I'm trying to launch a flask app, which runs on default port: 5000. Initially, I tried to allow for open connections with ufw under the following configuration:
However, all remote requests were being refused. I eventually ran the following command: iptables -I INPUT -p tcp --dport 5000 -j ACCEPT, which then allows for all commands.
I have two separate questions.
1. Why did the iptables command work but the ufw configuration not work?
2. My current process for deploying the app is: 1) launch screen session 2) run IPTables command 3) run python app.py 4) detach from screen. This seems to do the job initially, but after a while, the app begins to refuse connections. Any thoughts on why this might happen?
The problem was that the VM was configured to use a puppet server, so ufw was being ignored/overwritten entirely.
Related
I have some tensorboard data and I want my server to let me see the data. I don't want to have to send the tensorboard data files to my computer, so it would be ideal if I can just access them remotely. How does one do that? I would assume that the server would just host it as a normal website? What are the Tensorboard commands for this?
I know that locally one can do:
tensorboard --logdir=path/to/log-directory
and then go to the browser to do:
http://localhost:6006/
but is it possible to the equivalent from a server and then just read the data in my local browser/computer from the server?
Assuming that there is no firewall preventing access to port 6006 from the outside, and that your server's address is server.example.com you should be able to simply type http://server.example.com:6006 into your browser and have it work.
In case of a restrictive firewall, tunneling the tensorboard port over SSH using Local Port Forwarding is a good approach (this is also more secure than opening random ports publicly). When logging in to your server, you could type (for instance):
ssh -L 12345:localhost:6006 server.example.com
After that, start tensorboard on the server as usual, and you will be able to access it at http://localhost:12345 in your browser.
mvoelske instructions for setting up port forwarding are correct. If you have administrative privileges on the machine, you can open port 6006 to your IP address using the following commands:
$ sudo iptables -A INPUT -p tcp -s <insert your ip> --dport 6006 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$ sudo iptables -A OUTPUT -p tcp --sport 6006 -m conntrack --ctstate ESTABLISHED -j ACCEPT
The iptables change can be saved with the following command:
$ sudo service iptables save
Note that this is for CentOS v6 and below. CentOS v7 and above used Firewalld by default.
If you have reached this stackoverflow question because you are troubleshooting a previously working TensorBoard setup, you might consider adding the --bind-all flag to your command line.
$ tensorboard --logdir=path/to/log-directory --bind-all
This resolved my problem reaching TensorBoard by URL within an internal network.
http://my_server.company.com:6006
I'm trying to run a node web app (built with meteor) on a Centos7 server running EasyApache4 with WHM cPanel. I'm trying to run it on a subdomain off of one of our main websites on port 8080.
When going to the subdomain on port 8080, the connection just times out, but can see the html when using curl to access it.
Does anyone have any ideas why it won't work through the browser, and also how I can get it to look like it's running straight from the subdomain instead of having to go directly to the port.
EDIT
Below is the curl we are using to view the html
curl http://subdomain.site.com:8080
Doing that brings back the html no problems
Had the same problem today. I am using Memset Centos7 server with WHM/CPanel, running EasyApache 4.
After trying everything I could think of, I realised that I had a basic firewall setup, which closed all ports that were not listed. After adding port 8080, it worked.
Used this:
sudo iptables -I INPUT 1 -i + -p tcp --dport 8080 -j ACCEPT
I am not 100% certain how secure this is, as I am still researching.
I try to access my node.js server running on Ubuntu. My PC is connected with TP-link router. Now, I want to access node services from other IP(not from my local host or local IPs). What can I do? I used following code.
Note: This server works fine and accessible from local IP but can't access from my public IP
http.listen(6000,"0.0.0.0",function(){
log.info("server started");
})
You have to use :-
iptables -A OUTPUT -p tcp --sport 8080 -j ACCEPT
for the outgoing rule (not dport). Apart from that, maybe there's an earlier rule that blocks the traffic? Try iptables -L.
