We've configured a new port (10050) in firewall rules by the policy manage interface. This port is used for Zabbix Agent.
We have a gateway cluster and some nodes configure this port in iptables during the restart, while others not.
In the examples below host editedx053 is not configuring the port 10050 in iptables, the editedx054 is OK.
Looking in files, we see that both nodes have the port 10050 configured in gateway files:
##########################################################################
[root@<server name> firewall]# cat rules.d/e45b76553f4cee8322880ff02a7f2b5f-listen_ports
*filter
[0:0] -A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 9443 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 2124 -j ACCEPT
COMMIT
[root@<server name> firewall]#
[root@<server name> firewall]# cat rules.d/c4c5a4dd2ab8e516499bd5755aaa59c5-firewall_rules
*filter
[0:0] -A INPUT --protocol tcp --destination-port 8777 -j ACCEPT
[0:0] -A INPUT --protocol tcp --destination-port 10050 -j ACCEPT
COMMIT
[root@<server name> firewall]#
[root@<server name> firewall]# cat iptables-extras
*filter
[0:0] -A INPUT --protocol tcp --destination-port 8777 -j ACCEPT
[0:0] -A INPUT --protocol tcp --destination-port 10050 -j ACCEPT
COMMIT
*filter
[0:0] -A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 9443 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 2124 -j ACCEPT
COMMIT
[root@<server name> firewall]#
###########################################################################
[root@<server name> firewall]# cat rules.d/e45b76553f4cee8322880ff02a7f2b5f-listen_ports
*filter
[0:0] -A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 9443 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 2124 -j ACCEPT
COMMIT
[root@<server name> firewall]#
[root@<server name> firewall]# cat rules.d/c4c5a4dd2ab8e516499bd5755aaa59c5-firewall_rules
*filter
[0:0] -A INPUT --protocol tcp --destination-port 8777 -j ACCEPT
[0:0] -A INPUT --protocol tcp --destination-port 10050 -j ACCEPT
COMMIT
[root@<server name> firewall]#
[root@<server name> firewall]# cat iptables-extras
*filter
[0:0] -A INPUT --protocol tcp --destination-port 8777 -j ACCEPT
[0:0] -A INPUT --protocol tcp --destination-port 10050 -j ACCEPT
COMMIT
*filter
[0:0] -A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 9443 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 2124 -j ACCEPT
COMMIT
[root@<server name> firewall]#
############################################################################
But when start the gateway, the node editex053 doesn't configure the port 10050
And we put manually in iptables to work the zabbix agent.
In the file iptables-combined we can see a difference:
[root@<server name> firewall]# cat iptables-combined
# Generated by iptables-save v1.4.21 on Fri Oct 15 22:09:13 2021
*filter
:INPUT DROP [46:1472]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [179329:17804176]
:badflags - [0:0]
:portdrop - [0:0]
-A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
[...]
[root@<server name> firewall]# grep 10050 iptables-combined
[root@<server name> firewall]#
[root@<server name> firewall]# cat iptables-combined
# Layer 7 supplied iptables config for the API Gateway Appliance
# /etc/sysconfig/iptables
# Modification of this file is not recommended
# as our system manipulates these rules live
#
# Design:
# This is a drop all system
#
# If the port and/or interface doesn't explicitly allow the packet
[...]
[root@<server name> firewall]# grep 10050 iptables-combined
[0:0] -A INPUT --protocol tcp --destination-port 10050 -j ACCEPT
[root@<server name> firewall]#
So, it seems that the iptables in the gateway that doesn't open the 10050 port wasn't generated by the gateway and doesn't have the port 10050 rule
I think it could be caused by a manually change in iptables, but is there a way to fix this?
In order to monitoring runs well we needed to add the port manually, but every time the gateway is restarted the port 10050 disappears from Iptables and we need to put manually again.
Release : 10.0
Component :
The "iptables-save" tool seems to remove read permissions from the /etc/sysconfig/iptables file and it became readable only by the root user (and maybe this is why the ssg on restart wasn't able to use it).
1. copy from working env /etc/sysconfig/iptables
2. do a backup of the file on the problematic server.
It also backs up the old iptables to /etc/sysconfig/iptables.save
3. copy and paste the iptables file on that folder. (/etc/sysconfig/iptables) on non working server.
4. add the proper permission to the file :
run "chmod +r /etc/sysconfig/iptables"
5. Do not need to reboot server. However if you want to test the change, reboot gateway server and it will maintain persistence of the iptables configuration after restart.
1) if used :
iptables-save > /etc/iptablesRules.v2
Even after restarting the computer the following example helps to reload the rules from the saved file.
iptables-restore < /etc/iptablesRule.v2
2) iptables Service for RedHat Enterprise Linux (RHEL) and CentOS
RHEL/CentOS also offer simple methods to permanently save iptables rules for IPv4 and IPv6.
There is a service called "iptables". This must be enabled.
# chkconfig --list | grep iptables
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
# chkconfig iptables on
The rules are saved in the file /etc/sysconfig/iptables for IPv4 and in the file /etc/sysconfig/ip6tables for IPv6.
You may also use the init script in order to save the current rules.
# service iptables save