LinuxQuestions.org > Forums > Linux - Security

#1  miccze (LQ Newbie, Registered: Sep 2018, Distribution: CentOS)  08-01-2019, 06:55 AM
firewalld doesn't open port


Hello all,

I have a problem with opening a port in firewalld on CentOS 7.
Situation:
I have server Alfa, on which I run Tomcat, and I configured a JMX port to get data about Java on port 9999.
Now, on server Beta, I set up a Docker container with the jmx-scraper image to scrape the data about Tomcat on server Alfa (configured to read data from port 9999 on server Alfa). The problem is that the scraper cannot access port 9999 when the firewall is started on server Alfa. When I stop the firewall, the scraping works fine.
Firewall details:
Code:
firewall-cmd --zone=public --list-ports --permanent
10051/tcp 10050/tcp 80/tcp 443/tcp 8080/tcp 9100/tcp 9999/udp 9999/tcp
Code:
firewall-cmd --get-active-zones
public
  interfaces: eth0
Code:
firewall-cmd --zone=public --list-all --permanent
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 10051/tcp 10050/tcp 80/tcp 443/tcp 8080/tcp 9100/tcp 9999/udp 9999/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Code:
netstat -plaunt | grep 9999
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN      23434/java

I tried to interfere with direct mode, but it also doesn't seem to help. The iptables service is disabled.
Logs from the container:
Code:
SEVERE: JMX scrape failed: java.rmi.ConnectIOException: Exception creating connection to: <server Alfa>; nested exception is:
        java.net.NoRouteToHostException: No route to host (Host unreachable)

When I stop the firewall on server Alfa, it immediately starts to work.
 
#2  berndbausch (LQ Addict, Registered: Nov 2013, Location: Tokyo, Distribution: Mostly Ubuntu and CentOS)  08-01-2019, 08:41 AM

Are you sure that Beta uses 9999? Have you tried connecting to Alpha with other clients, such as telnet or netcat?
 
#3  miccze (Original Poster)  08-01-2019, 10:22 AM

Once the firewall is stopped, the scraper gets data from Tomcat, which serves it on port 9999.

Also, netstat from the scraper:
Code:
bash-4.4# netstat -plaunt | grep 9999
tcp        0      0 ::ffff:172.17.0.3:35600 ::ffff:<alfa'sIP>:9999 TIME_WAIT   -
(meaning it tries to make a connection to alfa:9999)

nc from the scraper:
Code:
nc -vz alfa 9999
alfa (alfa'sIP:9999) open
Configuration of the scraper:
Code:
cat /opt/jmx_exporter/config.yml
startDelaySeconds: 0
hostPort: alfa:9999
username:
password:
ssl: false
lowercaseOutputName: false
lowercaseOutputLabelNames: false
rules:
- pattern: '.*'

So theoretically the port is open; the scraper tries to scrape from port 9999, but the connection ends up in TIME_WAIT. Once the firewall is stopped, the scraper works and Tomcat exports the data over the JMX port, which is 9999, so the scraper tries to scrape from alfa:9999.
What does that mean? What is wrong?
 
#4  miccze (Original Poster)  08-02-2019, 03:26 AM

The issue is resolved. It turns out that the scraper also uses an RMI port for scraping, so it needed two ports open. As I didn't know that, Tomcat didn't have an RMI port specified, so it was using a random port for that. And this random port was, obviously, blocked by the firewall.
Some info about it:
http://www.perftactique.com/2018/03/...-the-firewall/

You can configure the RMI port to be the same as the JMX port in Tomcat's configuration:
-Dcom.sun.management.jmxremote.port=9999 -Dcom.sun.management.jmxremote.rmi.port=9999

Once the RMI port was specified and port 9999 was opened in the firewall, it worked.

Anyway, thanks for your contribution, berndbausch.

Cheers.
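The fix in post #4 has two parts a practitioner will want to be able to reproduce and verify: pin the JMX registry port and the RMI connector port to one value, and then confirm from the listening sockets that the JVM no longer owns a second, random port. The script below is an added example written for this thread, not code from the poster, the jmx_exporter project or firewalld. It assumes a scraper address of 203.0.113.20 for server Beta, the Tomcat PID 23434 from the thread's netstat output, and a constructed sample of `ss -Hltnp` output standing in for a live system. It also goes one step beyond the thread: instead of opening 9999/tcp and 9999/udp to every source (JMX over RMI is TCP only, and with authenticate=false anyone who reaches the port can invoke MBeans), it limits the port to the scraper host with a firewalld rich rule.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Pins Tomcat's JMX and RMI ports to
# one value, shows how to spot the extra random RMI listener that the firewall
# was blocking, and restricts the opened port to the scraper host.
# Assumed values: server Beta is 203.0.113.20; Tomcat's PID is 23434 (from the
# thread's netstat line); the ss output below is constructed, not captured.
set -eu

JMX_PORT=9999
SCRAPER_IP="203.0.113.20"   # assumed address of server Beta
TOMCAT_PID=23434            # PID shown in the thread's netstat output

# JVM flags for Tomcat (put them in CATALINA_OPTS). Without jmxremote.rmi.port
# the RMI connector is exported on a random ephemeral port, so a rule for 9999
# alone is never enough. authenticate=false/ssl=false mirror the scraper's
# config.yml; they leave MBean invocation open to anyone who reaches the port,
# so the source restriction in the firewalld rule below is the only access
# control. Prefer authenticate=true with password.file/access.file where the
# scraper can send credentials.
tomcat_jmx_opts() {
  local port="$1"
  echo "-Dcom.sun.management.jmxremote" \
       "-Dcom.sun.management.jmxremote.port=${port}" \
       "-Dcom.sun.management.jmxremote.rmi.port=${port}" \
       "-Dcom.sun.management.jmxremote.authenticate=false" \
       "-Dcom.sun.management.jmxremote.ssl=false" \
       "-Djava.rmi.server.hostname=alfa"   # address the RMI stub hands to clients
}

# Ports on which a given PID is listening, extracted from `ss -Hltnp` output
# passed as $2. Live use on Alfa: listen_ports_for_pid "$TOMCAT_PID" "$(ss -Hltnp)"
# A java PID with more than the expected ports means the RMI port is not pinned.
listen_ports_for_pid() {
  local pid="$1" ss_output="$2"
  printf '%s\n' "$ss_output" \
    | awk -v pid="$pid" '$1 == "LISTEN" && index($0, "pid=" pid ",") {
          n = split($4, a, ":"); print a[n] }' \
    | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample of `ss -Hltnp` on server Alfa before the fix: 9999 is the
# JMX registry, 41733 is the random RMI port the thread was missing, 8080 is
# Tomcat's HTTP connector, 22 belongs to sshd.
SAMPLE_SS='LISTEN 0 50 *:9999 *:* users:(("java",pid=23434,fd=25))
LISTEN 0 50 *:41733 *:* users:(("java",pid=23434,fd=27))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 100 [::]:8080 [::]:* users:(("java",pid=23434,fd=31))'

# firewalld commands: drop the blanket 9999/tcp and 9999/udp entries from the
# thread and allow the port from the scraper's address only. They are printed,
# not executed; run them as root on Alfa once the values are right.
firewalld_rules_for_scraper() {
  local port="$1" src="$2"
  echo "firewall-cmd --permanent --zone=public --remove-port=${port}/tcp"
  echo "firewall-cmd --permanent --zone=public --remove-port=${port}/udp"
  echo "firewall-cmd --permanent --zone=public --add-rich-rule='rule family=\"ipv4\" source address=\"${src}\" port port=\"${port}\" protocol=\"tcp\" accept'"
  echo "firewall-cmd --reload"
}

main() {
  echo "CATALINA_OPTS=\"$(tomcat_jmx_opts "$JMX_PORT")\""
  echo "java (pid ${TOMCAT_PID}) listens on: $(listen_ports_for_pid "$TOMCAT_PID" "$SAMPLE_SS")"
  firewalld_rules_for_scraper "$JMX_PORT" "$SCRAPER_IP"
}
main
```

Note that `nc -vz alfa 9999` succeeding, as in post #3, only proves the registry port is reachable: the client then connects to whatever port the returned RMI stub names, which is why the scraper saw NoRouteToHost (firewalld's reject) while nc reported the port open. After pinning both ports, the listening-socket check should show the java PID on 9999 and its HTTP ports only, and the single rich rule covers the whole exchange.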
 
Tags
centos7, firewalld, java, tomcat