[CentOS] can't disable tcp6 on centos 7

Sun May 3 23:23:19 UTC 2015
Tim Dunphy <bluethundr at gmail.com>

>
> is it working on localhost or not???!!! it could be selinux problem also,
> if context is not correct.


It's working on localhost:

[root at puppet:~] #telnet localhost 5666
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

I notice if I stop the firewall on the puppet host (for no more than 2
seconds) and hit NRPE from the monitoring host it works:

[root at monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H puppet.mydomain.com
NRPE v2.15

But as soon as the firewall has been enabled on the puppet host (a
microsecond later) I get this result:

[root at monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H puppet.mydomain.com
connect to address 216.120.xxx.xxx port 5666: No route to host
connect to host puppet.mydomain.com port 5666: No route to host

And nmap from the monitoring host tells me that the port is closed:

[root at monitor1:~] #nmap -p 5666 puppet.mydomain.com

Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-03 23:20 UTC
Nmap scan report for puppet.jokefire.com (216.120.250.140)
Host is up (0.011s latency).
PORT     STATE    SERVICE
5666/tcp filtered nrpe

Back on the puppet host I verify that the port is open for UDP:

[root at puppet:~] #firewall-cmd --list-ports
5666/udp

That should be right AFAIK.

Can anybody tell me what I'm doing wrong?

Thanks
Tim







On Sun, May 3, 2015 at 6:59 PM, Eero Volotinen <eero.volotinen at iki.fi>
wrote:

> is it working on localhost or not???!!! it could be selinux problem also,
> if context is not correct.
>
> --
> Eero
>
> 2015-05-04 1:55 GMT+03:00 Tim Dunphy <bluethundr at gmail.com>:
>
> > >
> > > It's listening on both IPv6 and IPv4.  Specifically, why is that a
> > > problem?
> >
> >
> > The central problem seems to be that the monitoring host can't hit nrpe on
> > port 5666 UDP.
> >
> > [root at monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H puppet.mydomain.com
> > CHECK_NRPE: Socket timeout after 10 seconds.
> >
> > It is listening on the puppet host on port 5666
> >
> > [root at puppet:~] #lsof -i :5666
> > COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> > xinetd  2915 root    5u  IPv6  24493      0t0  TCP *:nrpe (LISTEN)
> >
> > And the firewall is allowing that port:
> >
> > [root at puppet:~] #firewall-cmd --list-ports
> > 5666/udp
> >
> > But if I check the port using nmap
> >
> > [root at monitor1:~] #nmap -p 5666 puppet.mydomain.com
> >
> > Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-03 22:51 UTC
> > Nmap scan report for puppet.jokefire.com (216.120.250.140)
> > Host is up (0.012s latency).
> > PORT     STATE    SERVICE
> > 5666/tcp filtered nrpe
> >
> > That port is closed despite the port being allowed on the firewall.
> >
> > So I thought that the problem was that xinetd was listening to port 5666
> > only on tcp v6. And when the monitoring host hits the puppet host using tcp
> > v4 it can't because only tcp v6 is active on that port.
> >
> > You mention that it's listening on both tcp v4 and v6. But I only see v6 in
> > that output. How are you determining that?
> >
> > It's a problem because the port does not appear to be open from the
> > monitoring host:
> >
> > [root at monitor1:~] #nmap -p 5666 puppet.mydomain.com
> >
> > Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-03 22:33 UTC
> > Nmap scan report for puppet.jokefire.com (216.120.250.140)
> > Host is up (0.011s latency).
> > PORT     STATE    SERVICE
> > 5666/tcp filtered nrpe
> >
> > >
> > >
> > > You could add "ipv6.disable=1" to your kernel args.
> >
> > What am I doing wrong? I need to be able to disable tcpv6 completely!
> > >
> >
> > Worth a shot!
> >
> > On Sun, May 3, 2015 at 5:44 PM, Gordon Messmer <gordon.messmer at gmail.com>
> > wrote:
> >
> > > On 05/03/2015 02:18 PM, Tim Dunphy wrote:
> > >
> > >> Yet, xinetd/nrpe still seems to be listening on TCP v6!!
> > >>
> > >
> > > It's listening on both IPv6 and IPv4.  Specifically, why is that a
> > > problem?
> > >
> > >  What am I doing wrong? I need to be able to disable tcpv6 completely!
> > >>
> > >
> > > You could add "ipv6.disable=1" to your kernel args.
> > > _______________________________________________
> > > CentOS mailing list
> > > CentOS at centos.org
> > > http://lists.centos.org/mailman/listinfo/centos
> > >
> >
> >
> >
> > --
> > GPG me!!
> >
> > gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>



-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
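
The outputs quoted in this message show a TCP listener (lsof), a 5666/udp firewall rule (firewall-cmd) and a filtered 5666/tcp port (nmap). The following is an added example, not part of the original post: a small shell check that compares listening sockets against the firewalld port list and flags a port that is allowed only under a different protocol. The function names are hypothetical, and the lsof sample is adapted to numeric-port form (as `lsof -nP` prints it), which is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): compare TCP listeners with firewalld rules.

# Sample inputs adapted from the outputs quoted in the thread. The lsof line is
# rewritten with a numeric port, as `lsof -nP -i :5666` would show it (assumption).
SAMPLE_LSOF='COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
xinetd  2915 root    5u  IPv6  24493      0t0  TCP *:5666 (LISTEN)'
SAMPLE_FW_PORTS='5666/udp'

# listeners_from_lsof: read `lsof -nP -i` output on stdin and print one
# "port/proto" per listening TCP socket (UDP sockets have no LISTEN state).
listeners_from_lsof() {
  awk 'NR > 1 && $NF == "(LISTEN)" {
         proto = tolower($(NF-2))          # TCP -> tcp
         n = split($(NF-1), a, ":")        # "*:5666" or "[::1]:5666"
         print a[n] "/" proto
       }' | sort -u
}

# check_rules LISTENERS ALLOWED: both arguments are whitespace-separated
# "port/proto" lists (ALLOWED in the format of `firewall-cmd --list-ports`).
# Port ranges and --list-services entries are not expanded here.
check_rules() {
  allowed=$(printf '%s\n' $2)              # one entry per line
  for l in $1; do
    port=${l%/*}
    if printf '%s\n' "$allowed" | grep -qxF "$l"; then
      echo "OK $l"
    elif other=$(printf '%s\n' "$allowed" | grep "^$port/"); then
      echo "MISMATCH $l: firewall allows $(echo $other) instead"
    else
      echo "BLOCKED $l: no firewall rule for this port"
    fi
  done
}

# Run against the embedded sample. On a live host the inputs would come from:
#   lsof -nP -iTCP -sTCP:LISTEN | listeners_from_lsof
#   firewall-cmd --list-ports
listeners=$(printf '%s\n' "$SAMPLE_LSOF" | listeners_from_lsof)
check_rules "$listeners" "$SAMPLE_FW_PORTS"
```

A MISMATCH line means the service's port number appears in the firewall configuration, but not for the protocol the service actually listens on.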