I know for a fact that iptables running is causing my instance of Apache Solr to be inaccessible. How do I know this? Because I ran:
/sbin/service iptables save && /sbin/service iptables stop
Once I did this, everything worked flawlessly.
I would like to continue using my firewall however, adding the necessary rules for it doesn't seem to be working. I have exhausted what I thought would work:
/sbin/service iptables start
/sbin/iptables -A RH-Firewall-1-INPUT -p tcp -s 127.0.0.1 --dport 8983 -j ACCEPT
/sbin/service iptables save
Still not working
/sbin/iptables -D RH-Firewall-1-INPUT -p tcp -s 127.0.0.1 --dport 8983 -j ACCEPT
/sbin/iptables -A RH-Firewall-1-INPUT -p tcp --dport 8983 -j ACCEPT
/sbin/service iptables save
Still not working
I even tried doing a general ACCEPT on the 8983 port:
/sbin/iptables -A INPUT -p tcp --dport 8983 -j ACCEPT
/sbin/service iptables save
Still not working!
Ideas?
**/sbin/iptables -L -n -v**
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
215K 50M RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8983
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 279K packets, 286M bytes)
pkts bytes target prot opt in out source destination
Chain RH-Firewall-1-INPUT (2 references)
pkts bytes target prot opt in out source destination
14286 19M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
8 672 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
181K 29M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 164 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:55
148 7676 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8008
2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
11208 621K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
2202 123K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
5372 951K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
UPDATE (added before last rule):
*# /sbin/iptables -L -n -v --line-numbers*
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 585K 123M RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 782K packets, 822M bytes)
num pkts bytes target prot opt in out source destination
Chain RH-Firewall-1-INPUT (2 references)
num pkts bytes target prot opt in out source destination
1 31867 43M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 27 2232 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
3 0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
5 0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
6 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
7 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
8 502K 76M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
9 4 268 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:55
10 189 9780 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8008
11 8 480 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
12 29633 1656K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
13 6138 345K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
14 14841 2635K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
*# /sbin/iptables --insert RH-Firewall-1-INPUT 14 -p tcp --dport 8983 -j ACCEPT
# /sbin/iptables -L -n -v --line-numbers*
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 599K 127M RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 801K packets, 841M bytes)
num pkts bytes target prot opt in out source destination
Chain RH-Firewall-1-INPUT (2 references)
num pkts bytes target prot opt in out source destination
1 32631 44M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 27 2232 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
3 0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
5 0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
6 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
7 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
8 514K 78M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
9 4 268 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:55
10 292 15136 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8008
11 8 480 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
12 30425 1701K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
13 6304 355K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
14 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8983
15 15130 2690K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Even though the ACCEPT rule was added before the last line of the RH-Firewall-1-INPUT Chain, it is still not working
The order of iptables rules is important, as first-match-wins. Red Hat, like most sensible people, usually puts a blanket REJECT at the end of its chain, and adding rules to permit solr traffic - or any other kind of traffic - after that won't help, as the packet will never get that far down the chain.
If this is what's biting you, you need to do an
iptables -L -n -v --line-number, find the number of the blanket rule at the end, and useiptables -I RH-Firewall-1-INPUT n ...to insert your ACCEPT at line numbern, where n is less than the number of the blanket REJECT.Edit: thanks for the listing. See that blanket
REJECT all -- * *at the end? There's no point adding yourACCEPTafter that, as you'll never get that far. Try doing the--line-numberlisting to find out where you need to insert that line - anywhere before the last line should do - and see if that works.Edit 2: can you also confirm that
netstat -an|grep 8983on the server returns something sensible?Edit 3: then your server's not listening on port 8983, which is why you can't connect to it even after opening up the port in the firewall. If you had a listener on that port, you'd see something like
The above example being taken from my webserver, which is why it's port 443 not 8983. You're going to need to find out why there's no listener on 8983 before we can make any more progress.
Edit 4: you can't connect to a daemon that's not listening. I know you said that "taking down the firewall fixes everything", and that may have been true when the daemon was listening; but right now I doubt it. If you're willing to repeat the experiment: taking the firewall down, confirming that
netstat -an|grep 8983on the server still returns nothing, and then showing thattelnet server 8983gives a connection, I shall be pleasantly surprised.Edit 5: glad to help!