Node-RED on Debian 9 server cannot connect to MQTT brokers

0

My Node-RED flow:

[{"id":"6c5780e.7e86f","type":"mqtt in","z":"fa8ef0ce.69a348","name":"","topic":"bs/esp8266/ldr","qos":"2","datatype":"auto","broker":"11952de3.32d7b2","x":320,"y":420,"wires":[["e5ac261a.a24058"]]},{"id":"11952de3.32d7b2","type":"mqtt-broker","z":"","name":"","broker":"localhost","port":"1883","clientid":"","usetls":false,"compatmode":true,"keepalive":"60","cleansession":true,"birthTopic":"","birthQos":"0","birthPayload":"","closeTopic":"","closeQos":"0","closePayload":"","willTopic":"","willQos":"0","willPayload":""}]

I have one MQTT node connected on localhost (local mosquitto server) and 4 nodes connected to HiveMQ broker. None of them can connect.

My iptables rules:

Chain INPUT (policy DROP 243 packets, 11542 bytes)
 pkts bytes target     prot opt in     out     source               destination
   34  1700 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:1883
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:1883
  735 80016 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:1880
  771 55433 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:3000

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 156 packets, 11397 bytes)
 pkts bytes target     prot opt in     out     source               destination
   34  1700 ACCEPT     all  --  any    lo      anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp spt:1883
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp spt:1883
 1175 2794K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp spt:1880
 2369 6542K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp spt:3000

I can connect to my mosquitto server from another machine (a Windows machine with Node-RED installed), even using MQTTS and a certificate.

I was thinking maybe the problem relies on my iptables rules, but I'm not sure, and I'm a beginner in this topic. Thank you in advance.

EDIT: I could connect from my Windows machine to the broker before modifying my iptables rules. With the new ones (the ones I pasted here at first) it doesn't connect. I only used these rules before, when it still worked: 

sudo iptables -A INPUT -p tcp --dport 1883--jump ACCEPT
sudo iptables -A INPUT -p tcp --dport 8883--jump ACCEPT

Biel

Posted 2019-04-10T16:23:33.653

Reputation: 3

Answers

0

I did have a problem with my iptables rules. I changed them following the next script (change your ssh port if needed, and add the rules you want):

#!/bin/bash

IPTABLES=/sbin/iptables

echo " * flushing old rules"
${IPTABLES} --flush
${IPTABLES} --delete-chain
${IPTABLES} --table nat --flush
${IPTABLES} --table nat --delete-chain

echo " * setting default policies"
${IPTABLES} -P INPUT DROP
${IPTABLES} -P FORWARD DROP
${IPTABLES} -P OUTPUT ACCEPT

echo " * allowing loopback devices"
${IPTABLES} -A INPUT -i lo -j ACCEPT
${IPTABLES} -A OUTPUT -o lo -j ACCEPT

${IPTABLES} -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

## BLOCK ABUSING IPs HERE ##
#echo " * BLACKLIST"
#${IPTABLES} -A INPUT -s _ABUSIVE_IP_ -j DROP
#${IPTABLES} -A INPUT -s _ABUSIVE_IP2_ -j DROP

echo " * allowing ssh on port 22"
${IPTABLES} -A INPUT -p tcp --dport 34254  -m state --state NEW -j ACCEPT

echo " * allowing ftp on port 21"
${IPTABLES} -A INPUT -p tcp --dport 21  -m state --state NEW -j ACCEPT

echo " * allowing dns on port 53 udp"
${IPTABLES} -A INPUT -p udp -m udp --dport 53 -j ACCEPT

echo " * allowing dns on port 53 tcp"
${IPTABLES} -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT

echo " * allowing http on port 80"
${IPTABLES} -A INPUT -p tcp --dport 80  -m state --state NEW -j ACCEPT

echo " * allowing https on port 443"
${IPTABLES} -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

echo " * allowing smtp on port 25"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT

echo " * allowing submission on port 587"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT

echo " * allowing imaps on port 993"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT

echo " * allowing pop3s on port 995"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT

echo " * allowing imap on port 143"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT

echo " * allowing pop3 on port 110"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT

echo " * allowing mosquitto on ports 1883 and 8883"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 1883 -j ACCEPT
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 8883 -j ACCEPT

echo " * allowing grafana on port 3000"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 3000 -j ACCEPT

echo " * allowing node-red on port 1880"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 1880 -j ACCEPT

echo " * allowing ping responses"
${IPTABLES} -A INPUT -p ICMP --icmp-type 8 -j ACCEPT

# DROP everything else and Log it
${IPTABLES} -A INPUT -j LOG
${IPTABLES} -A INPUT -j DROP

#
# Save settings
#
echo " * SAVING RULES"

if [[ -d /etc/network/if-pre-up.d ]]; then
    if [[ ! -f /etc/network/if-pre-up.d/iptables ]]; then
        echo -e "#!/bin/bash" > /etc/network/if-pre-up.d/iptables
        echo -e "test -e /etc/iptables.rules && iptables-restore -c /etc/iptables.rules" >> /etc/network/if-pre-up.d/iptables
        chmod +x /etc/network/if-pre-up.d/iptables
    fi
fi

iptables-save > /etc/fwall.rules
iptables-restore -c /etc/fwall.rules

I still cannot connect to my own mosquitto broker from my debian server right now, but it might be a credentials issue. I got this script from here.

Biel

Posted 2019-04-10T16:23:33.653

Reputation: 3

Asked: 2019-04-10T16:23:33.653

Viewed: 88 times

Active: 2019-04-11T21:09:47.883