New Logstash setup issue with iptables


(Lois Bennett) #1

Hi All

I am trying to set up a very simple logstash test. I am following the book
and I have been successful with getting a server going with one instance of
each element in the ELK stack. Successful as long as I turn off iptables!

Since this is not an option, I need some guidance as to what ports I need to
have open.

This is the iptables status:
root # service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target               prot opt source            destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0         0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target               prot opt source            destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0         0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target               prot opt source            destination

Chain RH-Firewall-1-INPUT (2 references)
num  target  prot opt source            destination
1    ACCEPT  all  --  0.0.0.0/0         0.0.0.0/0     state RELATED,ESTABLISHED
2    ACCEPT  all  --  0.0.0.0/0         0.0.0.0/0
3    ACCEPT  icmp --  0.0.0.0/0         0.0.0.0/0     icmp type 255
4    ACCEPT  esp  --  0.0.0.0/0         0.0.0.0/0
5    ACCEPT  ah   --  0.0.0.0/0         0.0.0.0/0
6    ACCEPT  udp  --  0.0.0.0/0         224.0.0.251   udp dpt:5353
7    ACCEPT  udp  --  0.0.0.0/0         0.0.0.0/0     udp dpt:631
8    ACCEPT  tcp  --  0.0.0.0/0         0.0.0.0/0     tcp dpt:631
9    ACCEPT  tcp  --  0.0.0.0/0         0.0.0.0/0     state NEW tcp dpt:22
10   ACCEPT  tcp  --  0.0.0.0/0         0.0.0.0/0     state NEW tcp dpt:80
11   ACCEPT  tcp  --  0.0.0.0/0         0.0.0.0/0     state NEW tcp dpt:443
12   ACCEPT  tcp  --  0.0.0.0/0         0.0.0.0/0     state NEW tcp dpt:536
13   ACCEPT  tcp  --  0.0.0.0/0         0.0.0.0/0     state NEW tcp dpts:9200:9400
14   ACCEPT  tcp  --  0.0.0.0/0         0.0.0.0/0     state NEW tcp dpt:9302
15   ACCEPT  tcp  --  0.0.0.0/0         0.0.0.0/0     state NEW tcp dpt:9303
16   ACCEPT  tcp  --  0.0.0.0/0         0.0.0.0/0     state NEW tcp dpt:9304
17   ACCEPT  tcp  --  0.0.0.0/0         0.0.0.0/0     state NEW tcp dpt:9305
18   ACCEPT  tcp  --  0.0.0.0/0         0.0.0.0/0     state NEW tcp dpt:5514
19   ACCEPT  tcp  --  0.0.0.0/0         0.0.0.0/0     state NEW tcp dpt:6379
20   ACCEPT  tcp  --  0.0.0.0/0         0.0.0.0/0     state NEW tcp dpt:9300
21   ACCEPT  tcp  --  0.0.0.0/0         0.0.0.0/0     state NEW tcp dpt:9301
22   ACCEPT  tcp  --  0.0.0.0/0         0.0.0.0/0     state NEW tcp dpt:9200
23   ACCEPT  tcp  --  0.0.0.0/0         0.0.0.0/0     state NEW tcp dpt:9292
24   ACCEPT  tcp  --  0.0.0.0/0         0.0.0.0/0     state NEW tcp dpt:537
25   ACCEPT  tcp  --  172.27.104.0/24   0.0.0.0/0
26   ACCEPT  tcp  --  172.27.80.0/25    0.0.0.0/0
27   ACCEPT  tcp  --  0.0.0.0/0         224.2.2.4
28   REJECT  all  --  0.0.0.0/0         0.0.0.0/0     reject-with icmp-host-prohibited

It seems to have something to do with discovery in the elasticsearch
initialization. After logstash is running I can turn iptables on and it
continues to work.
Does anyone have a suggestion on what iptables might be blocking? I could
do a workaround to start iptables after logstash and elasticsearch are up
and running, but that doesn't seem right.

I can send logs if that would help.

This is the system and versions

Red Hat Enterprise Linux Server release 6.5 (Santiago)

Logstash Version:

/opt/logstash/bin/logstash --version

logstash 1.4.2-modified

Elasticsearch Version:
from the elasticsearch logs
version[1.2.1], pid[17907], build[6c95b75/2014-06-03T15:02:52Z]

Redis version
2.4.10

Thanks
Lois

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/61335730-1253-487d-b613-1ec306c85159%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


(Linus Askengren) #2

Hi Lois,

I had the exact same problem. The discovery is running on UDP 54328 by
default
(http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/modules-discovery-zen.html);
opening that port solved it for me.

Hope it helps
Linus

On Thursday, July 3, 2014 9:16:31 PM UTC+2, Lois Bennett wrote:

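An added example, not part of the original thread: a small first-match evaluator over a constructed, simplified copy of the posted chain. It shows the UDP discovery ping falling through to the final REJECT while TCP 9300 is accepted, and a scoped UDP rule inserted before the REJECT fixing it. The rule strings, the `-i lo` on the second rule, the source scoping to 172.27.104.0/24 and the sample packets are assumptions; port 54328 and group 224.2.2.4 come from the thread.

```python
import ipaddress

# Constructed, simplified subset of the thread's RH-Firewall-1-INPUT chain.
# "-i lo" is an assumption: the posted listing omits the interface column.
RULES = [
    "-m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-i lo -j ACCEPT",
    "-p tcp -m state --state NEW --dport 9200:9400 -j ACCEPT",
    "-p tcp -s 172.27.104.0/24 -j ACCEPT",
    "-p tcp -d 224.2.2.4 -j ACCEPT",
    "-j REJECT",
]
# Added rule (scoping is an assumption): pings from the cluster subnet only.
ZEN_RULE = "-p udp -s 172.27.104.0/24 -d 224.2.2.4 --dport 54328 -j ACCEPT"
FIXED = RULES[:-1] + [ZEN_RULE, RULES[-1]]  # inserted just before the REJECT

def parse(rule):
    tok = rule.split()  # "flag value flag value ..." -> {flag: value}
    return dict(zip(tok[0::2], tok[1::2]))

def matches(opts, pkt):  # a condition absent from the rule matches anything
    for flag, key in (("-p", "proto"), ("-i", "iface")):
        if opts.get(flag, pkt[key]) != pkt[key]:
            return False
    if "--state" in opts and pkt["state"] not in opts["--state"].split(","):
        return False
    for flag, key in (("-s", "src"), ("-d", "dst")):
        net = ipaddress.ip_network(opts.get(flag, "0.0.0.0/0"))
        if ipaddress.ip_address(pkt[key]) not in net:
            return False
    lo, _, hi = opts.get("--dport", "0:65535").partition(":")
    return int(lo) <= pkt["dport"] <= int(hi or lo)

def verdict(rules, pkt):  # first matching rule wins, as in a real chain
    for num, rule in enumerate(rules, 1):
        opts = parse(rule)
        if matches(opts, pkt):
            return num, opts["-j"]
    return None, "POLICY"

def packet(proto, src, dst, dport, state="NEW", iface="eth0"):
    return dict(proto=proto, src=src, dst=dst, dport=dport, state=state, iface=iface)

PING = packet("udp", "172.27.104.10", "224.2.2.4", 54328)  # discovery ping
TRANSPORT = packet("tcp", "172.27.104.10", "172.27.104.20", 9300)  # node-to-node
OUTSIDER = packet("udp", "10.0.0.5", "224.2.2.4", 54328)  # off-subnet ping

for name, p in (("ping", PING), ("transport", TRANSPORT), ("outsider", OUTSIDER)):
    print(name, verdict(RULES, p), verdict(FIXED, p))
```

Rule 5 in the constructed chain mirrors rule 27 in the posted listing: it names 224.2.2.4 but with protocol tcp, so it never matches a UDP ping.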


(Lois Bennett) #3

Thank you, Linus! That did the trick!

Peace and Joy,
Lois

On Saturday, July 5, 2014 8:51:19 AM UTC-4, Linus Askengren wrote:


