
I am new to Fedora and backend work, and I recently got a job to build a game server on Linode. The current setup is 2 Linodes + 1 NodeBalancer; I have a memcached server on each Linode and I have set up memAdmin for monitoring memcached.

My question is, how do I build the firewall rules that permit S1 (memAdmin) to telnet to S2 on port 11211? My memAdmin is located on S1 and it needs permission to access the memcached on S2. I have tried a few rules like:

iptables -P INPUT DROP
iptables -A INPUT -p tcp -s (S1's ip) --dport 23 -j ACCEPT
iptables -A INPUT -p tcp -s (S1's ip) --dport 11211 -j ACCEPT

I have even tried the intranet IP address range 192.168.0.0/24 for -s, but it still does not work. I have set the OPTION in /etc/sysconfig/memcached to "-l 0.0.0.0", and the memcached service is listening on IP 0.0.0.0, but I still cannot telnet to S2 11211 from S1.

I tried stopping the iptables service. I can telnet to S2 from my PC, but I still cannot telnet from S1 to S2.

I am a newbie, please help.

The output of iptables -L INPUT -vn:

Chain INPUT (policy DROP 225 packets, 13464 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       S1's IP              0.0.0.0/0            tcp dpt:23
    7   420 ACCEPT     tcp  --  *      *       S1's IP              0.0.0.0/0            tcp dpt:11211
   24  1314 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
Chris
  • It's also possible that the service isn't listening on the IP you want to connect to it via. – Falcon Momot Jul 23 '13 at 07:00
  • Thanks for your comment. The memcached service is listening on IP 0.0.0.0 – Chris Jul 23 '13 at 07:02
  • If you are logged in to S2, can you telnet s2.ip 11211 and does it work? Again, from S2 can you telnet 127.0.0.1 11211? What exactly is the message that telnet gives when it fails to connect? – user9517 Jul 23 '13 at 07:05
  • If I log in to S2, I can telnet successfully to the S2 IP, the S2 LAN IP and 127.0.0.1. However, if I am on S1 and telnet to the S2 IP on 11211, it echoes "Trying s2 ip..." and times out after a few minutes – Chris Jul 23 '13 at 07:26
  • It seems the firewall has accepted the packets, since the "pkts" and "bytes" columns (row 11211) from iptables -L -n -v are not 0, and they tend to increase when I telnet to S2, but the number of policy-dropped packets increases too when I try to telnet to S2. Why is that? – Chris Jul 23 '13 at 07:31
  • Can you show us the output (edit your question) of `iptables -L INPUT -vn` – user9517 Jul 23 '13 at 07:34
  • It's done. Please check. – Chris Jul 23 '13 at 07:39
  • And what about the OUTPUT chain? And I can't see RELATED,ESTABLISHED in the INPUT chain – ALex_hha Jul 23 '13 at 08:03
  • Hi, there are no rules for the OUTPUT chain and no RELATED,ESTABLISHED in the INPUT chain in my setup. Do I need to set them? And how do they affect the firewall? Thx. – Chris Jul 23 '13 at 08:27

2 Answers


Finally I found the solution. I was missing this rule on both S1 and S2:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Appending this rule to the end of the INPUT chain works for me. Thx again for all your answers.

Chris

Are the server and the client on the same subnet or not? Check first whether your memcached is listening on all IPs: netstat -pntle | grep 11211. You should see "0.0.0.0:11211" in the 4th column. If not, check your config and restart your server. Add the line iptables -A INPUT -j LOG to get a log of rejected connections.

Dom
  • The two servers have the same subnet mask 255.255.128.0, so they are supposed to be on the same subnet? And I ran netstat -pntle | grep 11211 and it returned this: tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 998 17414 3698/memcache d tcp6 0 0 :::11211 :::* LISTEN 998 8882 3189/memcache d – Chris Jul 23 '13 at 07:05
  • I will try logging the firewall. Thx :) – Chris Jul 23 '13 at 07:07
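The complete ruleset the two answers arrive at (the RELATED,ESTABLISHED rule from the accepted answer, so that the SYN-ACK coming back from the peer's port 11211 is not dropped by the INPUT DROP policy, plus the LOG rule Dom suggests), as an added example that is not part of the original question or answers. It assumes iptables on both hosts, an IPT variable that can be set to echo for a dry run, a management port (ADMIN_PORT, default 22) that must stay reachable, and the peer's address passed as an argument; none of these names are from the original post.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal stateful INPUT
# ruleset for one memcached host. Run it on S1 with S2's address and on
# S2 with S1's address. Assumed names: IPT (override with "echo" for a
# dry run) and ADMIN_PORT (the port you administer the box on).
IPT=${IPT:-iptables}
ADMIN_PORT=${ADMIN_PORT:-22}

# memcached_rules PEER_IP: build the INPUT chain on this host.
memcached_rules() {
    peer=$1
    [ -n "$peer" ] || { echo "usage: memcached_rules PEER_IP" >&2; return 1; }

    # Start from an empty chain so re-running does not duplicate rules.
    "$IPT" -F INPUT
    # Loopback: memcached on 127.0.0.1 and a local memAdmin need this.
    "$IPT" -A INPUT -i lo -j ACCEPT
    # The rule the question was missing: replies to connections this host
    # opened (the SYN-ACK from the peer's 11211, for example) would
    # otherwise hit the DROP policy, which is why telnet hung at "Trying".
    "$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Management access, so that policy DROP cannot lock you out.
    "$IPT" -A INPUT -p tcp --dport "$ADMIN_PORT" -j ACCEPT
    # memcached only from the peer; never expose 11211 to 0.0.0.0/0.
    "$IPT" -A INPUT -p tcp -s "$peer" --dport 11211 -j ACCEPT
    # Log what is about to be dropped (rate-limited), as Dom suggests.
    "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
    # Default deny is set last, after the rules that keep us reachable.
    "$IPT" -P INPUT DROP
}

# Dry run (prints the commands): IPT=echo sh fw.sh apply 10.0.0.2
# Real run (needs root):         sh fw.sh apply 10.0.0.2
case "${1:-}" in
    apply) memcached_rules "$2" ;;
esac
```

Rule order matters: a rule appended after the LOG rule is still evaluated before the policy, but it will only be reached by packets the LOG rule has already passed through, so keep the ACCEPT rules above it.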