89)
Host is up (0.00088s latency).
PORT STATE SERVICE
5666/tcp filtered nrpe
Code:
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5666 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -j LOG --log-prefix "** NRPE **"
-A FORWARD -p tcp -m tcp --dport 5666 -j LOG --log-prefix "** NRPE **"
-A OUTPUT -p tcp -m tcp --dport 5666 -j LOG --log-prefix "** NRPE **"
Code:
# telnet 127.0.0.1 5666
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Connection closed by foreign host.
From a server in the same LAN or my poller, I can't run 'telnet 10.25.34.89 5666' (you have guessed that 10.25.34.89 is my Debian10 server).
With tcpdump, I correctly see packets from the external server:
Code:
# tcpdump -i eth0 port 5666 -vvvvv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:36:10.192023 IP (tos 0x10, ttl 63, id 30978, offset 0, flags [DF], proto TCP (6), length 60)
10.25.29.33.37728 > 10.25.34.89.nrpe: Flags [S], cksum 0x2058 (correct), seq 937319388, win 64240, options [mss 1460,sackOK,TS val 3613508716 ecr 0,nop,wscale 7], length 0
17:36:11.196915 IP (tos 0x10, ttl 63, id 30979, offset 0, flags [DF], proto TCP (6), length 60)
10.25.29.33.37728 > 10.25.34.89.nrpe: Flags [S], cksum 0x1c6b (correct), seq 937319388, win 64240, options [mss 1460,sackOK,TS val 3613509721 ecr 0,nop,wscale 7], length 0
Code:
Aug 5 17:37:41 myserver kernel: IN=eth0 OUT= MAC=00:50:56:b1:cd:74:00:c4:c4:c4:c4:04:08:00 SRC=10.25.29.33 DST=10.25.34.89 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=13334 DF PROTO=TCP SPT=50168 DPT=5666 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 5 17:37:42 myserver kernel: IN=eth0 OUT= MAC=00:50:56:b1:cd:74:00:c4:c4:c4:c4:04:08:00 SRC=10.25.29.33 DST=10.25.34.89 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=13335 DF PROTO=TCP SPT=50168 DPT=5666 WINDOW=64240 RES=0x00 SYN URGP=0
I run strace on the PID itself and I see nothing from the external telnet test:
Code:
strace -f -e trace=network -s 10000 -p 873
Code:
readlink /proc/873/fd/3
socket:[17763]
cat /proc/net/tcp | grep 17763
2: 00000000:1622 00000000:0000 0A 00000000:00000000 00:00000000 00000000 998 0 17763 1 0000000000000000 100 0 0 10 0
head -1 /proc/873/net/tcp; grep 17763 /proc/873/net/tcp
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode
2: 00000000:1622 00000000:0000 0A 00000000:00000000 00:00000000 00000000 998 0 17763 1 0000000000000000 100 0 0 10 0
I am out of ideas.
Something seems to block the sending between the network stack and the process, because I see nothing with strace, but I don't know why.
Is it possible to analyze what is happening on the network stack side?
Can I open the socket file from its inode to see its content?
Thanks in advance for your help.
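
Added example (not part of the original post): the /proc/net/tcp row printed above can be decoded field by field, which is how the kernel's view of the socket behind inode 17763 is read. `CONSTRUCTED_ROW` and the function names are assumptions made for this illustration, and the byte order is passed explicitly as little-endian (x86).

```python
import socket
import sys

# State codes as listed in the Linux kernel's include/net/tcp_states.h
TCP_STATES = {1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_RECV", 4: "FIN_WAIT1",
              5: "FIN_WAIT2", 6: "TIME_WAIT", 7: "CLOSE", 8: "CLOSE_WAIT",
              9: "LAST_ACK", 10: "LISTEN", 11: "CLOSING", 12: "NEW_SYN_RECV"}

# Row copied from the post's /proc/net/tcp output (inode 17763).
POST_ROW = ("2: 00000000:1622 00000000:0000 0A 00000000:00000000 "
            "00:00000000 00000000 998 0 17763 1 0000000000000000 100 0 0 10 0")
# Constructed row (not from the post): an established session, to show address decoding.
CONSTRUCTED_ROW = ("5: 5922190A:1622 211D190A:9360 01 00000000:00000000 "
                   "00:00000000 00000000 998 0 20001 1 0000000000000000 20 4 30 10 -1")

def decode_endpoint(field, byteorder=sys.byteorder):
    """Turn 'HEXADDR:HEXPORT' into (dotted IPv4 address, port)."""
    hex_addr, hex_port = field.split(":")
    # The address is a 32-bit value printed in host byte order; the port is plain hex.
    packed = int(hex_addr, 16).to_bytes(4, byteorder)
    return socket.inet_ntoa(packed), int(hex_port, 16)

def parse_row(row, byteorder=sys.byteorder):
    """Decode one data row of /proc/net/tcp (IPv4 only) into a dict."""
    f = row.split()
    tx_queue, rx_queue = (int(x, 16) for x in f[4].split(":"))
    return {
        "local": decode_endpoint(f[1], byteorder),
        "remote": decode_endpoint(f[2], byteorder),
        "state": TCP_STATES.get(int(f[3], 16), "UNKNOWN"),
        "tx_queue": tx_queue,
        # For a LISTEN socket the kernel reports the accept-queue length here.
        "rx_queue": rx_queue,
        "uid": int(f[7]),
        "inode": int(f[9]),
    }

def find_inode(table_text, inode, byteorder=sys.byteorder):
    """Return the decoded row whose inode matches, or None; the header line is skipped."""
    for line in table_text.splitlines():
        parts = line.split()
        if len(parts) > 9 and parts[0].endswith(":") and parts[9] == str(inode):
            return parse_row(line, byteorder)
    return None

if __name__ == "__main__":
    for row in (POST_ROW, CONSTRUCTED_ROW):
        print(parse_row(row, "little"))
```

For the row in the post this yields a LISTEN socket on 0.0.0.0:5666 owned by uid 998, with both queue counters at zero.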