diff --git a/conf/default_ports.conf b/conf/default_ports.conf index a6ee932..e72b6be 100644 --- a/conf/default_ports.conf +++ b/conf/default_ports.conf @@ -30,6 +30,7 @@ standard_cups_port=$standard_ipp_port standard_print_raw_port=515 standard_print_port=9100 standard_remote_console_port=5900 +standard_checkmk_port=6556 # - IPsec - Internet Security Association and # - Key Management Protocol diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample index 46caf3b..761fcad 100644 --- a/conf/main_ipv4.conf.sample +++ b/conf/main_ipv4.conf.sample @@ -852,6 +852,25 @@ declare -A munin_local_client_ip_arr munin_local_port=4949 +# ====== +# - Checkmk Monitoring Service (local network) +# ====== + +# - Checkmk Service Gateway (usually TCP port 6556) +# - +checkmk_service_gateway=false + +# - Checkmk Server local Networks (usually TCP port 6556) +# - +# - Blank separated list +# - +checkmk_local_server_ips="" + +# - checkmk Port +# - +checkmk_local_port="$standard_checkmk_port" + + # ====== # - PowerChut Network Shutdown (PCNS) # ====== diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample index 47f5096..642e49d 100644 --- a/conf/main_ipv6.conf.sample +++ b/conf/main_ipv6.conf.sample @@ -818,6 +818,25 @@ declare -A munin_local_client_ip_arr munin_local_port=4949 +# ====== +# - Checkmk Monitoring Service (local network) +# ====== + +# - Checkmk Service Gateway (usually TCP port 6556) +# - +checkmk_service_gateway=false + +# - Checkmk Server local Networks (usually TCP port 6556) +# - +# - Blank separated list +# - +checkmk_local_server_ips="" + +# - checkmk Port +# - +checkmk_local_port="$standard_checkmk_port" + + # ====== # - PowerChut Network Shutdown (PCNS) # ====== diff --git a/conf/post_decalrations.conf b/conf/post_decalrations.conf index f92b650..d6ddb34 100644 --- a/conf/post_decalrations.conf +++ b/conf/post_decalrations.conf 
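Review bot: The comment above `checkmk_local_server_ips` in the main_ipv4.conf.sample hunk reads "Checkmk Server local Networks", but the sample never says what an entry actually does. Judging from the firewall hunks in this commit, each entry becomes an `-s` source match that may open new TCP connections to `checkmk_local_port` on the gateway, so a network prefix here exposes the agent port to every host in that prefix. I would word it as `# - IP addresses of the Checkmk server(s) allowed to query the agent on this gateway` and keep `# - Blank separated list`. `checkmk_service_gateway` would benefit from a similar line stating that it permits outgoing connections from the gateway to `checkmk_local_port` on the local interfaces. The same text appears in the main_ipv6.conf.sample hunk.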
@@ -335,6 +335,14 @@ for _ip in $munin_local_server_ips ; do munin_local_server_ip_arr+=("$_ip") done +# --- +# - IP Adresses Checkmk Monitoring Service +# --- +declare -a checkmk_local_server_ip_arr +for _ip in $checkmk_local_server_ips ; do + checkmk_local_server_ip_arr+=("$_ip") +done + # --- # - IP Adresses XyMon # --- diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway index f745bdf..0bd59a8 100755 --- a/ip6t-firewall-gateway +++ b/ip6t-firewall-gateway @@ -3665,6 +3665,56 @@ else fi +# --- +# - Checkmk Monitoring Service Gateway +# --- + +echononl "\t\tCheckmk Monitoring Service Gateway (only local network)" + +if $checkmk_service_gateway ; then + + for _dev in ${local_if_arr[@]} ; do + $ip6t -A OUTPUT -o $_dev -p tcp --dport $checkmk_local_port -m conntrack --ctstate NEW -j ACCEPT + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Checkmk Service local Networks +# --- + +echononl "\t\tCheckmk Monitoring Service local Networks" +if [[ ${#checkmk_local_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${checkmk_local_server_ip_arr[@]} ; do + $ip6t -A INPUT -s $_ip -p tcp --dport $checkmk_local_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_forward_between_interfaces && ! $permit_between_local_networks ; then + for _dev in ${local_if_arr[@]} ; do + if ! $permit_between_local_networks ; then + $ip6t -A FORWARD -i $_dev -s $_ip -p tcp --dport $checkmk_local_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + fi + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $kernel_forward_between_interfaces && $local_alias_interfaces ; then + $ip6t -A FORWARD -p tcp -d $_ip --sport $checkmk_local_port --tcp-flag ACK ACK -j ACCEPT + $ip6t -A FORWARD -p tcp -s $_ip --dport $checkmk_local_port --tcp-flag ACK ACK -j ACCEPT + fi + + done + + echo_done +else + echo_skipped +fi + + # --- # - XyMon local service # --- diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway index 3e138ef..638889b 100755 
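Review bot: The two alias-interface FORWARD rules at the end of the loop in the ip6t-firewall-gateway hunk (`-d $_ip --sport $checkmk_local_port --tcp-flag ACK ACK` and `-s $_ip --dport $checkmk_local_port --tcp-flag ACK ACK`) are stateless and carry no `-i`/`-o`, so they accept any ACK-flagged TCP segment to or from a Checkmk server address on every interface. In the `-d $_ip --sport` rule both the source address and the source port are chosen by the sender, so the rule does not actually tie the traffic to a Checkmk session. If the rules exist because the gateway sees only one direction of the flow on aliased interfaces (an assumption; the reason is not visible in this hunk), they should at least be bound to the local interfaces inside a `for _dev in ${local_if_arr[@]}` loop, e.g. `$ip6t -A FORWARD -i $_dev -o $_dev -p tcp -d $_ip --sport $checkmk_local_port --tcp-flag ACK ACK -j ACCEPT`, and likewise for the `-s $_ip --dport` rule. The same pair appears in the ipt-firewall-gateway hunk with `$ipt`.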
--- a/ipt-firewall-gateway +++ b/ipt-firewall-gateway @@ -4380,6 +4380,56 @@ else fi +# --- +# - Checkmk Monitoring Service Gateway +# --- + +echononl "\t\tCheckmk Monitoring Service Gateway (only local network)" + +if $checkmk_service_gateway ; then + + for _dev in ${local_if_arr[@]} ; do + $ipt -A OUTPUT -o $_dev -p tcp --dport $checkmk_local_port -m conntrack --ctstate NEW -j ACCEPT + done + + echo_done +else + echo_skipped +fi + + +# --- +# - Checkmk Service local Networks +# --- + +echononl "\t\tCheckmk Monitoring Service local Networks" +if [[ ${#checkmk_local_server_ip_arr[@]} -gt 0 ]] ; then + for _ip in ${checkmk_local_server_ip_arr[@]} ; do + $ipt -A INPUT -s $_ip -p tcp --dport $checkmk_local_port -m conntrack --ctstate NEW -j ACCEPT + + if $kernel_activate_forwarding && ! $permit_between_local_networks ; then + for _dev in ${local_if_arr[@]} ; do + if ! $permit_between_local_networks ; then + $ipt -A FORWARD -i $_dev -s $_ip -p tcp --dport $checkmk_local_port -m conntrack --ctstate NEW -j ACCEPT + fi + done + fi + + # - Rule is needed if (local) interface aliases in use (like eth0:1) + # - + if $kernel_activate_forwarding && $local_alias_interfaces ; then + $ipt -A FORWARD -p tcp -d $_ip --sport $checkmk_local_port --tcp-flag ACK ACK -j ACCEPT + $ipt -A FORWARD -p tcp -s $_ip --dport $checkmk_local_port --tcp-flag ACK ACK -j ACCEPT + fi + + done + + echo_done +else + echo_skipped +fi + + # --- # - XyMon local service # ---
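Review bot: The INPUT rule `$ipt -A INPUT -s $_ip -p tcp --dport $checkmk_local_port -m conntrack --ctstate NEW -j ACCEPT` matches on source address only, while the FORWARD rule just below it is bound to `-i $_dev` for each entry of `local_if_arr`. The section is titled as local-network only, so the agent port on the gateway itself should get the same binding: `for _dev in ${local_if_arr[@]} ; do $ipt -A INPUT -i $_dev -s $_ip -p tcp --dport $checkmk_local_port -m conntrack --ctstate NEW -j ACCEPT ; done`. Without it, the restriction depends on whatever anti-spoofing rules run earlier in the script, which this hunk does not show. The inner `if ! $permit_between_local_networks` is also redundant, since the enclosing `if` already tests the same variable. Both points apply equally to the ip6t-firewall-gateway hunk.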