Iptables + Java + ES (Service unavailable: communication timeout?)


(Diego Sosa) #1

Hello all,

I am trying to set up a firewall for a server hosting a java app and ES.
Both are on the same server and communicate to each other. The problem I am
having is that my firewall configuration prevents java from connecting to
ES. Not sure why really.... I have tried lot of stuff without any luck.

The idea is that ES should not be accessible from outside but it should be
accessible from this java app.

This is my iptables script:
echo -e Deleting rules for INPUT chain
iptables -F INPUT

echo -e Deleting rules for OUTPUT chain
iptables -F OUTPUT

echo -e Deleting rules for FORWARD chain
iptables -F FORWARD

echo -e Setting by default the drop policy on each chain
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

echo -e Open all ports from/to localhost
iptables -A INPUT -i lo -j ACCEPT

echo -e Open SSH port 22 with brute force security
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent
--set --name SSH --rsource
iptables -A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 30
--hitcount 4 --rttl --name SSH --rsource -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 30
--hitcount 3 --rttl --name SSH --rsource -j LOG --log-prefix "SSH brute
force "
iptables -A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 30
--hitcount 3 --rttl --name SSH --rsource -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

echo -e Open NGINX port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

echo -e Open NGINX SSL port 443
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

echo -e Enable DNS
iptables -A INPUT -p tcp -m tcp --sport 53 --dport 1024:65535 -m state
--state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state
--state ESTABLISHED -j ACCEPT

And I get this in the java app when this config is in place:

org.elasticsearch.cluster.block.ClusterBlockException: blocked by:
[SERVICE_UNAVAILABLE/1/state not recovered /
initialized];[SERVICE_UNAVAILABLE/2/no master];

at
org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessPropertyValues(AutowiredAnnotationBeanPostProcessor.java:292)

at
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1185)

at
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:537)

at
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:475)

at
org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:304)

at
org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:228)

at
org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:300)

at
org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:195)

at
org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:700)

at
org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:760)

at
org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:482)

at
org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:403)

Do any of you see any problem with this configuration and ES?

Thanks in advance

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/b4ab86f5-89a1-4f1f-b176-a2b2c5ac2290%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


(system) #2