
I have a VM with two public IPs. I have installed an OpenStack controller node on the VM. I have access from the external network to the Horizon and Keystone services, which run on the apache2 web server on ports 80 and 5000 respectively.

However, when I run my Node.js Express service on port 3010, I am unable to access it from the external network. I can access it from localhost and from other VMs running on the same host.

I tried to put the following rules in iptables:

sudo iptables -A INPUT -p tcp -m tcp --dport 3010 -j ACCEPT

sudo ip6tables -A INPUT -p tcp -m tcp --dport 3010 -j ACCEPT

Following is the output of sudo iptables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
neutron-linuxbri-INPUT  all  --  anywhere             anywhere            
nova-api-INPUT  all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             controller           tcp dpt:3010

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
neutron-filter-top  all  --  anywhere             anywhere            
neutron-linuxbri-FORWARD  all  --  anywhere             anywhere            
nova-filter-top  all  --  anywhere             anywhere            
nova-api-FORWARD  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
neutron-filter-top  all  --  anywhere             anywhere            
neutron-linuxbri-OUTPUT  all  --  anywhere             anywhere            
nova-filter-top  all  --  anywhere             anywhere            
nova-api-OUTPUT  all  --  anywhere             anywhere            

Chain neutron-filter-top (2 references)
target     prot opt source               destination         
neutron-linuxbri-local  all  --  anywhere             anywhere            

Chain neutron-linuxbri-FORWARD (1 references)
target     prot opt source               destination         

Chain neutron-linuxbri-INPUT (1 references)
target     prot opt source               destination         

Chain neutron-linuxbri-OUTPUT (1 references)
target     prot opt source               destination         

Chain neutron-linuxbri-local (1 references)
target     prot opt source               destination         

Chain neutron-linuxbri-sg-chain (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain neutron-linuxbri-sg-fallback (0 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             /* Default drop rule for unmatched traffic. */

Chain nova-api-FORWARD (1 references)
target     prot opt source               destination         

Chain nova-api-INPUT (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             controller           tcp dpt:8775

Chain nova-api-OUTPUT (1 references)
target     prot opt source               destination         

Chain nova-api-local (1 references)
target     prot opt source               destination         

Chain nova-filter-top (2 references)
target     prot opt source               destination         
nova-api-local  all  --  anywhere             anywhere 

Following is the output of sudo netstat -nap | grep 3010:

tcp6    0    0    :::3010    :::*    LISTEN    7538/node 

which is the same as sudo netstat -nap | grep 80:

tcp6    0    0    :::80    :::*    LISTEN    2932/apache2

which is also the same as sudo netstat -nap | grep 5000:

tcp6    0    0    :::5000    :::*    LISTEN    2932/apache2

I can't even telnet to 3010 from the external network.

I only have access to the VM and not its host. So I cannot set any NAT or port forwarding on the host.

Also, I don't think any port forwarding rules are set for ports 80 and 5000, as these services were started automatically by OpenStack after the VM was created (and I don't have access to the host, so I can't set such port forwarding rules myself).

ufw is disabled as well. I checked using sudo ufw status, which shows it as inactive.

I need to know what I can do to access my service running on port 3010 from the external network.

Marki
  • Please learn to format your questions in order for them to be readable if you expect anyone to spend time with them. See the help section of the editor. You can mark code as such and the post will look nice. – Marki Apr 06 '16 at 23:01

1 Answer

I hate iptables -L output. Not sure how anyone reads it. iptables-save is king and iptables -S will usually do in a pinch. (Just personal anecdotes.)

Let's run through the troubleshooting process:

Iptables

As far as I can tell, the only DROP statement in your firewall is never referenced (i.e. unreachable). If port 80 is working without a special firewall statement, it is probably safe to say that the firewall is not the issue. If you want to be entirely sure, disable the firewall: flush the tables and set it to fully open. My assumption is that the connection still won't work.

Listening

Since netstat reports the process as listening on the given port, we can assume that the port has been bound to.

This leaves us with two directions to go for troubleshooting. Inward toward the application and outward toward your [end-user] connection.

Accepting

The application needs to bind to a port to LISTEN. Once that is done, the application must ACCEPT any incoming connections. I doubt that there is an issue in this exact spot, but it is a possibility that there is some kind of error in the application logic that hangs it somewhere and prevents it from accepting connections.

ssh user@yourserver.example.com
> telnet 127.0.0.1 3010

If you get a connection, it is not an issue with the ACCEPT within the application.

External Influences

If you are able to get a connection to the server from the server, some external entity is interfering. Changing the application to listen on another port may allow the traffic to pass, but you must still determine whether the interfering firewall/etc. is on your premises or somewhere between your own demarc and your server.

Failing all of this, you might try:

 -A INPUT -m tcp -p tcp --dport 3010 -j LOG
 -A OUTPUT -m tcp -p tcp --sport 3010 -j LOG

just to see if there is anything strange happening with the TCP stack that might point you toward a solution. tcpdump is an alternative to the iptables rules.

Daniel Widrick
  • Thanks Daniel for your comment. I found that the issue is with the firewall. I am doing an academic project. The VM I am connecting to is hosted on a server behind the university firewall. The university firewall only provides access to ports 22 & 80 from external networks. As in the case of port 5000, if we look closely, the process listening on ports 80 and 5000 is the same. So I guess there is a forwarding rule on port 80 to redirect all the traffic to port 5000. – Varun Risbud Apr 08 '16 at 08:53