Details
- Type: extRequest
- Status: Closed
- Priority: Major
- Resolution: Done
- Fix Version/s: 2021
- Component/s: FIWARE-LAB-HELP
- Labels: None
- HD-Node: Spain
Description
Dear all,
We have defined a Centos based image on the Fiware cloud platform and created some security rules for our integration tests.
Please see below, all the ports seem working except 5050 and we need this for our Cygnus installation.
We can't telnet to this specific port.
Could you please help us with this problem?
Thanks, regards
Omer Ozdemir
Atos Research & Innovation
This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Atos group liability cannot be triggered for the message content. Although the sender endeavors to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.
Since January 1st, old domains won't be supported and messages sent to any domain different to @lists.fiware.org will be lost.
Please, send your messages using the new domain (Fiware-tech-help@lists.fiware.org) instead of the old one.
_______________________________________________
Fiware-tech-help mailing list
Fiware-tech-help@lists.fiware.org
https://lists.fiware.org/listinfo/fiware-tech-help
Activity
Hello Jose,
I've used the command below to enable port 5050, but I'm not sure if I'm doing the correct thing; any help would be appreciated.
sudo iptables -A INPUT -p tcp -m tcp --dport 5050 -j ACCEPT
sudo iptables save
reboot vm
telnet VM_IP 5050
gives a connection timeout.
Dear Jose Ignacio,
We inserted the rule with the same "iptables -I FORWARD xxxx" option, but it still does not seem to work. Would you have any other suggestions?
Or is there perhaps a problem with the interpretation of these security rules at the cloud portal?
Thanks again..
Hello Jose,
Here please check out our iptables taken from our centos image:
[root@demo-instance centos]# more /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Tue Feb 9 13:30:32 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:448]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5050 -j ACCEPT
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Are we doing something wrong here?
Thanks kr
Omer
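The saved chain above is evaluated top to bottom, so whether a `--dport 5050` rule ever fires depends on where it sits relative to the stock CentOS `REJECT` line (which is why `iptables -I` and `iptables -A` behave differently). The following is an added example, not code from the ticket or from FIWARE: it replays that evaluation over a constructed copy of the posted chain and over a stock chain with the `REJECT` rule live. The `eth0` interface name and the "fresh inbound SYN" packet model are assumptions.

```python
import shlex

# Constructed sample: the INPUT chain from the posted /etc/sysconfig/iptables,
# with the REJECT line commented out exactly as it was in the ticket.
TICKET_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5050 -j ACCEPT
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
PORT_RULE = "-A INPUT -p tcp -m state --state NEW -m tcp --dport 5050 -j ACCEPT"
# Constructed sample: the stock CentOS chain (SSH only, final REJECT live).
STOCK_SAVE = (TICKET_SAVE.replace("#-A INPUT -j REJECT", "-A INPUT -j REJECT")
                         .replace(PORT_RULE + "\n", ""))

def _opt(tokens, flag):
    """Value following `flag` in a rule's token list, or None if absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def verdict(saved, dport, iface="eth0"):
    """Walk the INPUT chain in file order for a new inbound TCP SYN to `dport`
    arriving on `iface`; return the first terminal target, else the policy.
    Commented lines are skipped, as iptables-restore ignores them too."""
    policy = "ACCEPT"
    for line in saved.splitlines():
        t = shlex.split(line)
        if t[:1] == [":INPUT"]:
            policy = t[1]
        if t[:2] != ["-A", "INPUT"]:
            continue
        if _opt(t, "-p") not in (None, "tcp"):          continue
        if _opt(t, "-i") not in (None, iface):          continue
        if _opt(t, "--dport") not in (None, str(dport)): continue
        states = _opt(t, "--state")
        if states is not None and "NEW" not in states.split(","):
            continue
        if _opt(t, "-j") in ("ACCEPT", "DROP", "REJECT"):
            return _opt(t, "-j")
    return policy

def add_rule(saved, rule, insert):
    """Simulate `iptables -I INPUT` (insert=True: rule goes first) versus
    `iptables -A INPUT` (append: rule lands after the existing REJECT)."""
    lines = saved.splitlines()
    idx = [i for i, l in enumerate(lines) if l.startswith("-A INPUT")]
    lines.insert(idx[0] if insert else idx[-1] + 1, rule)
    return "\n".join(lines) + "\n"
```

With the posted chain port 5050 is accepted; on a stock chain the same rule added with `-A` never matches because `REJECT` is hit first, while `-I` puts it ahead of the `REJECT`.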
Please tell me what your VM is: its ID or its IP. I'd also like you to
send me the output of "iptables -S" or "iptables -L".
Thank you.
Regards,
José Ignacio.
________________________________
The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.
Hello Jose,
Please find the details:
vm ip: 130.206.115.215
[root@demo-instance centos]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:mmcc
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@demo-instance centos]# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5050 -j ACCEPT
Thanks kr
Omer
The port seems to be open and nothing seems to be listening on port
5050.
Regards,
José Ignacio.
Hello Jose,
When I run [root@demo-instance centos]# nmap -sT -O localhost
on the image, I can't see port 5050 in the list, and when you telnet to this port it can't establish a connection.
I have restarted the Cygnus service, which listens on 5050, and I can't see this port anywhere.
How did you find out that it seems to be open?
Thanks kind regards
Omer
I found out that it seems to be closed.
I know the way they work: they DROP packets which aren't allowed and
they permit allowed traffic.
When you telnet to your IP on port 5051 (which is not ALLOWED) it takes a long
time until the command gets a timeout (a DROP rule in a firewall).
However, when I telnet to port 5050, I got a quick response with a
different error: Unable to connect to remote host: Connection refused
So the packets weren't being dropped and it was your VM that
answered.
Regards,
José Ignacio.
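The distinction José Ignacio draws (a slow timeout means a DROP rule or security group is discarding the SYN; an immediate "Connection refused" means the packet reached the VM and nothing is bound to the port) can be turned into a small reachability check. The code below is an added example, not part of the thread or of any FIWARE tool; the next-step text is the editor's own mapping of each outcome to what the thread concluded, and the loopback listener is a constructed stand-in for a service such as Cygnus.

```python
import socket

# Editor's mapping of each connect outcome to the next thing to check.
NEXT_STEP = {
    "open":    "something is listening; repeat the test from outside the VM",
    "refused": "packets reach the VM and it answers with RST: iptables and the "
               "security group pass the port, but no service is bound to it "
               "(check the service is running and bound to 0.0.0.0, not 127.0.0.1)",
    "dropped": "no answer before the timeout: a DROP rule or a missing "
               "security-group rule is discarding the SYN before the VM sees it",
    "error":   "other socket error (routing, DNS); check the address first",
}

def classify(host, port, timeout=3.0):
    """One TCP connect attempt, classified the way the thread reads telnet output."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "dropped"
        except OSError:
            return "error"

def diagnose(host, port, timeout=3.0):
    """Return (outcome, suggested next step) for host:port."""
    state = classify(host, port, timeout)
    return state, NEXT_STEP[state]

def local_listener():
    """Constructed stand-in for a listening service: bind an ephemeral loopback
    port so the 'open' and 'refused' paths can be exercised without a VM."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    srv, port = local_listener()
    print(port, diagnose("127.0.0.1", port))   # open: a listener exists
    srv.close()
    print(port, diagnose("127.0.0.1", port))   # refused: nothing bound any more
```

Run against the VM's public address from outside the cloud, `dropped` points at the security group or iptables, while `refused` means the firewall layers are fine and the service itself is the problem, which is what this thread ended up finding.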
Hello Jose,
Well, we have been trying to make this port open for a couple of days and I never saw it open, to be honest,
neither by telnet from outside nor by wget localhost:5050 inside the machine.
We have defined the port in iptables. I'm not an expert in the system administration area, but to me, it should have worked.
Hello,
By default CentOS works this way: it has its own firewall and this
firewall is only opened for port 22. We have chosen to respect
the CentOS philosophy and let the instances work the same way CentOS
does because it is the way CentOS is expected to work.
However, as you said, you may need some previous knowledge in system
administration if you decide to use CentOS. In this respect, Ubuntu is
much easier and ready to use than CentOS.
Regards,
José Ignacio.
Hello Jose,
Yes, I know Ubuntu is much easier than CentOS for sure, but IDAS is suggested to be installed on CentOS.
And we need this port 5050 accessible from the internet.
As I mentioned in my previous emails, we have defined a security group in the Cloud portal as documented and added this port in iptables.
But in the end we are not able to telnet to or access this port...
I've sent you the iptables and the rules previously.
Do you have any advice for us? How can we open this port?
Thanks kind regards
Omer
Hi Jose Ignacio,
Thanks very much. Could you please let us know how you opened the port? We may need to do this for another GE instance.
Thanks,
ilknur
I've done some "recapitulation" based on your case here:
https://ask.fiware.org/question/386/cloud-security-groups-not-working-with-centos/
Please, feel free to comment on the response with your experience.
Regards,
José Ignacio.
Dear Spain node team,
The tenant id for our community account is: ilknur-chulani cloud (ID 00000000000000000000000000009378)
Omer created a security rule for port 5050 in this cloud resource, but we believe it is not accessible. Could you kindly take a look and let us know if we need to set this security rule in a different way?
Many thanks,
ilknur