Centos7 packets filtered without firewalld

Charly Roch asked:

I have 2 CentOS 7 servers and I want to create a GlusterFS shared volume on both; to do so I need port 24007 open on both.

I am testing with nc for the moment. Here server2 is listening on port 24007:

[email protected] ~ # nc -l 24007
[email protected] ~ # netstat -na | grep 24007
tcp        0      0 0.0.0.0:24007           0.0.0.0:*               LISTEN

On both servers firewalld is disabled:

[email protected] ~ # systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)

[email protected] ~ # systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Tue 2021-06-08 14:55:42 CEST; 23h ago

With server1 I am trying to connect to port 22 (for testing; it works) and then to 24007 (it doesn't):

[email protected] ~ # nc -zv swarm-node2 22
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to @ipsrv2:22.
Ncat: 0 bytes sent, 0 bytes received in 0.24 seconds.

[email protected] ~ # nc -zv swarm-node2 24007
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connection timed out.

I am running a tcpdump on server2 so we can see the packets arriving from srv1:

[email protected] ~ # tcpdump -i eth0 -nn port 24007
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:41:20.223909 IP @ipsrv1.54398 > @ipsrv2.24007: Flags [S], seq 2092224680, win 29200, options [mss 1460,sackOK,TS val 85574120 ecr 0,nop,wscale 7], length 0
...
3 packets captured
3 packets received by filter

It says "received by filter"; I am not sure what the filter is at this step (firewalld is off), so it might be iptables?

I don't see anything in the iptables logs (they are empty even though rsyslog says DROPped packets should be logged), so I added a rule in iptables on srv2 to accept all packets coming from srv1:

-A INPUT -s @ipsrv1/32 -i eth0 -m comment --comment "050 allow all from other nodes: 46.105.47.47" -j ACCEPT

As seen by tcpdump, packets are arriving at server2 and are passed to the filter, but what is the filter here? firewalld is disabled and iptables should allow, or at least log, these packets.
Do you have any way of testing this in more detail?

My answer:


"filter" in the tcpdump command output does not refer to the firewall. It refers to the filter you specified on the tcpdump command line to select which packets to capture; in this case you specified the filter "port 24007". It has nothing to do with the firewall.

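A diagnostic for the step after reading the tcpdump output, added here as an example and not part of the thread: since the SYN reaches server2 and nothing answers, the next thing to check is which iptables rule in INPUT a new SYN to 24007 actually hits. The script assumes the rules are listed with iptables -S INPUT (as on CentOS 7 with iptables-services); the rule set embedded in it is constructed for the example, and 192.0.2.10 stands in for the other node's address.

```shell
#!/usr/bin/env bash
# Added example for the question above, not code from the Server Fault thread.
# On the server being tested, as root:  ./portcheck.sh live 24007

# Walk "iptables -S INPUT" output top to bottom, as the kernel does, and print the
# verdict of the first rule a NEW TCP SYN to port $1 can hit, or the chain policy.
# Rules that cannot match such a packet are skipped: other protocols, other --dport
# values (multiport lists are not parsed), RELATED/ESTABLISHED-only state matches,
# and loopback (-i lo) rules. Source and interface conditions (-s, -i eth0) are not
# evaluated, so the matched rule is echoed for the reader to judge.
# Output: "<VERDICT>\t(rule N) <rule text>" or "<POLICY>\t(policy)".
first_verdict() {
  awk -v port="$1" '
    $1 == "-P" { policy = $3; next }
    $1 != "-A" { next }
    {
      n++; proto = ""; dport = ""; target = ""; skip = 0
      for (i = 2; i <= NF; i++) {
        if ($i == "-p")      proto  = $(i + 1)
        if ($i == "--dport") dport  = $(i + 1)
        if ($i == "-j")      target = $(i + 1)
        if ($i == "-i" && $(i + 1) == "lo") skip = 1
        if (($i == "--state" || $i == "--ctstate") &&
            $(i + 1) !~ /NEW|INVALID|UNTRACKED/) skip = 1
      }
      if (proto != "" && proto != "tcp" && proto != "all") skip = 1
      if (dport != "" && dport != port) skip = 1
      if (!skip && (target == "ACCEPT" || target == "DROP" || target == "REJECT")) {
        printf "%s\t(rule %d) %s\n", target, n, $0; found = 1; exit
      }
    }
    END { if (!found) printf "%s\t(policy)\n", policy }'
}

# Constructed rule set, not taken from either server: conntrack, loopback and ssh
# accepts, a catch-all DROP (which is what makes a client time out as in the
# question), and an "allow all from the other node" rule appended with -A below
# the DROP, where a new SYN never reaches it. 192.0.2.10 is a placeholder address.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A INPUT -s 192.0.2.10/32 -i eth0 -m comment --comment "050 allow all from other nodes" -j ACCEPT'

case "${1:-}" in
  live) iptables -S INPUT | first_verdict "${2:-24007}" ;;
  *)    printf '%s\n' "$SAMPLE_RULES" | first_verdict 24007 ;;   # prints DROP, rule 4
esac
```

What this makes visible is that a rule added with -A lands at the end of the chain, below any catch-all DROP or REJECT, so a new connection never reaches it; inserting it with -I INPUT 1 puts it first.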
View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.