I have a problem with Cacti and internet hosts, e.g. 8.8.8.8.
Hosts on the internet are always down. My Cacti server is behind a Linux router (Zentyal).
Zentyal is using Squid, DHCP for the internal LAN, and some rules in iptables (see attached file "iptab").
All outbound connections are allowed.
Devices in the local network always have UP status and graphs.

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
preinput all -- anywhere anywhere
idrop all -- anywhere anywhere state INVALID
iaccept all -- anywhere anywhere state RELATED,ESTABLISHED
inospoof all -- anywhere anywhere
iexternalmodules all -- anywhere anywhere
iexternal all -- anywhere anywhere
inoexternal all -- anywhere anywhere
imodules all -- anywhere anywhere
iglobal all -- anywhere anywhere
iaccept icmp !f anywhere anywhere icmp echo-request state NEW
iaccept icmp !f anywhere anywhere icmp echo-reply state NEW
iaccept icmp !f anywhere anywhere icmp destination-unreachable state NEW
iaccept icmp !f anywhere anywhere icmp source-quench state NEW
iaccept icmp !f anywhere anywhere icmp time-exceeded state NEW
iaccept icmp !f anywhere anywhere icmp parameter-problem state NEW
idrop all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
preforward all -- anywhere anywhere
fdrop all -- anywhere anywhere state INVALID
faccept all -- anywhere anywhere state RELATED,ESTABLISHED
fnospoof all -- anywhere anywhere
fredirects all -- anywhere anywhere
fmodules all -- anywhere anywhere
ffwdrules all -- anywhere anywhere
fnoexternal all -- anywhere anywhere
fdns all -- anywhere anywhere
fglobal all -- anywhere anywhere
faccept icmp !f anywhere anywhere icmp echo-request state NEW
faccept icmp !f anywhere anywhere icmp echo-reply state NEW
faccept icmp !f anywhere anywhere icmp destination-unreachable state NEW
faccept icmp !f anywhere anywhere icmp source-quench state NEW
faccept icmp !f anywhere anywhere icmp time-exceeded state NEW
faccept icmp !f anywhere anywhere icmp parameter-problem state NEW
fdrop all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
preoutput all -- anywhere anywhere
odrop all -- anywhere anywhere state INVALID
oaccept all -- anywhere anywhere state RELATED,ESTABLISHED
ointernal all -- anywhere anywhere
omodules all -- anywhere anywhere
oglobal all -- anywhere anywhere
oaccept icmp !f anywhere anywhere icmp echo-request state NEW
oaccept icmp !f anywhere anywhere icmp echo-reply state NEW
oaccept icmp !f anywhere anywhere icmp destination-unreachable state NEW
oaccept icmp !f anywhere anywhere icmp source-quench state NEW
oaccept icmp !f anywhere anywhere icmp time-exceeded state NEW
oaccept icmp !f anywhere anywhere icmp parameter-problem state NEW
odrop all -- anywhere anywhere
Chain drop (980 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 50/min burst 10 LOG level debug prefix "zentyal-firewall drop "
DROP all -- anywhere anywhere
Chain faccept (12 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain fdns (1 references)
target prot opt source destination
Chain fdrop (9 references)
target prot opt source destination
drop all -- anywhere anywhere
Chain ffwdrules (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain fglobal (1 references)
target prot opt source destination
drop all -- 192.168.51.0/24 192.168.40.0/24
drop all -- 192.168.52.0/24 192.168.40.0/24
drop all -- 192.168.51.0/24 192.168.50.0/24
drop all -- 192.168.52.0/24 192.168.50.0/24
faccept all -- 192.168.160.0/24 anywhere
faccept all -- anywhere anywhere
