
Hi experts,

I am currently having problems connecting to certain ports on a Linux server. The server is a VPS my company has bought and my Linux knowledge is low. It's an Ubuntu 10.10 (Maverick) running with only a terminal. I have been able to install all the software I need; it's just the last bit of connecting all our applications to it which doesn't work. The application that needs to connect to it is a JBoss server application which needs ports 1098, 1099, 4444, 9000, 8080, 8090-8092, 3732-3764, 8005, 8009 and 5001 open, which I've tried to implement in the iptables on the server:
Attachment: iptables.txt (1 KB) - IPTABLES on the server.


The VPS hosting company says that there is no firewall in front of the server in the network, yet I am always getting "Connection refused." when I try to connect to it. What have I done wrong or what do I need to do?

Any help appreciated,
eX.

    asked 12/12/2011 09:46


    eXpired ♦♦


    24 Answers:
    Your iptables looks fine, but are you 100% sure the server is even listening on those ports?

    For instance, can you do on the server itself something like "telnet localhost 9000" and get a response?

    You can check if it's listening using netstat:

    xterm@foo> netstat -na | grep :9000
    tcp        0      0 0.0.0.0:9000              0.0.0.0:*               LISTEN
    answered

    xterm

    I just glanced at your iptables rules.

    There is no drop or reject statement in iptables, so anything will be able to come through, so it's not the firewall blocking the application.

    You can test this by opening all ports on the firewall like this:

    iptables -F

    I think you will see that it's not the firewall/iptables.


    Are you sure you started all the services? Just because you installed the application doesn't mean it's running.


    Also you can check what ports are listening on the machine with netstat command.

    netstat -an | grep -i listen

    That's a good starting point.

    answered 2011-12-12 at 17:54:30

    savone

    BTW, if this machine is public facing you might want to lock it down better.  
    answered 2011-12-12 at 17:56:11

    savone

    root@exxica:~# netstat -an | grep "LISTEN "
    tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
    tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN
    tcp6       0      0 :::8009                 :::*                    LISTEN
    tcp6       0      0 :::5001                 :::*                    LISTEN
    tcp6       0      0 :::1098                 :::*                    LISTEN
    tcp6       0      0 :::8080                 :::*                    LISTEN
    tcp6       0      0 :::9650                 :::*                    LISTEN
    tcp6       0      0 :::53                   :::*                    LISTEN
    tcp6       0      0 :::22                   :::*                    LISTEN
    tcp6       0      0 :::9655                 :::*                    LISTEN
    tcp6       0      0 ::1:953                 :::*                    LISTEN

    I'm guessing it's not listening to port 9000 as I'm not able to start the JBoss and specific application server because it gets a "Connection refused" error in JVM as well.

    "ps aux | less" gives:

    USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
    root         1  0.0  0.1  23324  1596 ?        Ss   Dec07   0:02 init
    root      1112  0.0  0.0  21084  1044 ?        Ss   Dec07   0:00 cron
    syslog    1163  0.0  0.0  12452   840 ?        Ss   Dec07   0:00 /sbin/syslogd -u syslog
    root      1453  0.0  0.1  69504  2428 ?        Ss   Dec07   0:02 sendmail: MTA: accepting connections
    bind      7335  0.0  1.1 181320 17320 ?        Ssl  Dec07   0:00 /usr/sbin/named -u bind
    www-data 11706  0.0  1.2 209480 20336 ?        S    Dec08   0:00 /usr/sbin/apache2 -k start
    www-data 11722  0.0  1.2 209480 20360 ?        S    Dec08   0:01 /usr/sbin/apache2 -k start
    www-data 11724  0.0  1.3 210504 21396 ?        S    Dec08   0:00 /usr/sbin/apache2 -k start
    www-data 11961  0.0  0.8 202312 13772 ?        S    Dec08   0:00 /usr/sbin/apache2 -k start
    root     14227  0.0  0.1  49268  2684 ?        Ss   Dec07   0:00 /usr/sbin/sshd -D
    root     15549  0.0  0.0  19528  1000 ?        Ss   Dec07   0:00 /usr/sbin/xinetd -pidfile /var/run/xinetd.pid -stayalive -inetd_compat -inetd_ipv6
    root     18005  0.0  0.0  25784  1544 ?        Ss   Dec07   0:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 108:112
    mysql    18291  0.0  1.7 255060 27752 ?        Ssl  Dec07   0:20 /usr/sbin/mysqld
    root     19936  0.0  0.6 196168  9908 ?        Ss   Dec07   0:02 /usr/sbin/apache2 -k start
    www-data 19940  0.0  1.7 217672 27456 ?        S    Dec07   0:01 /usr/sbin/apache2 -k start
    root     22521  0.0  0.2  71372  3464 ?        Rs   07:11   0:00 sshd: root@pts/0
    root     23556  0.0  0.1  17880  1964 pts/0    Ss   07:11   0:00 -bash
    root     23587  0.0  0.0  14980  1100 pts/0    R+   07:16   0:00 ps aux
    root     23588  0.0  0.0   8532   892 pts/0    S+   07:16   0:00 less

    savone> BTW, if this machine is public facing you might want to lock it down better.
    Priority is getting it on-line, then comes security. I might have to create another question on that as I have no clue on that matter either, but this first.
    answered 2011-12-12 at 17:56:52

    eXpired

    So your real issue is that JBoss isn't starting - what is the error, and do the logs show anything meaningful?  Likely it needs some environmental tweak or something to get it going.
    answered 2011-12-12 at 19:21:17

    xterm

    Sadly I did an "iptables -F" and it booted me from the server, and now I cannot log in with PuTTY any more; having to reset the server, I guess? The error was just simply that JVM could not connect and it got a STACK OVERFLOW error.

    answered 2011-12-12 at 19:31:51

    eXpired

    The command "iptables -F" flushes the firewall entirely - technically it should be impossible for that to lock you out.  Can you still ping the server?

    At any rate, I guess get that all squared away and then please paste the verbatim error and perhaps we can help you get that going.

    answered 2011-12-12 at 19:40:55

    xterm

    Not able to ping the server. All packets lost. Have re-installed the server but will take me some time to get all back to where it was. Will post the error when it resurfaces.
    answered 2011-12-12 at 19:45:55

    eXpired


    If you did iptables -F and got locked out, then the default policy on the firewall input rules (and probably even for the output) is DROP.

    So you have to do this:

    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -F
    iptables -X

    do a netstat -tan command and send it here
    answered 2011-12-12 at 19:52:53

    shukalo83
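A defender-side check for the lockout the two answers above are discussing (savone's suggestion to run iptables -F and shukalo83's point about default policies). This is an added example, not code from the thread: it reads a ruleset in the format `iptables -S` prints, reports each built-in chain's default policy, counts explicit DROP/REJECT rules, and only declares a flush safe when every policy is ACCEPT, otherwise printing the policy-first command order. The ruleset embedded in it is constructed for illustration and is not the one attached to the question. Two facts it encodes: a flush removes rules but leaves the chain policy in place, so a DROP policy is what locks you out of SSH; and a REJECT rule that answers with ICMP port-unreachable shows up on a Linux client as the same "Connection refused" a closed port gives, so that message alone does not tell the two apart.

```shell
#!/bin/sh
# Added example (not from the thread): before running "iptables -F" on a remote
# box, read the default chain policies from "iptables -S" output. Flushing
# removes the ACCEPT rules but keeps the policy, so a DROP policy on INPUT is
# what locks you out. The ruleset below is constructed (hypothetical), not the
# one attached to the question.
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable'

# chain_policy RULES CHAIN -> prints the default policy (ACCEPT/DROP/...) of CHAIN
chain_policy() {
    printf '%s\n' "$1" | awk -v chain="$2" '$1 == "-P" && $2 == chain { print $3; exit }'
}

# blocking_rule_count RULES -> number of explicit "-j DROP" / "-j REJECT" rules.
# A REJECT with icmp-port-unreachable looks like "Connection refused" to a client.
blocking_rule_count() {
    printf '%s\n' "$1" | awk '$1 == "-A" && $0 ~ /-j (DROP|REJECT)/ { n++ } END { print n + 0 }'
}

# flush_is_safe RULES -> returns 0 when "iptables -F" cannot lock you out
# (every built-in chain's policy is already ACCEPT), 1 otherwise
flush_is_safe() {
    for chain in INPUT FORWARD OUTPUT; do
        [ "$(chain_policy "$1" "$chain")" = "ACCEPT" ] || return 1
    done
    return 0
}

# lockout_safe_flush_cmds -> prints the command sequence that flushes without
# locking you out: policies go to ACCEPT *before* the flush, and user chains
# are deleted (-X) only after they have been emptied by -F.
lockout_safe_flush_cmds() {
    for chain in INPUT FORWARD OUTPUT; do
        printf 'iptables -P %s ACCEPT\n' "$chain"
    done
    printf 'iptables -F\niptables -X\n'
}

if flush_is_safe "$SAMPLE_RULES"; then
    echo "all policies ACCEPT: iptables -F is safe"
else
    echo "INPUT policy is $(chain_policy "$SAMPLE_RULES" INPUT): run these in this order instead"
    lockout_safe_flush_cmds
fi
echo "explicit DROP/REJECT rules: $(blocking_rule_count "$SAMPLE_RULES")"
```

On a live box you would feed `iptables -S` into the same functions (`RULES=$(iptables -S)`) rather than the constructed sample; the point of the ordering is that the ACCEPT policies are in place before any rule that currently admits your SSH session disappears.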

    All his policies are set to ACCEPT; check the txt file he attached in the original post.

    answered 2011-12-13 at 00:05:25

    savone

    @savone. Sorry. You are right. Just proceed with netstat -tan command.
    answered 2011-12-13 at 03:17:35

    shukalo83

    Hi again, this is the error message I receive from JVM:
    Overall status: Unable to start Aware IM server
    Aware IM was unable to create or locate the databases it requires.
     Error message returned by the database is:
    Unable to create database BASDB Communications link failure due to underlying exception:
    
    ** BEGIN NESTED EXCEPTION **
    
    java.net.SocketException
    MESSAGE: java.net.ConnectException: Connection refused
    
    STACKTRACE:
    
    java.net.SocketException: java.net.ConnectException: Connection refused
            at com.mysql.jdbc.StandardSocketFactory.connect(StandardSocketFactory.java:156)
            at com.mysql.jdbc.MysqlIO.<init>(MysqlIO.java:284)
            at com.mysql.jdbc.Connection.createNewIO(Connection.java:2555)
            at com.mysql.jdbc.Connection.<init>(Connection.java:1485)
            at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:266)
            at java.sql.DriverManager.getConnection(DriverManager.java:582)
            at java.sql.DriverManager.getConnection(DriverManager.java:207)
            at com.bas.basserver.persistence.dbplugins.MySQLInterface.createDatabase(Unknown Source)
            at com.bas.basserver.persistence.DatabaseEnvironment.createDatabase(Unknown Source)
            at com.bas.basserver.persistence.PersistenceManager$_A.C(Unknown Source)
            at com.bas.basserver.persistence.PersistenceManager.initialise(Unknown Source)
            at com.bas.basserver.bsmanager.F.A(Unknown Source)
            at com.bas.basserver.bsmanager.O.B(Unknown Source)
            at com.bas.basserver.bsmanager.J$_C.run(Unknown Source)
            at java.lang.Thread.run(Thread.java:662)
    
    
    ** END NESTED EXCEPTION **


    and "netstat -tan" gives:
     
    root@exxica:/AwareIM/bin# netstat -tan
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
    tcp        0      0 84.234.221.41:53        0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
    tcp        0      0 84.234.221.41:22        80.202.134.185:51314    ESTABLISHED
    tcp        0    232 84.234.221.41:22        80.202.134.185:51121    ESTABLISHED
    tcp6       0      0 :::53                   :::*                    LISTEN
    tcp6       0      0 :::22                   :::*                    LISTEN
    tcp6       0      0 ::1:953                 :::*                    LISTEN
    tcp6       0      0 127.0.0.1:54539         127.0.0.1:8080          TIME_WAIT
    answered 2011-12-13 at 05:04:32

    eXpired

    It worked when I used "localhost" in the BASServer.props - but it doesn't work when I use the server's IP address - which led me to believe that some ports were blocked.

    answered 2011-12-13 at 10:27:04

    eXpired

    Your original firewall pasted showed only permit lines, but no denies, so you have an explicit accept-all firewall, and nothing is being blocked.  It's just going to be a matter of getting the processes to fire up and be listening on all the ports.

    answered 2011-12-13 at 10:28:29

    xterm

    Yes, I haven't configured the iptables as of yet.

    The processes can't fire up because their connection is being refused though. So I'm quite stumped here.
    answered 2011-12-13 at 10:31:12

    eXpired

    This isn't any kind of firewall issue though - check out this link:

    http://www.java-samples.com/showtutorial.php?tutorialid=209
    answered 2011-12-13 at 10:54:00

    xterm

    The blog post you're linking to says that I have to delete a file called "org-netbeans-modules-web-httpmonitor.jar" in the "Tomcat/common/lib" folder. But it's not there, all there is is:
    root@exxica:/AwareIM/Tomcat/common/lib# ls
    commons-el.jar           jasper-compiler.jar  jsp-api.jar              naming-factory.jar    servlet-api.jar
    jasper-compiler-jdt.jar  jasper-runtime.jar   naming-factory-dbcp.jar  naming-resources.jar


    And the "HTTPMonitorFilter" block is not in the "Tomcat/conf/web.xml" at all.
    answered 2011-12-13 at 10:57:26

    eXpired

    Oh well, it was a long shot - I'm not really familiar with your application itself, but jumped on board because the question was posted in the context of Linux networking/firewalls which is my area of expertise.

    You might want to add some tags to the question like java, JBoss, tomcat, etc. to see if you can pull in some additional subject matter experts.  At this time, I can say with 100% certainty that no firewall is preventing you from doing this.  I have one last idea relating to this, and then I declare it an application issue.

    What is the output of this command on your system?
    answered 2011-12-13 at 11:23:41

    xterm

    -bash: /usr/sbin/getenforce: No such file or directory
    answered 2011-12-13 at 11:30:30

    eXpired

    Okay, then it's not SELinux messing with you (I was pretty sure that wasn't a default on Ubuntu anyway, but it was worth a look).

    Like I say, try putting this question into a more appropriate category (or re-asking it in a new one with a new title) and perhaps you will have some greater response.
    answered 2011-12-13 at 11:33:08

    xterm

    To shut SELinux off the command is:

    setenforce 0

    Not getenforce. Replace the g with an s.

    Also some applications need to be told to listen on specific IP addresses. This would explain why it works on localhost and not via IP.

    Check the config file for listen statements.
    answered 2011-12-13 at 11:40:07

    savone
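An added example, not code from the thread, for the netstat check xterm suggested in the first answer and the bind-address point savone makes just above: it reads `netstat -tan` output and classifies a port as listening on all addresses, on loopback only, on one specific address, or not at all, then turns that into a one-line reading of a "Connection refused". The netstat text embedded below is constructed (documentation-range addresses, not the server in the thread), but its 127.0.0.1:3306 line mirrors what the earlier paste showed for mysqld, and the stack trace in the thread is a MySQL JDBC connect failure, so a loopback-only bind is the pattern to look for when a service answers via localhost but is refused via the server's IP.

```shell
#!/bin/sh
# Added example (not from the thread): classify how a TCP port is bound from
# "netstat -tan" output, to tell "nothing listening", "loopback only" and
# "every address" apart. A loopback-only bind answers on localhost but refuses
# the same connection made to the host's public IP, with no firewall involved.
# The sample is constructed; 203.0.113.10 / 198.51.100.7 are documentation
# addresses, not real hosts.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:53         0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:22         198.51.100.7:51314      ESTABLISHED
tcp6       0      0 :::8080                 :::*                    LISTEN
tcp6       0      0 ::1:953                 :::*                    LISTEN'

# listen_scope NETSTAT PORT -> prints one word describing the bind:
#   any       bound to 0.0.0.0 or :: (reachable on every interface)
#   loopback  bound only to 127.0.0.1 / ::1 (reachable from the box itself)
#   specific  bound to one particular address
#   none      no socket in LISTEN state on that port
listen_scope() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $NF != "LISTEN" { next }               # only listening sockets matter
        {
            addr = $4
            if (addr !~ (":" port "$")) next    # the port sits after the last colon
            sub(/:[0-9]+$/, "", addr)           # strip ":port" -> bare address
            if (addr == "0.0.0.0" || addr == "::") {
                seen["any"] = 1
            } else if (addr == "127.0.0.1" || addr == "::1") {
                seen["loopback"] = 1
            } else {
                seen["specific"] = 1
            }
        }
        END {
            if ("any" in seen) print "any"
            else if ("specific" in seen) print "specific"
            else if ("loopback" in seen) print "loopback"
            else print "none"
        }'
}

# explain_refused NETSTAT PORT -> one-line diagnosis for a "Connection refused"
# seen when connecting to PORT on this host's non-loopback address
explain_refused() {
    case "$(listen_scope "$1" "$2")" in
        none)     echo "port $2: nothing is listening; start the service (not a firewall symptom)" ;;
        loopback) echo "port $2: bound to loopback only; works via localhost, refused via the public IP (check the service's bind/listen setting)" ;;
        specific) echo "port $2: bound to one address; connect to that address or widen the bind" ;;
        any)      echo "port $2: listening on all addresses; look at REJECT rules or the client side" ;;
    esac
}

for p in 3306 22 8080 9000; do explain_refused "$SAMPLE_NETSTAT" "$p"; done
```

On the real server the same functions take `"$(netstat -tan)"` as their first argument. The "any" case is the one where a firewall REJECT rule becomes a plausible explanation; the other three are reproduced with the firewall flushed entirely.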

    Figured out what the problem was - apparently the application was not meant to run over WAN, only LAN.

    Will have to work concurrently on separate computers and then upload the changes to the server.

    Thanks for help, will award the points to the two of you.
    answered 2011-12-13 at 13:45:18

    eXpired

    Not solved. Worked around.

    Points awarded.
    answered 2011-12-13 at 13:55:10

    eXpired

    @savone:
    The getenforce command tells you the current state (Enforcing, Permissive, Disabled). Had the author discovered that it was enabled, I would've informed him of how to shut it off using setenforce; however, as I suspected, it is not enabled by default on Ubuntu.

    answered 2011-12-13 at 13:57:26

    xterm


    Asked: 12/12/2011 09:46

    Seen: 315 times

    Last updated: 12/13/2011 05:57