We use proprietary and third party´s cookies to improve your experience and our services, identifying your Internet Browsing preferences on our website; develop analytic activities and display advertising based on your preferences. If you keep browsing, you accept its use. You can get more information on our Cookie Policy
Cookies Policy
Ask Your Question
1

Cloud security groups not working with CentOS

asked 2016-02-18 01:57:23 +0200

jcarmaker gravatar image

I've created a CentOS Virtual Host and I've opened the port 5050 in my security groups, however I can't access that port in my Virtual Host.

I've tested the same thing with Ubuntu and there was no problem with it.

It is very easy to reproduce.

  1. You create a new security group and you add a rule to open port 5050 from 0.0.0.0/0
  2. Deploy a new CentOS instance. When it is up you can run a netcat process listening in that port.

nc -l 5050

  1. From any remote host, you try to telnet that host

telnet $MYHOSTIP 5050

It wont work. However if you do the same steps using Ubuntu instead of CentOS it will work without any problem

Any help would be appreciated.

edit retag flag offensive close merge delete

1 answer

Sort by » oldest newest most voted
2

answered 2016-02-18 03:11:09 +0200

jicg gravatar image

This question has a lot to do with CentOS default and CentOS administration rather than with the cloud itself.

By default, CentOS has its own firewall (its own iptables configurations) which is more restrictive than the values you set in the security rules configurations. This means that CentOS will reject access to port 5050 even though you activate it in the rules of your security groups.

This is so because it is CentOS philosophy and it is respected in Fiware's Cloud.

What to do? One of these things: a). You could disable your CentOS firewall and relay on your Security Groups' rules:

service iptables stop
chkconfig iptables off ### To keep configurations upon reboots.

b). You could enable the rule in your iptables. This is the way IP tables is configured by default:

# iptables -S 
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited 

These rules are processed sequentially, so you can't append a rule (iptables -A) because the rule will appended and proccessed after it the REJECT. The way is inserting the rule:

iptables -I INPUT 4 -p tcp -m state --state NEW -m tcp --dport 5050 -j ACCEPT

This way, the rule will be inserted just before:

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 

And the rule will be processed before any reject and the port will be accesible. However, we need to update the iptables rules to be persistent upon reboots:

cp /etc/sysconfig/iptables /etc/sysconfig/iptables.old
iptables-save > /etc/sysconfig/iptables

edit flag offensive delete link more
Login/Signup to Answer

Question Tools

1 follower

Stats

Asked: 2016-02-18 01:57:23 +0200

Seen: 3,428 times

Last updated: Feb 18 '16