Chain fmodules (1 references)
target prot opt source destination
Chain fnoexternal (1 references)
target prot opt source destination
fdrop all -- anywhere anywhere state NEW
Chain fnospoof (1 references)
target prot opt source destination
fnospoofmodules all -- anywhere anywhere
fdrop all -- 192.168.50.0/24 anywhere
fdrop all -- 192.168.40.0/24 anywhere
fdrop all -- 192.168.51.0/24 anywhere
fdrop all -- 192.168.52.0/24 anywhere
fdrop all -- 109.111.190.224/27 anywhere
Chain fnospoofmodules (1 references)
target prot opt source destination
Chain fredirects (1 references)
target prot opt source destination
LOG tcp -- pc-mail.ru 192.168.50.232 state NEW tcp dpt:5650 limit: avg 50/min burst 10 LOG level debug prefix "zentyal-firewall redirect "
faccept tcp -- pc-mail.ru 192.168.50.232 state NEW tcp dpt:5650
LOG tcp -- anywhere 192.168.50.21 state NEW tcp dpt:http limit: avg 50/min burst 10 LOG level debug prefix "zentyal-firewall redirect "
faccept tcp -- anywhere 192.168.50.21 state NEW tcp dpt:http
Chain ftoexternalonly (0 references)
target prot opt source destination
faccept all -- anywhere anywhere
fdrop all -- anywhere anywhere
Chain iaccept (73 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain idrop (8 references)
target prot opt source destination
drop all -- anywhere anywhere
Chain iexternal (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
drop tcp -- 116.108.0.0/14 anywhere tcp dpt:smtp state NEW
drop tcp -- 116.108.0.0/14 anywhere tcp dpt:urd state NEW
drop tcp -- 212.13.192.0/19 anywhere tcp dpt:smtp state NEW
drop tcp -- 212.13.192.0/19 anywhere tcp dpt:urd state NEW
drop tcp -- 123.1.192.0/24 anywhere tcp dpt:smtp state NEW
drop tcp -- 123.1.192.0/24 anywhere tcp dpt:urd state NEW
Chain iexternalmodules (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
iaccept udp -- anywhere anywhere udp dpt:route
iaccept udp -- anywhere anywhere udp dpt:openvpn
Chain iglobal (1 references)
target prot opt source destination
iaccept udp -- anywhere anywhere source IP range 192.168.50.2-192.168.50.29 udp dpt:tacacs state NEW
iaccept tcp -- anywhere anywhere source IP range 192.168.50.2-192.168.50.29 tcp dpt:tacacs state NEW
iaccept all -- 192.168.160.0/24 anywhere state NEW
iaccept all -- 192.168.50.21 anywhere state NEW
iaccept udp -- 192.168.50.21 anywhere udp dpts:snmp:snmp-trap state NEW
iaccept icmp !f 192.168.50.21 anywhere icmp echo-request state NEW
iaccept icmp !f 192.168.50.21 anywhere icmp echo-reply state NEW
iaccept icmp !f 192.168.50.21 anywhere icmp destination-unreachable state NEW
iaccept icmp !f 192.168.50.21 anywhere icmp source-quench state NEW
iaccept icmp !f 192.168.50.21 anywhere icmp parameter-problem state NEW
iaccept udp -- anywhere anywhere source IP range 192.168.50.2-192.168.50.29 udp dpt:23 state NEW
iaccept tcp -- anywhere anywhere source IP range 192.168.50.2-192.168.50.29 tcp dpt:telnet state NEW
iaccept tcp -- anywhere anywhere tcp dpt:submission state NEW
iaccept tcp -- anywhere anywhere tcp dpt:pop3 state NEW
iaccept tcp -- anywhere anywhere tcp dpt:imap2 state NEW
iaccept tcp -- anywhere anywhere tcp dpt:imaps state NEW
iaccept tcp -- anywhere anywhere tcp dpt:pop3s state NEW
iaccept tcp -- anywhere anywhere tcp dpt:sieve state NEW
iaccept tcp -- anywhere anywhere tcp dpt:smtp state NEW
iaccept tcp -- anywhere anywhere tcp dpt:urd state NEW
iaccept tcp -- anywhere anywhere tcp dpt:http state NEW
iaccept tcp -- anywhere anywhere tcp dpt:https state NEW
iaccept udp -- anywhere anywhere udp dpt:kerberos state NEW
