I have installed MongoDB on a local machine by following this tutorial and this one as well. I used my local user (using sudo in all commands) and then I do:
sudo service mongod start
It says start: Job is already running: mongod. Then when I run this command:
sudo mongo
I get
MongoDB shell version: 2.6.0
connecting to: test
2014-07-08T12:33:40.360+0200 warning: Failed to connect to 127.0.0.1:27017, reason: errno:113 No route to host
2014-07-08T12:33:40.361+0200 Error: couldn't connect to server 127.0.0.1:27017 (127.0.0.1), connection attempt failed at src/mongo/shell/mongo.js:146
exception: connect failed
This is also the output of netstat -tpln:
(No info could be read for "-p": geteuid()=1000 but you should be root.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:27017 0.0.0.0:* LISTEN -
Also, this is the output of sudo /sbin/iptables -L -n:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5432
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8080
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:3306
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 255
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
ACCEPT tcp -- 127.0.0.1 0.0.0.0/0 tcp dpt:27017 state NEW,ESTABLISHED
ACCEPT tcp -- 127.0.0.1 0.0.0.0/0 tcp dpt:27017 state NEW,ESTABLISHED
ACCEPT tcp -- 127.0.0.1 0.0.0.0/0 tcp dpt:27017 state NEW,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 127.0.0.1 tcp spt:27017 state ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 127.0.0.1 tcp spt:27017 state ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 127.0.0.1 tcp spt:27017 state ESTABLISHED
I have followed several proposed solutions and none of them worked. Any suggestions?
This is most likely a firewall issue in your distro. Based on the output from iptables, the mongod process is there listening on port 27017, but you need to get rid of this firewall rule:
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
This seems to be the cause of the problem. To find out, flushing the rules in iptables (-F) and/or disabling ufw in Ubuntu may solve the issue.
I have a new k8s install (kube-proxy in iptables mode) and I am trying to learn how iptables is set up. I noticed this entry in the FORWARD chain:
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Looking at proxy/iptables/proxier.go, nothing could have added the above entry as far as I can tell. How did that entry get added there? The following is the entire FORWARD chain:
Chain FORWARD (policy DROP)
target prot opt source destination
KUBE-FORWARD all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes forwarding rules */
KUBE-SERVICES all -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW /* kubernetes service portals */
DOCKER-ISOLATION all -- 0.0.0.0/0 0.0.0.0/0
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
ACCEPT all -- 10.244.0.0/16 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 10.244.0.0/16
The k8s is 1.15.2 release.
It turns out this entry was added by firewalld in CentOS 7 by default.
I've got the following problem:
My router (FritzBox) is set to forward all incoming traffic (via exposed host) to my server (192.168.0.1).
I have an HAProxy running on an lxc container (192.168.0.100) which is forwarding HTTP traffic to some other lxc containers; this is working fine.
The problem is, when I run the following command (curl to my proxy) I get the right answer back:
curl --verbose --header 'Host: myrealdomain.tld' http://192.168.0.100
* Rebuilt URL to: http://192.168.0.100/
* Trying 192.168.0.100...
* Connected to 192.168.0.100 (192.168.0.100) port 80 (#0)
> GET / HTTP/1.1
> Host: murdr.eu
> User-Agent: curl/7.47.0
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 503 Service Unavailable
< Cache-Control: no-cache
< Connection: close
< Content-Type: text/html
<
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>
* Closing connection 0
But when running the same command (curl to my server which should forward the traffic to the Proxy) I can't connect, because the connection is refused:
curl --verbose --header 'Host: myrealdomain.tld' http://192.168.0.1
* Rebuilt URL to: http://192.168.0.1/
* Trying 192.168.0.1...
* connect to 192.168.0.1 port 80 failed: Connection refused
* Failed to connect to 192.168.0.1 port 80: Connection refused
* Closing connection 0
curl: (7) Failed to connect to 192.168.0.1 port 80: Connection refused
(myrealdomain.tld is replaced with my real domain, here I changed it for security reasons)
Here are my iptables rules (I've tested various things and flushed them often, but nothing was working).
I've cleared them now; better to start fresh.
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
iptables -S (as asked by Luke Mlsna)
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
Apache2 was running on my server, but I deleted it after setting up the proxy container and the iptables rules.
Here are the open ports; there is no port 80:
lsof -i -P -n
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd-n 938 systemd-network 19u IPv6 33240 0t0 UDP [fe80::f64d:30ff:fe66:8010]:546
systemd-r 980 systemd-resolve 12u IPv4 22967 0t0 UDP 127.0.0.53:53
systemd-r 980 systemd-resolve 13u IPv4 22968 0t0 TCP 127.0.0.53:53 (LISTEN)
nmbd 1108 root 15u IPv4 22474 0t0 UDP *:137
nmbd 1108 root 16u IPv4 22475 0t0 UDP *:138
nmbd 1108 root 17u IPv4 38559 0t0 UDP 192.168.0.1:137
nmbd 1108 root 18u IPv4 38560 0t0 UDP 192.168.1.255:137
nmbd 1108 root 19u IPv4 38561 0t0 UDP 192.168.0.1:138
nmbd 1108 root 20u IPv4 38562 0t0 UDP 192.168.1.255:138
sshd 1200 root 3u IPv4 25135 0t0 TCP *:22 (LISTEN)
sshd 1200 root 4u IPv6 25137 0t0 TCP *:22 (LISTEN)
lxd 1273 root 13u IPv6 27850 0t0 TCP *:8443 (LISTEN)
mysqld 1501 mysql 39u IPv4 27943 0t0 TCP 127.0.0.1:3306 (LISTEN)
smbd 3606 root 32u IPv6 37803 0t0 TCP *:445 (LISTEN)
smbd 3606 root 33u IPv6 37804 0t0 TCP *:139 (LISTEN)
smbd 3606 root 34u IPv4 37805 0t0 TCP *:445 (LISTEN)
smbd 3606 root 35u IPv4 37806 0t0 TCP *:139 (LISTEN)
sshd 6140 root 3u IPv4 59450 0t0 TCP 192.168.0.1:22->192.168.0.43:62339 (ESTABLISHED)
sshd 6350 unicorn 3u IPv4 59450 0t0 TCP 192.168.0.1:22->192.168.0.43:62339 (ESTABLISHED)
I'm sending my traffic now directly to HAProxy from my router, no server in between.
Working as a charm!
I am running a CentOS 7 machine and when I try to telnet localhost 8080 I get the following message:
Trying ::1...
Telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Telnet: connect to address 127.0.0.1: Connection refused
I have added 8080/tcp to the iptables rules and have opened the port. Any idea what is stopping it?
That's simple: port 8080 is not opened, just like #Esse told you.
You can also check the connection with echo:
echo OK > /dev/tcp/localhost/8080
echo $?
You can list opened ports using netstat:
netstat -tulpn | grep 8080
Edit:
You can test that the port is not opened by trying to open the port yourself:
# open port 8080 using netcat
nc -l 8080 &
# check connection
netstat -tulpn | grep 8080
telnet localhost 8080
echo OK > /dev/tcp/$(hostname -f)/8080
nc 127.0.0.1 8080
same
$ sudo iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere !localhost/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 anywhere
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Just installed MongoDB on CentOS 6. Trying to connect to the mongo shell with the command "mongo", but got this error message:
2015-09-26T07:07:35.309+0000 W NETWORK Failed to connect to 127.0.0.1:27017 after 5000 milliseconds, giving up.
2015-09-26T07:07:35.316+0000 E QUERY Error: couldn't connect to server 127.0.0.1:27017 (127.0.0.1), connection attempt failed
at connect (src/mongo/shell/mongo.js:179:14)
at (connect):1:6 at src/mongo/shell/mongo.js:179
However, once I stop my firewall (iptables stop) I can access the mongo shell.
Here are my iptables rules:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:28017
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 127.0.0.1 0.0.0.0/0 tcp dpt:27017 state NEW,ESTABLISHED
LOGGING all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:51396
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 127.0.0.1 tcp spt:27017 state ESTABLISHED
Chain LOGGING (1 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 2/min burst 5 LOG flags 0 level 4 prefix `IPTables-Dropped: '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Searched and tried different solutions.
Remove lock, repair, reset iptables; nothing helps.
These are the iptables logs of dropped packets:
Sep 26 06:59:38 xxx kernel: IPTables-Dropped: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=27017 DPT=51396 WINDOW=32768 RES=0x00 ACK SYN URGP=0
Sep 26 07:04:47 xxx kernel: IPTables-Dropped: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=27017 DPT=59830 WINDOW=32768 RES=0x00 ACK SYN URGP=0
Can't figure out why it's still blocking 27017.
Open Port (27017) in Firewall.
I have a VM (Ubuntu 12.04.4 LTS) with mongodb (2.0.4) that I want to restrict with iptables to only accepting SSH (in/out) and nothing else.
This is what my setup script looks like to set up the rules:
#!/bin/sh
# DROP everything
iptables -F
iptables -X
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
# input
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -j ACCEPT # accept all ports for local conns
# output
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT # ssh
But with these rules activated, I can't connect to mongodb locally.
ubuntu ~ $ mongo
MongoDB shell version: 2.0.4
connecting to: test
Fri Mar 28 09:40:40 Error: couldn't connect to server 127.0.0.1 shell/mongo.js:84
exception: connect failed
Without them, it works fine. Is there any special firewall case one needs to consider when deploying mongodb?
I tried installing mysql, and it works perfectly for local connections.
SSH works as expected (can connect from outside and inside).
The iptables rules look like this once set:
ubuntu ~ $ sudo iptables -nvL
Chain INPUT (policy DROP 8 packets, 1015 bytes)
pkts bytes target prot opt in out source destination
449 108K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
32 2048 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 27 packets, 6712 bytes)
pkts bytes target prot opt in out source destination
379 175K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Outbound traffic must be accepted for the loopback (127.0.0.1) as well.
Adding this made it work:
iptables -A OUTPUT -o lo -j ACCEPT
You might want to try substituting the line
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
With
iptables -A INPUT -i lo -j ACCEPT
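Both MongoDB threads above (the CentOS 6 one with the IPTables-Dropped log lines, and the Ubuntu 12.04 one fixed by `-o lo`) come down to iptables first-match ordering, the same mechanism that puts the catch-all REJECT ahead of the 27017 ACCEPT rules in the first thread. The following is an added example, not code from any post here: a small first-match walker fed with the rule listings as posted, which shows exactly which rule (or chain policy) produces each verdict; the port numbers and states are taken from the posts, and the conntrack state of each packet is assumed as noted in the comments.

```python
"""First-match walk over an iptables chain (added example, not code from any
post above). It models only the matches these threads use: protocol, source
CIDR, interface, tcp dpt/spt and conntrack state. Rule fields are
(target, proto, src, iface, dport, spt, states); None or empty = no match on that field."""
import ipaddress

ANY = "0.0.0.0/0"

def evaluate(policy, rules, pkt):
    """Walk rules top to bottom; return (verdict, 1-based rule number), or the
    chain policy with None when nothing matched. Position decides everything."""
    for n, (target, proto, src, iface, dport, spt, states) in enumerate(rules, 1):
        if (proto in ("all", pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src)
                and iface in (None, pkt["iface"])
                and dport in (None, pkt["dport"]) and spt in (None, pkt["sport"])
                and (not states or pkt["state"] in states)):
            return target, n
    return policy, None

# INPUT chain of the CentOS 6 question, in listed order (policy DROP); the LOGGING
# chain is collapsed to its final DROP. The RELATED,ESTABLISHED ACCEPT is last.
INPUT_CENTOS6 = (
    [("ACCEPT", "tcp", ANY, None, p, None, set()) for p in (28017, 8080, 3306, 21, 443, 80)]
    + [("ACCEPT", "tcp", "192.168.1.0/24", None, 22, None, set()),
       ("ACCEPT", "tcp", ANY, None, 22, None, set()),
       ("ACCEPT", "tcp", "127.0.0.1", None, 27017, None, {"NEW", "ESTABLISHED"}),
       ("DROP", "all", ANY, None, None, None, set()),
       ("ACCEPT", "tcp", ANY, None, 51396, None, set()),
       ("ACCEPT", "all", ANY, None, None, None, {"RELATED", "ESTABLISHED"})])
# OUTPUT chain from the Ubuntu 12.04 setup script (policy DROP).
OUTPUT_UBUNTU = [("ACCEPT", "all", ANY, None, None, None, {"RELATED", "ESTABLISHED"}),
                 ("ACCEPT", "tcp", ANY, None, 22, None, set())]
FIX_LO = ("ACCEPT", "all", ANY, "lo", None, None, set())  # iptables -A OUTPUT -o lo -j ACCEPT

# mongod's SYN-ACK coming back over lo, i.e. the logged packet (SPT=27017 DPT=51396).
# Assumed ESTABLISHED: conntrack marks the reply direction of a tracked connection so.
SYNACK_LO = dict(proto="tcp", src="127.0.0.1", iface="lo", dport=51396, sport=27017, state="ESTABLISHED")
# The shell's opening SYN towards mongod, as the OUTPUT chain sees it (state NEW).
SYN_LO = dict(proto="tcp", src="127.0.0.1", iface="lo", dport=27017, sport=51396, state="NEW")

def diagnose():
    """Verdicts for the situations the two threads describe."""
    return {
        "centos6_input_synack": evaluate("DROP", INPUT_CENTOS6, SYNACK_LO),          # ('DROP', 10)
        "ubuntu_output_syn": evaluate("DROP", OUTPUT_UBUNTU, SYN_LO),                # ('DROP', None)
        "ubuntu_output_syn_fixed": evaluate("DROP", OUTPUT_UBUNTU + [FIX_LO], SYN_LO),  # ('ACCEPT', 3)
    }

if __name__ == "__main__":
    for name, (verdict, rule) in diagnose().items():
        print(f"{name}: {verdict} (rule {rule if rule else 'chain policy'})")
```

The CentOS 6 SYN-ACK dies at rule 10 (the LOGGING drop) because the only earlier ACCEPT for 127.0.0.1 requires dpt:27017 and the ESTABLISHED ACCEPT comes after it; the Ubuntu SYN never reaches INPUT because OUTPUT has no rule for a NEW packet to 27017 until the `-o lo` rule is added.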