I'm running Tomcat 8 on CentOS 7 in a Google VM instance on port 8080.
I set up the iptables rule to map all external connections to port 80 to 8080:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
After that I save the rule with
service iptables save
Tomcat works fine and is accessible from outside via port 80.
The rule is saved in /etc/sysconfig/iptables.
...
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
...
but after server reboot the rule is not applied.
It's still in the file /etc/sysconfig/iptables but not in action when I run
iptables-save
It seems that iptables rules are restored from somewhere else.
How can I persist the rule properly to preserve it after reboot?
In order to resolve the issue with IPtables you can do the following:
yum install iptables-services
systemctl mask firewalld
systemctl enable iptables
systemctl enable ip6tables
systemctl stop firewalld
systemctl start iptables
systemctl start ip6tables
However, CentOS 7 is using FirewallD now instead. In order to apply the firewall, you need to check first what the available zones are and which zones are active in FirewallD by running these commands:
firewall-cmd --list-all-zones
firewall-cmd --get-active-zones
If the public zone is active, for example, you can run these commands to enable port forwarding (port 80 to 8080 in your case):
firewall-cmd --zone=public --add-masquerade --permanent
firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080 --permanent
Once done, you can reload the rules to make sure everything is OK by running this command:
firewall-cmd --reload
You can check man firewall-cmd for more information.
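The saved line in /etc/sysconfig/iptables is ignored on a default CentOS 7 boot because firewalld, not the iptables service, restores the ruleset. The following shell snippet is an added example (not from the question or the answers above): it reports which service owns the firewall and converts the saved REDIRECT line into the equivalent permanent firewalld forward-port. The zone name is an assumption; use the one `firewall-cmd --get-active-zones` reports.

```shell
#!/bin/sh
# Added example, not part of the original question or answers.

# Report which service loads the firewall at boot. On a stock CentOS 7 this
# is firewalld, which is why a rule saved for the iptables service vanishes.
firewall_owner() {
    if systemctl is-active --quiet firewalld 2>/dev/null; then echo firewalld
    elif systemctl is-active --quiet iptables 2>/dev/null; then echo iptables
    else echo none
    fi
}

# Print the firewall-cmd equivalent of one saved REDIRECT rule, or return 1
# for any rule that is not a plain single-port tcp/udp REDIRECT.
redirect_to_firewalld() {   # redirect_to_firewalld RULE [ZONE]
    rule=$1; zone=${2:-public}
    case $rule in
        *"-j REDIRECT"*) ;;
        *) return 1 ;;
    esac
    proto=$(printf '%s\n' "$rule" | sed -n 's/.*-p \([a-z]*\).*/\1/p')
    dport=$(printf '%s\n' "$rule" | sed -n 's/.*--dport \([0-9]*\).*/\1/p')
    # accept both the --to-port spelling typed on the command line and the
    # --to-ports spelling iptables-save writes to the file
    toport=$(printf '%s\n' "$rule" | sed -n 's/.*--to-ports\{0,1\} \([0-9]*\).*/\1/p')
    [ -n "$proto" ] && [ -n "$dport" ] && [ -n "$toport" ] || return 1
    # Redirecting to a local port needs no --add-masquerade; masquerading is
    # only required when toaddr= points at another host, and enabling it
    # turns the whole zone into a NAT router, which is more than this needs.
    printf 'firewall-cmd --permanent --zone=%s --add-forward-port=port=%s:proto=%s:toport=%s\n' \
        "$zone" "$dport" "$proto" "$toport"
}

# Constructed sample: the line quoted from /etc/sysconfig/iptables in the question.
SAVED_RULE='-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080'
echo "boot-time firewall: $(firewall_owner)"
redirect_to_firewalld "$SAVED_RULE"
echo 'firewall-cmd --reload   # then verify: firewall-cmd --zone=public --list-forward-ports'
```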
I created an OCI instance and got a public IP. I configured the web server with the allowed port numbers, but I am not able to access the web server with the IP. When I check with PuTTY I am able to log in, and when I check with ifconfig I don't find any public IP.
You need to allow traffic through the firewall. Install "firewall-cmd", then:
Run the following command to allow traffic on port 80:
sudo firewall-cmd --permanent --zone=public --add-service=http
Run the following command to allow traffic on port 443:
sudo firewall-cmd --permanent --zone=public --add-service=https
Run the following command to save the firewalld rules:
sudo firewall-cmd --reload
On a fresh install of RHEL7.4:
# install the oc client and docker
[root@openshift1 ~]# yum install atomic-openshift-clients.x86_64 docker
# configure and start docker
# (quoting fixed: the nested single quotes in the original dropped the quotes
#  around the subnet, leaving an invalid registries = [172.30.0.0/16] line)
[root@openshift1 ~]# sed -i "/^\[registries.insecure\]/!b;n;cregistries = ['172.30.0.0/16']" /etc/containers/registries.conf
[root@openshift1 ~]# systemctl start docker; systemctl enable docker
# these links recommend running 'iptables -F' as a workaround for pod DNS issues
# https://github.com/openshift/origin/issues/12110
# https://github.com/openshift/origin/issues/10139
[root@openshift1 ~]# iptables -F; iptables -F -t nat
[root@openshift1 ~]# oc cluster up --public-hostname 192.168.146.200
Attempting a test apache build gives me this error:
Cloning "https://github.com/openshift/httpd-ex.git " ...
WARNING: timed out waiting for git server, will wait 1m4s
error: fatal: unable to access 'https://github.com/openshift/httpd-ex.git/': Could not resolve host: github.com; Unknown error
A DNS server is present:
[root@openshift1 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.146.2
I can confirm that the host machine can resolve names:
[root@openshift1 ~]# host github.com
github.com has address 192.30.255.113
github.com has address 192.30.255.112
However, this DNS server didn't make its way down to the pods:
[root@openshift1 ~]# oc get pods
NAME READY STATUS RESTARTS AGE
docker-registry-1-rqm9h 1/1 Running 0 38s
persistent-volume-setup-fdbv5 1/1 Running 0 50s
router-1-m6z8w 1/1 Running 0 31s
[root@openshift1 ~]# oc rsh docker-registry-1-rqm9h
sh-4.2$ cat /etc/resolv.conf
nameserver 172.30.0.1
search default.svc.cluster.local svc.cluster.local cluster.local
options ndots:5
Is there anything I am missing?
You should not flush the rules, rather you should create a new zone and open additional ports, e.g.:
firewall-cmd --permanent --new-zone dockerc
firewall-cmd --permanent --zone dockerc --add-source $(docker network inspect -f "{{range .IPAM.Config }}{{ .Subnet }}{{end}}" bridge)
firewall-cmd --permanent --zone dockerc --add-port 8443/tcp --add-port 53/udp --add-port 8053/udp
firewall-cmd --reload
Source:
https://github.com/openshift/origin/blob/release-3.7/docs/cluster_up_down.md#linux
EDIT:
Also the DNS server in your /etc/resolv.conf should be routable from your OCP instance.
Source: kubernetes skydns failure to forward request
I'm trying to open TCP and UDP port 7774 on a Google Cloud VM instance, without results.
I'm sure that my server is using this network. For example, the SSH port is open; the RDP port should also be open, but I can't communicate with the server on this port. The same situation applies to port 7774: I have to set up something which needs this port to communicate, but I don't know how.
I also added rules to iptables:
iptables -A INPUT -p tcp -d 0/0 -s 0/0 --dport 7774 -j ACCEPT
iptables -A INPUT -p udp -d 0/0 -s 0/0 --dport 7774 -j ACCEPT
Without any results.
Recently I've managed to block all unused ports on my dedicated server (Linux CentOS latest 64-bit), but whenever I do so, sites that connect to my database simply cannot connect.
iptables -A INPUT -i lo -p tcp --dport 3306 -j ACCEPT
iptables -A OUTPUT -o lo -p tcp --sport 3306 -j ACCEPT
I believe it has something to do with the OUTPUT port, but I am not sure.
Thanks.
If you want to allow remote incoming mysql connections you will need to define an INPUT rule that is not isolated to your local interface:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
In Centos this will be defined in the /etc/sysconfig/iptables file. Then restart:
sudo service iptables restart
Alternatively, from the command line, you can use:
sudo system-config-firewall-tui
To configure your firewall, it is in the package of the same name:
sudo yum install system-config-firewall-tui -y
How to configure two different ports for MySQL on the same machine? I know that the default port is 3306. But I also want to configure 3307 and 3308. Is it possible?
One bonus question with the current one ;)
Can we assign different ports to different databases, and also assign/create credentials for each?
You can use the --port=port_num option. Have a look here for more information on how to configure multiple mysql instances.
You can launch several instances of mysql:
mysqld_safe --defaults-file=/path/to/my.cnf1
mysqld_safe --defaults-file=/path/to/my.cnf2
mysqld_safe --defaults-file=/path/to/my.cnf3
and change the port parameter in the [mysqld] section of each my.cnf.
If you want to have only one mysqld process/database you can use port redirection (with Linux):
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3307 -j REDIRECT --to-port 3306
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3308 -j REDIRECT --to-port 3306
You can copy /etc/mysql/my.cnf, change the port in it and change the paths to the data dirs as well, because I'm pretty sure you can't have more than one instance of mysql serving from the same directories.
Check http://dev.mysql.com/doc/refman/5.1/en/multiple-servers.html.
e.g.:
cp /etc/mysql/my.cnf /etc/mysql/my-3307.cnf
//edit my-3307.cnf, for example
port = 3307
basedir = /var/lib/mysql-3307
datadir = /var/lib/mysql-3307
//end-edit
mysql_upgrade --defaults-file=/etc/mysql/my-3307.cnf #checks the syntax and creates the dirs you need.
#start mysqld
mysqld --defaults-file=/etc/mysql/my-3307.cnf
mysqld_multi is by far the best way to handle different instances of mysql.
Some more useful tips:
mysqld_multi --example
Check if AppArmor isn't keeping mysql from accessing /var/lib/mysql2 if you get weird permission errors.
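The copy-and-edit recipe above changes only port, basedir and datadir, but a second mysqld also needs its own socket, pid-file and error log or it collides with the default instance. The following shell snippet is an added example (not from the answers above): it writes a config for an extra instance and checks two configs for shared per-instance resources. All paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original answers.

# Print the value of KEY inside the [mysqld] section of FILE ("k = v" or "k=v").
cnf_get() {   # cnf_get FILE KEY
    awk -v key="$2" '
        /^\[/ { in_mysqld = ($0 == "[mysqld]"); next }
        in_mysqld && $0 ~ ("^[ \t]*" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# Write a config for the instance on PORT; every per-instance resource gets a
# port-derived path under ROOTDIR (default /var/lib/mysql-PORT, an assumption).
write_instance_cnf() {   # write_instance_cnf PORT FILE [ROOTDIR]
    port=$1; file=$2; root=${3:-/var/lib/mysql-$port}
    cat > "$file" <<EOF
[mysqld]
port = $port
datadir = $root/data
socket = $root/mysql.sock
pid-file = $root/mysqld.pid
log-error = $root/mysqld.log
EOF
}

# Print every per-instance key two configs share; return 1 if any collide,
# since two mysqld processes cannot share a port, datadir, socket or pid-file.
cnf_conflicts() {   # cnf_conflicts FILE1 FILE2
    rc=0
    for key in port datadir socket pid-file log-error; do
        a=$(cnf_get "$1" "$key"); b=$(cnf_get "$2" "$key")
        if [ -n "$a" ] && [ "$a" = "$b" ]; then
            echo "conflict: $key = $a"; rc=1
        fi
    done
    return $rc
}

# Constructed demo in a scratch dir: a default-style my.cnf next to a 3307 one.
demo=$(mktemp -d)
printf '[mysqld]\nport = 3306\ndatadir = /var/lib/mysql\nsocket = /var/lib/mysql/mysql.sock\n' > "$demo/my.cnf"
write_instance_cnf 3307 "$demo/my-3307.cnf"
cnf_conflicts "$demo/my.cnf" "$demo/my-3307.cnf" && echo "my-3307.cnf is safe to start beside my.cnf"
```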
I'm using CentOS.
It is simple:
Edit the file /etc/my.cnf; search for and change, or add, the line port=port_number.
semanage port -a -t mysqld_port_t -p tcp port_number
Restart the MySQL server: service mysqld restart