Ubuntu have very good firewall and default system is not allow to external IP to response
In express and node js or any server like that
http.listen(6000,"0.0.0.0",function(){
log.info("server started");
})
It will work on your IP, localhost and public IP
but on external IP can't access it
first of all replace
localhost -> 0.0.0.0
when you want to run frontend and backend simultaneously
then it is better to use public IP directly instead of 0.0.0.0
If you are using ubuntu then we need to change in firewall settings using ufw
UFW is installed by default on Ubuntu. If it has been uninstalled for some reason, you can install it with apt-get:
sudo apt-get install ufw
then
sudo nano /etc/default/ufw
check this line and make it yes
IPV6=yes
save file using Ctrl-X to exit the file, then shift + y to save the changes that you made, then ENTER
At any time, you can check the status of UFW with this command:
sudo ufw status verbose
By default, UFW is disabled so you should see something like this:
Output:
Status: inactive
Not most important point
sudo ufw allow portNumber // here portNumber is port-number in integer
in your case
sudo ufw allow 6000
and allow
sudo ufw allow http
for more rules and firewall on ubuntu click here
I am currently trying to open port 8787 for rstudio server. I have set this up on an ubuntu host, and want to point my browser at the ip address of the ubuntu host, using port 8787 to direct it to rstudio. I can do this from the host machine, but no such luck using a different computer.
When I do
netstat - peantl | grep ":8787"
I get nothing returned, unlike when checking port 22 which is confirmed as listening. I can there ssh from external machines into the ubuntu host.
So I tried to open up port 8787 with iptables:
sudo iptables -A INPUT -p tcp --dport 8787 -j ACCEPT
command runs fine, but then re-checking with netstat I still do not get any output (I was expecting similar output to port 22 as mentioned previously)
I also allowed port 8787 on ufw:
sudo ufw allow 8787
using gufw it confirms port 8787 is open.
What could be the issue? If my network has restricted port 8787 how can I tell? Am I allowing port 8787 correctly with iptables?
Thanks.
All your iptables and ufw commands are doing is opening ports in the firewall itself. The fact that there is no output from the netstat|grep line means that the rstudio software does not actually have the port open for anyone to connect to. This is the issue you need to fix first.
I'm running a node.js server, that will serve requests on port 80 amongst others. Clearly this requires the application running as root (on Linux).
Looking at this post (http://syskall.com/dont-run-node-dot-js-as-root) as an example it's clear that there are simple ways to allow node to be run as a non-root user, but I'm wondering if anyone has views on the advantages/disadvantages of the different methods suggested:
code: use setuid() to drop down from root to non-priviledged user after listening on port 80 is established.
using a proxy server of some sort to redirect requests to a port >1024 (and so not need node to run as root)
using IP tables to forward to another port (ditto node would not run as root)
Thanks
Option 1 requires you launch the node server as root. Not ideal.
Option 2 adds overhead to every handled request and adds another failure point to your stack.
Option 3 Is the simplest and most efficient method.
To implement Option 3, add the following to your system init scripts. (/etc/rc.d/rc.local on RedHat based systems like AWS).
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3000
That will redirect requests from port 80 to port 3000.
(I haven't got enough reputation to add a comment the the one of Matt Browne, so I write this as an answer. Feel free to edit.)
There is a simpler method to load iptables rules automatically after a reboot than the one described in the link of Matt Browne: One can install iptables-persistent from the repositories using apt-get:
apt-get install iptables-persistent
Rules still need to be saved manually like this:
IPv4:
iptables-save > /etc/iptables/rules.v4
IPv6:
iptables-save > /etc/iptables/rules.v6
(Source: http://www.thomas-krenn.com/de/wiki/Iptables_Firewall_Regeln_dauerhaft_speichern (german))
I love the simplicity of this workaround:
sudo setcap 'cap_net_bind_service=+ep' `which node`
It also works for programs other than nodejs btw.
Basically as 2nd parameter you type the path to the program executable (like /usr/bin/nodejs on Ubuntu), in the above case which node should provide it dynamically, thus making this work independently from Linux distro.
Beware though that when you upgrade nodejs or the executable gets overwritten for some other reason you would have to execute that same command again.
Sources:
How to: Allow Node to bind to port 80 without sudo,
Is there a way for non-root processes to bind to "privileged" ports on Linux?