debian VM refusing all traffic apart from http

james lewis asked:

I’ve got a VM with a fresh install of Debian (wheezy) and I’ve installed node and mongo on it. The VM is using a bridged network connection so I was expecting to be able to point my host machines browser at the ip address of the Debian VM (port 1337 for my node example or port 28017 for my mongo status page) and see one of the two services (node or mongo). My requests are refused though.

As far as I can tell Debian allows all traffic by default and you have to manually configure iptables to drop traffic. I’ve checked iptables and it says it’s setup to allow anything through. It looks like this:

root@devbox:/home/jlewis# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination   

As a test I setup nginx and I was able to get to the nginx landing page from my host no problems so obviously http traffic is allowed. I then set nginx up to forward all traffic upstream to mongo – no problems there, I was able to see the status page. I then did the same for my example node server and again, no problems. So http traffic is fine, but all other traffic is blocked.

Anyone know why debian might be refusing all other traffic other than iptables being setup to drop it?

EDIT – output from netstat -nltp:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0*               LISTEN      1762/mongod     
tcp        0      0 *               LISTEN      1541/rpc.statd  
tcp        0      0    *               LISTEN      2462/sshd       
tcp        0      0*               LISTEN      2794/node       
tcp        0      0  *               LISTEN      2274/exim4      
tcp        0      0*               LISTEN      1762/mongod     
tcp        0      0   *               LISTEN      1510/rpcbind    
tcp        0      0    *               LISTEN      2189/nginx      
tcp6       0      0 :::22                   :::*                    LISTEN      2462/sshd       
tcp6       0      0 :::45335                :::*                    LISTEN      1541/rpc.statd  
tcp6       0      0 ::1:25                  :::*                    LISTEN      2274/exim4      
tcp6       0      0 :::111                  :::*                    LISTEN      1510/rpcbind    

My answer:

The ports you mention, 1337 and 28017, (as well as 25) are not listening on all interfaces, but only on, or localhost. So they cannot be accessed outside of the local machine. For security reasons, this is generally what you want.

By contrast, the services on port 22, 80, 111, 45335 and 51028 are bound to or :: and are thus accessible to the world.

If you really mean for these services to be accessible to the world, you’ll have to configure them as such, following their own respective configuration directives.

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.