I'm trying to set up iptables to lock down my ES cluster to only speak to
itself, my kibana frontend, and the logstash indexers. I'm having a
difficult time figuring out what ports I need to leave open. There are
plenty of references to ports 9200-9300. However, with netstat I see
plenty of inter-cluster communication on ports in the 30000 to high 50000s.
Can someone clarify what ports are necessary to open up, if I'm starting
with a default of dropping all incoming, and allowing outgoing?
It does not make much sense to run iptables filters inside of a cluster.
You should set up a private network and hide Elasticsearch nodes behind a
reverse proxy at HTTP port 80 or 443 so there won't be a need to think
about internal ports.
In the stock ES, there are two port ranges, 9200-9299 (http) and
9300-9399 (cluster node transport). With plugins there may be more IP
ranges. The ports at 30000-60000 are randomly allocated by your
operating system; these are at the client side of the connections. Note,
as ports may be rearranged in the config, you can also use other port
ranges.
Jörg
On 17.02.13 16:28, Bruce Lysik wrote:
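As an added example (not code from the thread), a POSIX shell script that emits the iptables rules implied by Jörg's answer: default-drop INPUT, accept established/related traffic so the ephemeral 30000-60000 client ports need no rule of their own, and open only 9300-9399 to the other cluster nodes and 9200-9299 to the kibana and logstash hosts. The addresses are constructed placeholders; the script prints the commands for review rather than applying them.

```shell
#!/bin/sh
# Constructed example addresses (assumptions, not from the thread).
CLUSTER_NODES="10.0.1.11 10.0.1.12 10.0.1.13"   # the other ES nodes
HTTP_CLIENTS="10.0.2.20 10.0.3.30"              # kibana frontend, logstash indexer
ES_HTTP="9200:9299"        # stock ES HTTP range
ES_TRANSPORT="9300:9399"   # stock ES cluster transport range

# Emit the ruleset on stdout. Review it, then run it as root (es_rules | sh)
# on each cluster node. Add a rule for your own management access (e.g. SSH)
# before applying, or the DROP policy will lock you out.
es_rules() {
  echo "iptables -P INPUT DROP"
  echo "iptables -P OUTPUT ACCEPT"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  # The high ports seen in netstat are the client side of connections this
  # node opened; conntrack admits the replies, so no port range is opened.
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # Transport (node-to-node) only from the other cluster members.
  for node in $CLUSTER_NODES; do
    echo "iptables -A INPUT -p tcp -s $node --dport $ES_TRANSPORT -m conntrack --ctstate NEW -j ACCEPT"
  done
  # HTTP API only from the hosts that need to query or index.
  for client in $HTTP_CLIENTS; do
    echo "iptables -A INPUT -p tcp -s $client --dport $ES_HTTP -m conntrack --ctstate NEW -j ACCEPT"
  done
}

# Number of accept rules appended to INPUT (useful as a sanity check).
rule_count() {
  es_rules | grep -c '^iptables -A INPUT'
}
```

Everything not matched (including unsolicited connections to 9200-9399 from other hosts) falls through to the DROP policy.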