6

I've installed Elastic Search 1.7.4 on CentOS 7.2 this way:

```bash
wget https://download.elastic.co/elasticsearch/elasticsearch/elasticsearch-1.7.4.noarch.rpm
sudo rpm -ivh elasticsearch-1.7.4.noarch.rpm
```

The service is started and ES works (verified with curl), however, it only listens to IPv6 with default configuration. netstat -na gives me the following:

```
tcp6       0      0 :::9200                 :::*                    LISTEN
tcp6       0      0 :::9300                 :::*                    LISTEN
```

Using nmap from other servers I see that ports 9200 and 9300 are filtered, firewall is disabled.

Editing /etc/elasticsearch/elasticsearch.yml and setting:

```yaml
network.bind_host: 0.0.0.0
```

doesn't change anything. Setting this to the external IPv4 address of the server does add the additional two entries in netstat -na output, but I need ES to be accessible to my local network, so this is useless and netstat still registers this as tcp6.

```
tcp6       0      0 192.168.0.54:9200       :::*                    LISTEN
tcp6       0      0 192.168.0.54:9300       :::*                    LISTEN
```

Setting:

```yaml
network.bind_host: _eth0:ipv4_
```

causes ES to bind to the local IPv4 and then it is of course only available from the local server. Omitting the "ipv4" part causes ES to bind to IPv6 address of the NIC.

How do I enable ES to bind to IPv4? I have no alternative, my network is IPv4 only and I have to use this old version of ES because I'm running some applications that require this version.

miloske85
  • what's the output of `ip addr` – Jacob Evans Oct 22 '16 at 20:17
  • 2: enp0s3: mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 08:00:27:b4:6c:f7 brd ff:ff:ff:ff:ff:ff inet 192.168.0.54/24 brd 192.168.0.255 scope global enp0s3 valid_lft forever preferred_lft forever inet6 fe80::a00:27ff:feb4:6cf7/64 scope link valid_lft forever preferred_lft forever – miloske85 Oct 22 '16 at 20:54
  • 1: lo: mtu 65536 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever – miloske85 Oct 22 '16 at 20:55
  • try `network.bind_host: _enp0s3:ipv4_` ? or use `network.host: _non_loopback_` and remove `network.bind_host` and `network.publish_host` – Jacob Evans Oct 22 '16 at 20:58
  • @JacobEvans already tried, it binds to IPv4, but then ES is available only from localhost. It should bind to 0.0.0.0 – miloske85 Oct 22 '16 at 21:00
  • that is really strange, I would try removing all network.bind options, and then install with the yum repo file instead of the RPM, never had this issue with a few hundred ES Servers built. – Jacob Evans Oct 22 '16 at 21:21
  • "filtered" means just that. Check your firewall again. – Michael Hampton Oct 22 '16 at 22:39
  • @MichaelHampton This is freshly installed CentOS VM, no firewall was installed and I checked that iptables and ufw are not present. I can SSH into the machine. Unless I'm missing something this isn't a firewall issue – miloske85 Oct 23 '16 at 18:35
  • A freshly installed CentOS _does_ have a running firewall by default. See [the documentation](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html) to learn how to configure it. – Michael Hampton Oct 23 '16 at 18:36
  • @MichaelHampton That was it! I guess I'm spending too much time with Debian/Ubuntu. – miloske85 Oct 23 '16 at 18:47

3 Answers

7

From unix exchange.

This is happening because by default, AF_INET6 sockets will actually work for both IPv4 and IPv6. See section 3.7 - Compatibility with IPv4 Nodes of RFC 3493 - Basic Socket Interface Extensions for IPv6

But as you've figured out, firewalld is enabled out of the box.

Create this file at /etc/firewalld/services/elasticsearch.xml:

```xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Elasticsearch</short>
  <description>Elasticsearch is a distributed, open source search and analytics engine, designed for horizontal scalability, reliability, and easy management.</description>
  <port protocol="tcp" port="9300"/>
  <port protocol="tcp" port="9200"/>
</service>
```

Update permissions

```bash
chmod 0400 /etc/firewalld/services/elasticsearch.xml
chown root: /etc/firewalld/services/elasticsearch.xml
```

Run these commands

```bash
firewall-cmd --zone=public --add-service=elasticsearch --permanent
firewall-cmd --reload
```

Jacob Evans
2

This is a common pitfall with ES, because there are two network settings that need to be set: network.bind_host AND network.publish_host. Because of this, the ES devs have added this shortcut:

```yaml
network.host: 0.0.0.0
```

I've had some other problems with ES when IPv6 was enabled but not configured so you might want to edit the sysctl.conf:

```
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
```

And do `sysctl -p`.

mzhaase
  • 2
    Why are you recommending to disable IPv6 on the network interfaces? Some of us are in the 21st century and cannot do this. Whatever the problem is, there must be a real solution. – Michael Hampton Oct 27 '16 at 16:25
  • @MichaelHampton See: https://github.com/elastic/puppet-elasticsearch/issues/596 – mzhaase Oct 31 '16 at 11:41
  • Doesn't look like a problem with your network. That indicates that your local host was misconfigured. Leaving everything at its defaults instead of trying to forcibly remove IPv6 from the lo interface (which someone did to that system) would have been fine. I would expect other stuff to break if someone removed 127.0.0.1 from lo as well. – Michael Hampton Oct 31 '16 at 17:28
  • @MichaelHampton everything was left at the default, there simply was no SLAAC in the network. – mzhaase Nov 01 '16 at 07:24
-2

Try disabling the firewall that comes prepacked with CentOS

```bash
systemctl disable firewalld
systemctl stop firewalld
```

https://bytefreaks.net/gnulinux/how-to-startstop-or-enabledisable-firewalld-on-centos-7

I recommend a dedicated hardware firewall in front of the machine, I would NOT rely on a software firewall on the machine you are using. If an attacker is hitting the machine, it's already too late.

  • I mentioned that a firewall exists. I certainly DO NOT recommend disabling it. – Michael Hampton Oct 04 '18 at 19:11
  • OK, I've taken your credit out. – user1398287 Oct 04 '18 at 21:07
  • Dedicated hardware firewall is not an option for a cheap VPS server and besides, with [supply chain attacks](https://www.schneier.com/blog/archives/2018/10/another_bloombe.html) hitting the news, I'd put more trust in open source software than add another hardware firewall. Not to mention that hardware firewall can have security vulnerabilities. In any case, simply getting rid of a firewall is not a good choice. – miloske85 Oct 22 '18 at 19:03
  • I have a $5 VPS with upcloud, it comes with a dedicated firewall. They manage the firewall and all the security updates. – user1398287 Oct 23 '18 at 20:24