New node not joining to cluster over iptable rule

Currently, I am using Nginx to secure my elasticsearch API. I want to add the new node to my current single node cluster.

So I use network.publish_host: <node-ip> and make the port accessible only by the other node of the cluster using the iptables rule

iptables -I INPUT -p tcp ! -s <ip address> --dport 9300 -j DROP

Node - 1
network.publish_host: ["", ":9300"]
discovery.zen.minimum_master_nodes: 1

Node - 2 <Cluster Name> <Node Name - 2>
network.publish_host: <node2-ip> ["", "<Older-node-ip>:9300"]
discovery.zen.minimum_master_nodes: 1

Can anybody tell what am I doing wrong here ??


can you first try to disable all firewalls and see if that works? Apart from that, does it work with telnet/netcat/nmap? Also, every node in the cluster needs to be able to connect to every other node to port 9300, is that part of your firewall rules? That input rule also takes the bidirectional nature of tcp packets into account (my iptables times are long gone, thus the stupid questions).

Also, the first config contains :9300 is node setting? is that intended? On top of that you also have to change minimum master nodes setting, when you have two nodes, but first the should of course connect to each other.


I don't think it's problem with iptables. After i change the configuration from network.publish_host to But when I change the configuration my elasticsearch API open to all IPs using <node-ip>:9200. So there is no use of Nginx.

Then I create one more rule that allows only the current node API to access elasticsearch API, not others. And I use the Nginx to port forward from :8000 (Nginx port) to :9200. Now it's working fine.

Is there any other thing I have to consider for security reasons. And thanks for your response :slight_smile:

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.