Can not access web service, port is open, service is running

September 8, 2016
API Deployment Firewall Ubuntu 16.04

Hi all,

I was running docker containers in my droplet and that was working fine with port mapping and such through docker. However, there is a very nasty memory leak with Docker and JVMs (and perhaps not just JVMs) that causes my docker containers to crash in short order. So I am now trying to just run my java service on the droplet OS itself outside of Docker. I am able to start it up no problem, just like I do on my dev box. It starts on port 8090. I try an external port check site and it says 8090 is open on my droplet IP.

When I make a request using <ip>:8090 it just hangs until it finally times out and says it could not get a response. When I try other ports, like port 80, it immediately fails.

I added an iptables entry and now my iptables -S looks like below. I am unclear if the -A INPUT line below the -N DOCKER-ISOLATION somehow screws this up, and I don't know much about iptables so not sure if there is something else I need to do to get the service listening on the port to accept a request. I did confirm with netstat -ulntp that it is listening on 8090 as well. At this point I am not sure what could be up. I suspect it may have something to do with the Docker mappings taking over all ports and then nothing listening inside of Docker. If that is the case, what to do to map 8090 to my java service running on the droplet?

-A INPUT -p tcp -m tcp --dport 8090 -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d ! -i docker0 -o docker0 -p tcp -m tcp --dport 5432 -j ACCEPT

  • If you disable your droplet's firewall to test, are you able to access the service? Try disabling the iptables service with service iptables stop and then attempt to access your service on port 8090. If you are able to get there then I would recommend starting over your iptables configuration cleanly, testing as you add your rules in. If the service is not accessible after disabling iptables then you'll want to look at the service configuration itself and make sure that it is listening on your public IP address and not just on localhost.

  • Can you also provide the output of:

    netstat -rn

    That will print out all of your routing tables as well as open and listening ports and what IPs they are on.

    That way you can tell if the system is listening on the port and IP addresses you expect and we can see if it's potentially a firewall rules issue, or if in fact the IP/port isn't as expected.
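The two checks the comments above describe (is the service bound to a public address or only to localhost, and does an INPUT rule accept the port before anything drops it), as an added shell example that is not from the original thread. The `ss -ltnp` and `iptables -S INPUT` outputs it parses are constructed samples, and the firewall model is deliberately simplified as noted in the comments.

```shell
# Constructed `ss -ltnp` output (not from the post): java bound to loopback only, sshd on all.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8090     *:*   users:(("java",pid=1234,fd=12))
LISTEN 0      128    *:22               *:*   users:(("sshd",pid=900,fd=3))'
# Constructed `iptables -S INPUT` output: DROP policy, ACCEPT for 22 and 8090.
SAMPLE_IPT='-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8090 -j ACCEPT'
# listen_scope PORT SS_OUTPUT -> loopback | all | other | none
listen_scope() {
  printf '%s\n' "$2" | awk -v port="$1" '
    $1 == "LISTEN" {
      n = split($4, a, ":"); p = a[n]
      addr = substr($4, 1, length($4) - length(p) - 1)
      if (p != port) next; found = 1
      if (addr ~ /^127\./ || addr == "[::1]") print "loopback"
      else if (addr == "*" || addr == "0.0.0.0" || addr == "[::]") print "all"
      else print "other"
      exit
    }
    END { if (!found) print "none" }'
}
# fw_verdict PORT IPT_OUTPUT -> first INPUT target deciding a new TCP connection to PORT,
# or "policy:<P>". Simplified: ignores -s/-d/-i, and --ctstate rules count only if they include NEW.
fw_verdict() {
  printf '%s\n' "$2" | awk -v port="$1" '
    $1 == "-P" { policy = $3 }
    $1 == "-A" {
      target = ""; dport = ""; proto = ""; ct = ""
      for (i = 2; i <= NF; i++) {
        if ($i == "-j") target = $(i + 1)
        if ($i == "--dport") dport = $(i + 1)
        if ($i == "-p") proto = $(i + 1)
        if ($i == "--ctstate") ct = $(i + 1)
      }
      generic = (dport == "" && (proto == "" || proto == "tcp") && (ct == "" || ct ~ /NEW/))
      if (target ~ /^(ACCEPT|DROP|REJECT)$/ && (dport == port || generic)) {
        print target; done = 1; exit
      }
    }
    END { if (!done) print "policy:" policy }'
}
# diagnose PORT SS_OUTPUT IPT_OUTPUT -> one-line summary combining both checks
diagnose() {
  scope=$(listen_scope "$1" "$2"); fw=$(fw_verdict "$1" "$3")
  [ "$scope" = none ] && { echo "not-listening"; return; }
  echo "listening-$scope fw=$fw"
}
```

Running `diagnose 8090 "$(ss -ltnp)" "$(iptables -S INPUT)"` on the droplet separates the "bound to localhost only" case (the connection hangs or is refused regardless of iptables) from the "firewall never reaches the ACCEPT" case.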
