james lewis asked:
I’ve got a VM with a fresh install of Debian (wheezy) and I’ve installed node and mongo on it. The VM is using a bridged network connection, so I was expecting to be able to point my host machine’s browser at the IP address of the Debian VM (port 1337 for my node example or port 28017 for my mongo status page) and see one of the two services (node or mongo). My requests are refused though.
As far as I can tell Debian allows all traffic by default and you have to manually configure iptables to drop traffic. I’ve checked iptables and it says it’s set up to allow anything through. It looks like this:
root@devbox:/home/jlewis# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
As a test I set up nginx and I was able to get to the nginx landing page from my host with no problems, so obviously http traffic is allowed. I then set nginx up to forward all traffic upstream to mongo – no problems there, I was able to see the status page. I then did the same for my example node server and again, no problems. So http traffic is fine, but all other traffic is blocked.
Anyone know why Debian might be refusing all other traffic, other than iptables being set up to drop it?
EDIT – output from netstat -nltp:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:28017         0.0.0.0:*               LISTEN      1762/mongod
tcp        0      0 0.0.0.0:51028           0.0.0.0:*               LISTEN      1541/rpc.statd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2462/sshd
tcp        0      0 127.0.0.1:1337          0.0.0.0:*               LISTEN      2794/node
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2274/exim4
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      1762/mongod
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1510/rpcbind
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2189/nginx
tcp6       0      0 :::22                   :::*                    LISTEN      2462/sshd
tcp6       0      0 :::45335                :::*                    LISTEN      1541/rpc.statd
tcp6       0      0 ::1:25                  :::*                    LISTEN      2274/exim4
tcp6       0      0 :::111                  :::*                    LISTEN      1510/rpcbind
The ports you mention, 1337 and 28017 (as well as 25), are not listening on all interfaces, but only on 127.0.0.1, or localhost. So they cannot be accessed from outside the local machine. For security reasons, this is generally what you want.
By contrast, the services on ports 22, 80, 111, 45335 and 51028 are bound to 0.0.0.0 or :: and are thus accessible to the world.
If you really mean for these services to be accessible to the world, you’ll have to configure them as such, following their own respective configuration directives.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.