
How can I access port 10000 on Amazon Web Services? I added port 10,000 to a security group, but I still cannot access it.


I can only access the service locally.

[root@ip-172-31-15-65 ~]# curl -I http://localhost:10000
HTTP/1.0 200 Document follows
Date: Sat, 5 Apr 2014 03:03:40 GMT
Server: MiniServ/1.680

When I try from my external (to AWS) IP, it doesn't work.

$ curl -I http://54.186.222.91:10000
curl: (28) Connection timed out after 300138 milliseconds

Here is netstat:

[root@ip-172-31-15-65 ~]# sudo netstat -tunlp |grep 10000
tcp        0      0 0.0.0.0:10000               0.0.0.0:*                   LISTEN      14258/perl
udp        0      0 0.0.0.0:10000               0.0.0.0:*                               14258/perl

Here is iptables. It's a brand new instance.

[root@ip-172-31-15-65 ~]# sudo iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

For some reason, this command fixed it. I don't understand why, because lines 1 and 3 already accept all.

iptables --delete INPUT 5 

Here is verbose iptables:

[root@ip-172-31-15-65 postfix]# iptables -L -nv
Chain INPUT (policy ACCEPT 3348 packets, 173K bytes)
 pkts bytes target     prot opt in     out     source               destination
89357   80M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  102  5883 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   14  2248 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 50224 packets, 17M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chloe
  • Are you able to try from a different computer? Maybe your local ISP or firewall is blocking the traffic. – Brandon Apr 05 '14 at 12:00
  • What happens if you spin up another instance (a micro so it's cheap) and try from it? That'll let you isolate the issue. – ceejayoz Apr 05 '14 at 15:39
  • Have you configured your http service/server to use your external ip specifically? It may be configured by default to only use the loopback adapter. Or it may be configured to limit responses to a certain ip range as well. – David Apr 05 '14 at 18:17
  • @David It's a fresh install of Webmin. – Chloe Apr 06 '14 at 19:37
  • I think the output of `iptables -L -nv` or `iptables-save` would have been more helpful for understanding the current ruleset. I assume that there is something more to line 3 than what can be seen in the output included in the question (maybe it only applies to some specific interface? loopback?). As for line 1, it's not applicable to new connections. – Håkan Lindqvist Apr 06 '14 at 19:52
  • iptables doesn't show the complete rule unless you specify `-v` for verbose, thus normal output is misleading. – Michael Hampton Apr 06 '14 at 19:53

3 Answers


Danger!

Please please do not just turn off your firewall here and think it's a solution. You were on the right track, except you turned a debugging step into a solution. What should we do instead?

How do I truly fix this?

Well, you were right that you were only accepting everything from the lo interface. So we just need to allow this port to be accessed ahead of the REJECT rule. Below are example rules to get you set up. I'll break them down below.

  • iptables -I INPUT 1 -p tcp --dport 10000 -j ACCEPT
  • iptables -A INPUT -j REJECT
  • /etc/init.d/iptables save

What do these commands do?

The first line is telling iptables to insert the rule at line 1 (`-I 1`) and to allow all traffic heading to port 10000 TCP to be accepted. I am using rule one in this example to ensure that it is placed ahead of the REJECT rule. (It is also telling iptables to jump (`-j`) to ACCEPT to allow the traffic.)

The second line is telling iptables to append (insert at the bottom, `-A`) a rule to REJECT all traffic that isn't explicitly allowed by the rules before it. This is how a default deny is set up; without this rule you might as well not be running a firewall, as stated in the comments.

The third and final line has iptables save the rules so that they are persistent upon restart.

What about other services I want to enable?

Use the first example rule from above to allow those. You should also read up on the flexibility of iptables, as it is much more powerful in what you can do with rules.

Jacob

You only have port 22 open in the system firewall.

Run system-config-firewall-tui to either disable the firewall, or open port 10000.

Michael Hampton
  • That command doesn't work on CentOS 6.5. `[root@ip-172-31-15-65 postfix]# system-config-firewall-tui Traceback (most recent call last): File "/usr/bin/system-config-firewall-tui", line 29, in import fw_tui File "/usr/share/system-config-firewall/fw_tui.py", line 35, in from snack import * ImportError: No module named snack`. – Chloe Apr 06 '14 at 20:17
  • Something's horribly broken with your system. You really should fix that. – Michael Hampton Apr 06 '14 at 20:21
  • It's a fresh install with `yum update`. – Chloe Apr 06 '14 at 20:22
  • @Chloe Fresh install is irrelevant to whether it works or not. It's broken. You've broken it in some fashion, or you picked a bad AMI out of the list at AWS. Now you need to fix it. – Magellan Apr 27 '14 at 04:04

For some reason, this command fixed it.

iptables --delete INPUT 5 

I think I understand why now, even though lines 1 and 3 already accept all. With `-v` I see `lo` in the `in` column, and `lo` is the name of the interface in ifconfig which is only for local connections. So no ports were open except 22, SSH.

Chloe
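Added example, not part of the question or any of the answers: a shell function that walks a verbose `iptables -L INPUT -nv` listing the way the kernel would for a NEW TCP connection, honouring the `in` interface column that the non-verbose output hides, and reports which rule (or the chain policy) decides the packet. The sample chain is constructed from the question's output with the deleted REJECT rule put back; the function name and the interface name `eth0` are assumptions.

```shell
#!/bin/sh
# Constructed sample: the question's INPUT chain as `iptables -L INPUT -nv`
# would have printed it before rule 5 (the REJECT) was deleted.
SAMPLE_INPUT_CHAIN='Chain INPUT (policy ACCEPT 3348 packets, 173K bytes)
 pkts bytes target     prot opt in     out     source               destination
89357   80M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  102  5883 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   14  2248 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# verdict_for_new_tcp PORT IFACE  (hypothetical helper name)
# Reads a verbose INPUT listing on stdin and prints "<target> rule <n>" for
# the first rule that matches a NEW TCP connection to PORT arriving on IFACE,
# or "<policy> policy" when no rule matches and the chain policy applies.
verdict_for_new_tcp() {
    awk -v port="$1" -v iface="$2" '
    /^Chain /  { match($0, /policy [A-Z]+/); policy = substr($0, RSTART + 7, RLENGTH - 7); next }
    /^ *pkts/  { next }
    NF < 9     { next }
    {
        n++
        # field layout: pkts bytes target prot opt in out source destination [matches]
        if ($4 != "tcp" && $4 != "all") next           # protocol must cover tcp
        if ($6 != "*" && $6 != iface) next             # "in" column: lo-only rules skip eth0
        if ($0 ~ /state RELATED,ESTABLISHED/) next     # never fires for a NEW connection
        if (match($0, /dpt:[0-9]+/) &&
            substr($0, RSTART + 4, RLENGTH - 4) != port) next   # dpt: must name our port
        print $3, "rule", n; found = 1; exit
    }
    END { if (!found) print policy, "policy" }'
}

# Walk the constructed chain for the cases discussed on the page.
printf '%s\n' "$SAMPLE_INPUT_CHAIN" | verdict_for_new_tcp 10000 eth0   # REJECT rule 5
printf '%s\n' "$SAMPLE_INPUT_CHAIN" | verdict_for_new_tcp 10000 lo     # ACCEPT rule 3
printf '%s\n' "$SAMPLE_INPUT_CHAIN" | verdict_for_new_tcp 22 eth0      # ACCEPT rule 4
# Without the REJECT rule (what `iptables --delete INPUT 5` did), every port
# falls through to the chain policy: the firewall no longer denies by default.
printf '%s\n' "$SAMPLE_INPUT_CHAIN" | grep -v REJECT | verdict_for_new_tcp 10000 eth0   # ACCEPT policy
```

On a live host the same function can be fed with `iptables -L INPUT -nv | verdict_for_new_tcp 10000 eth0`, which shows whether an inserted ACCEPT actually sits ahead of the REJECT rule.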