The Problem
An application is getting “connection refused” from other servers. The application is accessible from localhost and also it listens to the expected port.
The Solution
This may be a case of Firewall on the local server dropping inbound connection attempts from other servers. By default, CentOS/RHEL 7 uses the FIREWALLD service to manage the IPTABLES rules. The older IPTABLES subsystem is still available and may be used directly if the FIREWALLD service is disabled.
Determine if the FIREWALLD service is being used
To see if the firewalld target is active on the system, use the below command:
# systemctl status firewalld.service ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled) Active: active (running) since Thu 2017-12-21 15:03:59 EST; 4s ago Docs: man:firewalld(1) Main PID: 18880 (firewalld) CGroup: /system.slice/firewalld.service └─18880 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid Dec 21 15:03:58 testserver systemd[1]: Starting firewalld - dynamic firewall daemon... Dec 21 15:03:59 testserver systemd[1]: Started firewalld - dynamic firewall daemon. Dec 21 15:04:01 testserver firewalld[18880]: WARNING: ICMP type 'beyond-scope' is not supported by the kernel for ipv6. Dec 21 15:04:01 testserver firewalld[18880]: WARNING: beyond-scope: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time. Dec 21 15:04:01 testserver firewalld[18880]: WARNING: ICMP type 'failed-policy' is not supported by the kernel for ipv6. Dec 21 15:04:01 testserver firewalld[18880]: WARNING: failed-policy: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time. Dec 21 15:04:01 testserver firewalld[18880]: WARNING: ICMP type 'reject-route' is not supported by the kernel for ipv6. Dec 21 15:04:01 testserver firewalld[18880]: WARNING: reject-route: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
As you can see from the output above, the firewalld service in active and running.
Determine if the IPTABLES service is being used
To determine if the iptables service is running on the system, use the below command.
# systemctl status iptables.service * iptables.service - IPv4 firewall with iptables Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled) Active: active (exited) since Thu 2017-12-21 17:51:12 UTC; 26min ago Process: 440 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS) Main PID: 440 (code=exited, status=0/SUCCESS) CGroup: /system.slice/iptables.service Dec 21 17:51:12 testserver systemd[1]: Starting IPv4 firewall with iptables... Dec 21 17:51:12 testserver iptables.init[440]: iptables: Applying firewall rules: [ OK ] Dec 21 17:51:12 testserver systemd[1]: Started IPv4 firewall with iptables.
As seen from the output above, the iptables target is in disabled state.
Prior to CentOS/RHEL 7, checking the system firewall using the iptables command was sufficient to know if a firewall was being used. For example, checking with below command was enough to determine how to control the firewall rules:
# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT udp -- anywhere anywhere udp dpt:domain ACCEPT tcp -- anywhere anywhere tcp dpt:domain ... INPUT_direct all -- anywhere anywhere INPUT_ZONES_SOURCE all -- anywhere anywhere INPUT_ZONES all -- anywhere anywhere DROP all -- anywhere anywhere ctstate INVALID REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
With CentOS/RHEL 7, either the newer FIREWALLD service or the older IPTABLES-SERVICE could be controlling the firewall rules.