We run a webapp as an unprivileged user, on unprivileged ports. A startup script is executed as root solely to set iptables REDIRECT rules, then drops privileges and starts the app.
I'm trying to monitor this webapp with NAGIOS, but the default "check_http" plugin shipped in nagios-plugins is failing to connect to the web server on port 80. NAGIOS runs on the same host as the webapp.
I want to monitor on port 80, because that's how users will be connecting, so I want to ensure it's being forwarded adequately, etc.
The NAGIOS configuration specifies the host's address as its eth0 private IP address. Running the check_http script against that IP address yields:
# libexec/check_http -H 192.168.20.15
Connection refused
HTTP CRITICAL - Unable to open TCP socket
However, if I specify the loopback address locally, it works.
# libexec/check_http -H localhost
HTTP OK: HTTP/1.1 200 OK - 8007 bytes in 0.035 second response time|time=0.034517s;;;0.000000 size=8007B;;;0
Connections from other hosts to port 80 on this webapp server work ok. But I want to understand why I can't locally monitor it on port 80 via eth0 as opposed to lo.
Our iptables rules are empty except for the nat table:
*nat
:PREROUTING ACCEPT [2036:252802]
:POSTROUTING ACCEPT [478669:34376409]
:OUTPUT ACCEPT [475605:34192517]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 7999
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 7998
-A OUTPUT -d 127.0.0.1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 7999
-A OUTPUT -d 127.0.0.1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 7998
COMMIT
Oh, wait. No kidding it works on lo, because of the -A OUTPUT lines sending the traffic away to the destination ports. I guess that means the solution here is to add two additional OUTPUT lines for the eth0 interface into -d. Meaning, duplicate the lines containing 127.0.0.1, and replace that address with 192.168.20.15. No kidding...
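As an added example (not part of the original post), the shell below builds the corrected nat table in iptables-restore format and checks, without calling iptables, whether a locally generated connection to a given address and port would be redirected. The point it makes concrete: PREROUTING only sees packets that arrive on an interface, while check_http run on the same host goes through the OUTPUT chain, so a rule matching only -d 127.0.0.1 never sees a connection to the eth0 address. The address 192.168.20.15 and the backend ports 7999/7998 are taken from the post; the function names, the zeroed counters and the addrtype variant (matching any address the kernel considers local, so the eth0 address does not have to be hard-coded) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: generate a nat table whose
# OUTPUT chain redirects locally generated connections for every listed
# local address, and check a ruleset for that property. Nothing here
# invokes iptables; the rules are produced and inspected as text.

# The posted nat table (counters zeroed), used as input to the check below.
ORIGINAL_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 7999
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 7998
-A OUTPUT -d 127.0.0.1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 7999
-A OUTPUT -d 127.0.0.1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 7998
COMMIT'

# nat_header: table header plus the PREROUTING rules, which handle packets
# arriving from other hosts on any interface (unchanged from the post).
nat_header() {
  printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' '-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 7999'
  printf '%s\n' '-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 7998'
}

# gen_nat_rules ADDR...: one OUTPUT redirect pair per local address. Locally
# generated traffic (check_http on the same host) never traverses
# PREROUTING, so each address it may dial needs its own OUTPUT rule.
gen_nat_rules() {
  nat_header
  for addr in "$@"; do
    printf '%s\n' "-A OUTPUT -d $addr -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 7999"
    printf '%s\n' "-A OUTPUT -d $addr -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 7998"
  done
  printf '%s\n' 'COMMIT'
}

# gen_nat_rules_addrtype: same effect without enumerating addresses; matches
# any destination the kernel owns (assumes the xt_addrtype match is available).
gen_nat_rules_addrtype() {
  nat_header
  printf '%s\n' '-A OUTPUT -p tcp -m addrtype --dst-type LOCAL -m tcp --dport 80 -j REDIRECT --to-ports 7999'
  printf '%s\n' '-A OUTPUT -p tcp -m addrtype --dst-type LOCAL -m tcp --dport 443 -j REDIRECT --to-ports 7998'
  printf '%s\n' 'COMMIT'
}

# output_redirects RULESET ADDR PORT: exit 0 if a locally generated TCP
# connection to ADDR:PORT matches an explicit OUTPUT REDIRECT rule in RULESET.
output_redirects() {
  printf '%s\n' "$1" | grep -qF -- "-A OUTPUT -d $2 -p tcp -m tcp --dport $3 -j REDIRECT"
}

# count_output_rules RULESET: number of OUTPUT rules, a quick sanity check
# after editing the table.
count_output_rules() {
  printf '%s\n' "$1" | grep -c '^-A OUTPUT'
}
```

To load the generated table on the host, run `gen_nat_rules 127.0.0.1 192.168.20.15 | iptables-restore` as root (it replaces the whole nat table, so keep the PREROUTING rules in it, as the functions above do), then confirm with `iptables -t nat -S OUTPUT` and rerun check_http against the eth0 address. The addrtype variant is the one to prefer where the interface address can change, since a renumbered host silently loses the redirect otherwise.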