monit-general

[monit] How is connectivity testing actually implemented


From: Ciprian Dorin, Craciun
Subject: [monit] How is connectivity testing actually implemented
Date: Wed, 5 May 2010 23:21:59 +0300

    Hello all!

    I have a technical question about how the following test is
actually implemented in monit:

~~~~
check host some-host
    address some-ip
    if failed port 80 type tcp then alert
~~~~

    I'm asking this because I run monit on a router and I'm testing
some local port which is forwarded (through iptables DNAT) to another
host (I do this test in monit because I also want to test if the
forwarding works).
    It seems that monit successfully makes the connection, but then
iptables reports to me (through LOG) some invalid packets (as in -m state
--state INVALID)...

    Now, if I look with netstat I don't see any actual
connection being made for that check (or any other check of this
type). Moreover, I've tried to match those packets that don't have a
socket (as in -m owner ! --socket-exists) and I've found them matching
my test patterns.

    So I'm concluding that monit "fabricates" TCP SYN packets and just
sends them through a raw IP socket. Is this correct? And if so, does
anyone have some tips on how to solve this issue with the invalid
packets in iptables?

    Thanks,
    Ciprian.


    Here are the iptables rules I use (not the entire iptables
contents, but the relevant rules):

~~~~
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
...
iptables -t filter -A INPUT -m state --state INVALID -j LOG
~~~~

~~~~
iptables -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
...
iptables -t filter -A OUTPUT -m state --state INVALID -j LOG
~~~~

~~~~
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
...
iptables -t filter -A FORWARD -d host-ip -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -d router-ip -p tcp --dport 80 -s 10.0.0.0/8 -m state --state NEW -j MARK --set-mark 1
iptables -t nat -A PREROUTING -d router-ip -p tcp --dport 80 -m state --state NEW -j DNAT --to host-ip:80
iptables -t nat -A OUTPUT -d router-ip -p tcp --dport 80 -m state --state NEW -j MARK --set-mark 1
iptables -t nat -A OUTPUT -d router-ip -p tcp --dport 80 -m state --state NEW -j DNAT --to host-ip:80
...
iptables -t filter -A FORWARD -m state --state INVALID -j LOG
~~~~

~~~~
iptables -t nat -I POSTROUTING -m mark --mark 1 -j MASQUERADE
~~~~
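For reference, the following is an added example (not monit's code and not part of the original post) of the kind of check `if failed port 80 type tcp` describes when it is implemented with an ordinary kernel socket: a real SYN/SYN-ACK/ACK handshake through connect(), a timeout, and an orderly shutdown. Whether monit itself does exactly this is the question the post raises and is not answered here. The local listener, the helper names (`check_tcp_port`, `start_listener`, `find_closed_port`, `demo`) and the ports are constructed for an offline demonstration.

```python
import socket
import threading
from contextlib import closing


def check_tcp_port(host, port, timeout=5.0):
    """Return (ok, detail) for a TCP port check done through the kernel socket API.

    connect() performs the full three-way handshake, so the connection is
    visible in netstat/ss, it has a socket owner (-m owner --socket-exists
    matches it), and conntrack sees the SYN as NEW and the rest as ESTABLISHED.
    shutdown() makes the FIN teardown part of the same tracked flow.
    """
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)) as s:
            local_ip, local_port = s.getsockname()[:2]
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass  # peer may already have closed; nothing to do
            return True, "connected from %s:%d" % (local_ip, local_port)
    except socket.timeout:
        return False, "timeout after %.1fs" % timeout
    except OSError as e:
        return False, "connect failed: %s" % e


def start_listener(host="127.0.0.1"):
    """Constructed local TCP listener so the check can be run offline.
    Returns (port, stop_fn); the listener accepts and immediately closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))           # port 0: let the kernel pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        srv.settimeout(0.2)       # poll so the thread can notice stop
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            conn.close()
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()

    def stop_fn():
        stop.set()
        t.join()

    return port, stop_fn


def find_closed_port(host="127.0.0.1"):
    """Bind and release an ephemeral port to obtain one that is (almost certainly) closed,
    so the negative case (connection refused) can be demonstrated."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo():
    """Run one check against an open local port and one against a closed port."""
    port, stop = start_listener()
    try:
        up = check_tcp_port("127.0.0.1", port, timeout=2.0)
    finally:
        stop()
    down = check_tcp_port("127.0.0.1", find_closed_port(), timeout=2.0)
    return up, down


if __name__ == "__main__":
    up, down = demo()
    print("open port:  ", up)
    print("closed port:", down)
```

Run on the router with the rules above, a check of this form originates in the OUTPUT chain: the SYN is the only NEW packet of the flow (and is what the nat OUTPUT rules for router-ip would match), everything after it is ESTABLISHED, and the flow is attributable to a local socket. That is the baseline to compare against when reading the INVALID log entries the post describes: packets with no owning socket are, by construction, not produced by a check of this kind.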



