Hello,
I am trying to connect an Icinga agent as a client to the master. The client has the IP 192.168.1.70 and is a VM on the host neckar with IP 192.168.1.1. On the host a shorewall firewall is running with the following rules between host (fw) and VMs (loc):
Chain loc-fw (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
3 252 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22,52066,52070,52075,52076,52084 /* SSH */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Ping */
0 0 ACCEPT tcp -- * * 192.168.1.70 192.168.1.66 tcp dpt:5665 /* ICINGA */
0 0 ACCEPT tcp -- * * 192.168.1.75 192.168.1.66 tcp dpt:5665 /* ICINGA */
0 0 ACCEPT tcp -- * * 192.168.1.84 192.168.1.66 tcp dpt:5665 /* ICINGA */
0 0 ACCEPT tcp -- * * 192.168.1.85 192.168.1.66 tcp dpt:5665 /* ICINGA */
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "loc-fw ACCEPT "
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw-loc (1 references)
pkts bytes target prot opt in out source destination
24 2016 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22,52066,52070,52075,52076,52084 /* SSH */
5 420 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 192.168.1.66 192.168.1.70 tcp dpt:5665 /* ICINGA */
0 0 ACCEPT tcp -- * * 192.168.1.66 192.168.1.75 tcp dpt:5665 /* ICINGA */
0 0 ACCEPT tcp -- * * 192.168.1.66 192.168.1.84 tcp dpt:5665 /* ICINGA */
0 0 ACCEPT tcp -- * * 192.168.1.66 192.168.1.85 tcp dpt:5665 /* ICINGA */
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "fw-loc ACCEPT "
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
My host with the Icinga master is running like
# systemctl status icinga2
● icinga2.service - Icinga host/service/network monitoring system
Loaded: loaded (/lib/systemd/system/icinga2.service; enabled; vendor preset: enabled)
Drop-In: /etc/systemd/system/icinga2.service.d
└─limits.conf
Active: active (running) since Thu 2019-10-17 14:13:49 CEST; 8min ago
Process: 109208 ExecStartPre=/usr/lib/icinga2/prepare-dirs /etc/default/icinga2 (code=exited, status=0/SUCCESS)
Main PID: 109215 (icinga2)
Tasks: 397
and listens like
# netstat -tlpn | grep icinga2
tcp 0 0 0.0.0.0:5665 0.0.0.0:* LISTEN 109608/icinga2
When I try to save the certificates for communication over the API from the host on the client
icinga2 pki save-cert --host 192.168.1.66 --trustedcert trusted-master.crt
I get these error messages on the client:
information/cli: Retrieving X.509 certificate for '192.168.1.66:5665'.
critical/TcpSocket: Invalid socket: Connection refused
critical/pki: Cannot connect to host '192.168.1.66' on port '5665'
critical/cli: Failed to fetch certificate from host.
and in the firewall log I see:
Oct 17 14:26:26 Shorewall:loc-fw:REJECT:IN=vmbr1 OUT= SRC=192.168.1.70 DST=192.168.1.66 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43451 DF PROTO=TCP SPT=48274 DPT=5665 WINDOW=29200 RES=0x00 SYN URGP=0
The maintainer of shorewall told me on his mailing list that the firewall is correctly configured.
Any ideas for that problem?
Best regards
BrotherA
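As an added example (not part of the post above, and not code from Icinga or Shorewall), the following script walks the loc-fw chain exactly as listed in the question against the SYN packet from the firewall log line. It parses `iptables -L -n -v` style rule lines, reports the first terminal verdict, and records every non-terminal rule the packet passed through on the way (LOG, or jumps into user chains such as `dynamic` and `tcpflags`). The chain text is copied from the question; the packet dictionary is constructed from the log line; user chains that are not in the listing are assumed to RETURN, which is the one assumption a reader must check against the real chains.

```python
import ipaddress
import re

# Constructed sample input: the loc-fw chain as posted (pkts bytes target prot opt in out src dst ...)
LOC_FW = """\
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
3 252 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22,52066,52070,52075,52076,52084 /* SSH */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Ping */
0 0 ACCEPT tcp -- * * 192.168.1.70 192.168.1.66 tcp dpt:5665 /* ICINGA */
0 0 ACCEPT tcp -- * * 192.168.1.75 192.168.1.66 tcp dpt:5665 /* ICINGA */
0 0 ACCEPT tcp -- * * 192.168.1.84 192.168.1.66 tcp dpt:5665 /* ICINGA */
0 0 ACCEPT tcp -- * * 192.168.1.85 192.168.1.66 tcp dpt:5665 /* ICINGA */
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "loc-fw ACCEPT "
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
"""

# Constructed from the logged line: SRC=192.168.1.70 DST=192.168.1.66 PROTO=TCP DPT=5665 SYN
SYN_FROM_LOG = {"prot": "tcp", "src": "192.168.1.70", "dst": "192.168.1.66",
                "dport": 5665, "ctstate": "NEW"}

# Targets that end the walk; anything else (LOG, user chains) is assumed to fall through / RETURN
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_rule(line):
    """Parse one `iptables -L -n -v` rule line into a small match dictionary."""
    f = line.split()
    rule = {
        "target": f[2],
        "prot": f[3],
        "src": ipaddress.ip_network(f[7]),   # a bare address becomes a /32
        "dst": ipaddress.ip_network(f[8]),
    }
    rest = " ".join(f[9:])                   # extension matches, e.g. "ctstate NEW", "tcp dpt:5665"
    m = re.search(r"ctstate (\S+)", rest)
    rule["ctstate"] = set(m.group(1).split(",")) if m else None
    ports = set()
    m = re.search(r"dpt:(\d+)", rest)
    if m:
        ports.add(int(m.group(1)))
    m = re.search(r"dports (\S+)", rest)     # multiport list
    if m:
        ports.update(int(p) for p in m.group(1).split(","))
    rule["dports"] = ports or None
    m = re.search(r"icmptype (\d+)", rest)
    rule["icmptype"] = int(m.group(1)) if m else None
    return rule


def matches(rule, pkt):
    """True when every match criterion present on the rule is satisfied by the packet."""
    if rule["prot"] != "all" and rule["prot"] != pkt["prot"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["ctstate"] is not None and pkt["ctstate"] not in rule["ctstate"]:
        return False
    if rule["dports"] is not None and pkt.get("dport") not in rule["dports"]:
        return False
    if rule["icmptype"] is not None and pkt.get("icmptype") != rule["icmptype"]:
        return False
    return True


def walk_chain(chain_text, pkt):
    """Return (verdict, 1-based rule index, trace of non-terminal rules hit before the verdict).

    Verdict is "POLICY" when no terminal rule matched. User-chain jumps are only recorded, not
    followed (assumption: they RETURN), so a verdict inside them would not be seen here.
    """
    trace = []
    for i, line in enumerate(chain_text.splitlines(), 1):
        if not line.strip():
            continue
        rule = parse_rule(line)
        if not matches(rule, pkt):
            continue
        if rule["target"] in TERMINAL:
            return rule["target"], i, trace
        trace.append((i, rule["target"]))
    return "POLICY", None, trace


if __name__ == "__main__":
    verdict, idx, trace = walk_chain(LOC_FW, SYN_FROM_LOG)
    print(f"verdict={verdict} at rule {idx}; passed through: {trace}")
```

Run as-is, the walk ends in the explicit ACCEPT for 192.168.1.70 to 192.168.1.66:5665 (rule 6), after passing through the jumps into `dynamic` and `tcpflags` at rules 1 and 2. Since the listing itself contains no REJECT target, those two user chains, which are entered before the ACCEPT and whose contents are not in the post, are the only rules in the walk that could have produced the logged loc-fw:REJECT, so `iptables -L dynamic -n -v` and `iptables -L tcpflags -n -v` are the next output worth comparing against the same packet.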