5

I have an AWS ec2 instance. I have installed tomcat and now want to access it via the browser on port 8080. When I try to do so, the browser hangs. I HAVE ADDED 8080 TO THE DEFAULT SECURITY GROUP. I see that you can open different ports for different regions, I have added the port for every region.

Here is what I've done so far:

//install tomcat
# sudo yum install tomcat6
//open port on server

# sudo iptables -A INPUT -i eth0 -p tcp --sport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT


//start tomcat

# sudo service tomcat6 start

//add rule to AWS security group for port 8080
AWS dashboard > ec2 > security groups > default group > inbound rule: 8080 (HTTP*) 0.0.0.0/0


//check via cli that tomcat is running on port 8080
# udo fuser -v 8080/tcp

(successful response) 8080/tcp:            tomcat    16353 F.... java

//check via browser
http://ec2-instance-dns:8080 (browser tries to load page indefinitely)
waigani
  • Have you opened the port in AWS firewall? – Smudge Oct 03 '11 at 12:04
  • I have added the port to the default security group in AWS, as detailed in the original question. – waigani Oct 03 '11 at 22:23
  • You added the rule, but did you remember to 'Apply Rule Changes'? – pguardiario Oct 05 '11 at 07:46
  • @pguardiario yes. I went back and double checked that the rule was applied for each region. – waigani Oct 06 '11 at 02:26
  • @waigani You've added 8080 to the default security group - can you confirm that this security group is associated with the instance in question? AWS dash > ec2 > instances > instances > (click specific instance). Is the security group listed in the 'Security Groups' section of the description? If not, it needs to be, or, add your rules to the security group listed there. I just had this problem and that was my solution, but yours may be different of course :) – oli Oct 24 '11 at 00:51
  • This might sound silly, but have you tried to look at the webpage on the instance itself? Maybe something is missing from the instance... – Gyuri Feb 14 '13 at 19:11
  • Oh, and 2 more things that might be interesting: I had this happen: I enumerated my security rules from the command line and after adding it on the GUI console, the relevant one was missing. So I had to add it from the command line. The other thing is if the application itself goes down between the udo command and the browser check, the page will not load... [Again, just something that happened to me] – Gyuri Mar 14 '13 at 05:23
  • You have to ensure that the instance is using the same default security group! Anyway, really old question... How did this end up getting bumped? – hookenz Oct 18 '16 at 00:33
  • Any updates? I'm having the same exact issue. All the rules are added - port is still not forwarding. Please help – Tengiz Feb 14 '21 at 18:34

3 Answers

10

You also need to add the port in the security group in the AWS-config-panel.

Bart De Vos
  • I have added the port to the default security group in AWS, as detailed in the original question. – waigani Oct 03 '11 at 22:23
3

By default AWS EC2 instances have a security group that doesn't allow access other than SSH. You have to go and configure the security group to allow what traffic you want to allow into the instances. The browser hang you are experiencing is because of the AWS firewall not being configured to allow port 8080/tcp through so it is dropping the packets and your browser is just waiting for the response to the TCP handshake which will never happen.

Eliminate as many moving variables... Disable iptables firewall. If it works then your security group is configured properly and your iptables rule which has --sport 8080 rather than --dport 8080 would be at fault. Your udo ... command would have more than likely utilized the loopback interface if you ran it from the EC2 instance itself so it would have ignored any iptables rule affecting eth0 only.

Jeremy Bouse
  • I have added the port to the default security group in AWS, as detailed in the original question. – waigani Oct 03 '11 at 22:23
  • OK... How about does it work if you disable iptables on the EC2 instance? I just noticed your iptables rule lists "--sport 8080" rather than "--dport 8080" when I re-read your question. – Jeremy Bouse Oct 04 '11 at 01:50
  • do you mean disable the whole iptables firewall (# iptables stop)? – waigani Oct 04 '11 at 03:56
  • I ran # /etc/init.d/iptables stop then tried to reload the page, no luck. Btw url = http://ec2-50-19-157-107.compute-1.amazonaws.com:8080. I turned iptables back on after the test. – waigani Oct 04 '11 at 04:01
  • What does `netstat -plunta |grep :8080` show when run on your EC2 instance? I've been using AWS EC2 instances for over 2 years and have never had this much trouble getting a service made available. – Jeremy Bouse Oct 04 '11 at 10:49
  • tcp 0 0 :::8080 :::* LISTEN 10824/java tcp 376 0 ::ffff:10.210.214.88:8080 ::ffff:139.80.54.99:64196 ESTABLISHED 10824/java – waigani Oct 05 '11 at 21:34
  • Okay then I'm at a loss as all the details you're providing show it should be working and you're stating it's not. – Jeremy Bouse Oct 05 '11 at 22:39
  • I've assigned it an EIP: 107.20.136.74. 107.20.136.74:8080 still hangs. Is there anything else I can try? Any other information you need? – waigani Oct 06 '11 at 02:32
  • Honestly I've never had this much trouble before and I have over a dozen instances currently running with a handful of various security groups forming a layered security model from ELB -> front-end -> back-end -> database. Adding an EIP only adds more complexity. I'd start with straight EC2 instance running no iptables and ensure security group is working before adding the iptables firewall, then when that's all still working add the EIP. Make things simple and get it working then make it more complex. Easier to track problems. – Jeremy Bouse Oct 07 '11 at 00:49
  • Did you try locally if Tomcat is ok? telnet localhost 8080 and then check Tomcat's catalina.out logs to see if Tomcat started properly – unixrules Oct 15 '12 at 21:13
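
The `--sport` versus `--dport` point from the answer above, as an added example that is not code from the thread: a heuristic first-match audit over `iptables -S INPUT` text. It goes one step beyond the thread by also showing rule order, since a corrected rule appended after a catch-all REJECT is never reached. The rule sets, the REJECT tail and all function and variable names are constructed assumptions.

```shell
#!/bin/sh
# Added example: heuristic first-match audit of `iptables -S INPUT` text for one
# inbound TCP port. It ignores -i/-s scoping and is not a full iptables emulator.
audit_inbound_port() {
    rules=$1 port=$2 policy=ACCEPT hint=""
    while IFS= read -r rule; do
        case $rule in
            "-P INPUT "*) policy=${rule#-P INPUT }; continue ;;
            "-A INPUT "*) ;;
            *) continue ;;
        esac
        case " $rule " in
            *" --dport $port "*" -j ACCEPT "*)
                echo "allowed"; return 0 ;;
            *" --sport $port "*" -j ACCEPT "*)
                # Matches packets sent FROM the port (replies), never a client's SYN.
                hint=" (found --sport $port; inbound needs --dport $port)" ;;
            *" --dport "*|*" --sport "*|*" -s "*|*" -m state "*)
                ;;  # narrower rule: cannot decide a new connection to $port
            *" -j DROP "*|*" -j REJECT "*)
                echo "blocked by catch-all$hint"; return 1 ;;
        esac
    done <<EOF
$rules
EOF
    [ "$policy" = ACCEPT ] && { echo "allowed by policy"; return 0; }
    echo "blocked by policy$hint"; return 1
}

# Constructed rule sets (not from the asker's instance), in `iptables -S INPUT` form.
BASE='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
TAIL='-A INPUT -j REJECT --reject-with icmp-host-prohibited'
SPORT='-A INPUT -i eth0 -p tcp -m tcp --sport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT'
DPORT='-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT'
NL='
'
AS_POSTED="$BASE$NL$SPORT$NL$TAIL"   # the question's rule, ahead of the REJECT
APPENDED="$BASE$NL$TAIL$NL$DPORT"    # corrected rule added with -A, after the REJECT
INSERTED="$BASE$NL$DPORT$NL$TAIL"    # corrected rule added with -I, ahead of the REJECT

for name in AS_POSTED APPENDED INSERTED; do
    eval "text=\$$name"
    printf '%-10s %s\n' "$name" "$(audit_inbound_port "$text" 8080)"
done
```

On a live host the same function can be fed real rules with `audit_inbound_port "$(sudo iptables -S INPUT)" 8080`.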
-1

I usually try to toggle SELinux to "disabled" and reboot or just do

echo 0 > /sys/fs/selinux/enforce

then if that fixed it, permit the port in SELinux

Andrew