iaccept tcp -- anywhere anywhere tcp dpt:kerberos state NEW
iaccept tcp -- anywhere anywhere tcp dpt:loc-srv state NEW
iaccept udp -- anywhere anywhere udp dpt:netbios-ns state NEW
iaccept udp -- anywhere anywhere udp dpt:netbios-dgm state NEW
iaccept tcp -- anywhere anywhere tcp dpt:netbios-ssn state NEW
iaccept udp -- anywhere anywhere udp dpt:ldap state NEW
iaccept tcp -- anywhere anywhere tcp dpt:ldap state NEW
iaccept tcp -- anywhere anywhere tcp dpt:microsoft-ds state NEW
iaccept udp -- anywhere anywhere udp dpt:kpasswd state NEW
iaccept tcp -- anywhere anywhere tcp dpt:kpasswd state NEW
iaccept tcp -- anywhere anywhere tcp dpt:ldaps state NEW
iaccept tcp -- anywhere anywhere tcp dpt:1024 state NEW
iaccept tcp -- anywhere anywhere tcp dpt:3268 state NEW
iaccept tcp -- anywhere anywhere tcp dpt:3269 state NEW
iaccept udp -- anywhere anywhere udp dpt:ntp state NEW
iaccept udp -- anywhere anywhere udp spts:bootps:bootpc dpts:bootps:bootpc state NEW
iaccept udp -- anywhere anywhere udp dpt:tftp state NEW
iaccept udp -- anywhere anywhere udp dpt:domain state NEW
iaccept tcp -- anywhere anywhere tcp dpt:domain state NEW
iaccept tcp -- anywhere anywhere tcp dpt:ssh state NEW
iaccept tcp -- 192.168.50.0/24 anywhere tcp dpt:8443 state NEW
Chain imodules (1 references)
target prot opt source destination
iaccept udp -- anywhere anywhere udp dpt:route
iaccept tcp -- anywhere anywhere state NEW tcp dpt:3128
iaccept tcp -- anywhere anywhere state NEW tcp dpt:3128
iaccept tcp -- anywhere anywhere state NEW tcp dpt:3128
iaccept tcp -- anywhere anywhere state NEW tcp dpt:3128
DROP tcp -- anywhere anywhere state NEW tcp dpt:3129
DROP tcp -- anywhere anywhere state NEW tcp dpt:icpv2
Chain inoexternal (1 references)
target prot opt source destination
idrop all -- anywhere anywhere state NEW
Chain inointernal (0 references)
target prot opt source destination
Chain inospoof (1 references)
target prot opt source destination
inospoofmodules all -- anywhere anywhere
idrop all -- 192.168.50.0/24 anywhere
idrop all -- 192.168.40.0/24 anywhere
idrop all -- 192.168.51.0/24 anywhere
idrop all -- 192.168.52.0/24 anywhere
idrop all -- 109.111.190.224/27 anywhere
Chain inospoofmodules (1 references)
target prot opt source destination
Chain log (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 50/min burst 10 LOG level debug prefix "zentyal-firewall log "
RETURN all -- anywhere anywhere
Chain oaccept (16 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain odrop (2 references)
target prot opt source destination
drop all -- anywhere anywhere
Chain oglobal (1 references)
target prot opt source destination
oaccept all -- anywhere anywhere state NEW
Chain ointernal (1 references)
target prot opt source destination
Chain omodules (1 references)
target prot opt source destination
oaccept tcp -- anywhere anywhere tcp dpt:http
oaccept udp -- anywhere anywhere udp dpt:domain
oaccept tcp -- anywhere anywhere tcp dpt:domain
oaccept tcp -- anywhere anywhere state NEW tcp dpt:smtp
oaccept udp -- anywhere anywhere udp dpt:route
oaccept tcp -- anywhere anywhere tcp dpt:http
oaccept tcp -- anywhere anywhere state NEW tcp dpt:http
oaccept tcp -- anywhere anywhere state NEW tcp dpt:https
Chain preforward (1 references)
target prot opt source destination
Chain preinput (1 references)
target prot opt source destination
Chain preoutput (1 references)
target prot opt source destination

If you need more information, I am ready)
And sorry for my English)