iptables messing up Tomcat?

I encountered the following problem(s) using Tomcat 7 with iptables on.

1) Namely, there’s this Tomcat 7 instance that I run on server-1 (directly exposed), and this Tomcat instance hosts a REST web-service. Tomcat itself is configured with SSL (NIO, not APR/native), with clientAuth="true". Keystores, certs, and everything seems to be set up OK and working.

On this server, iptables is up and running, allowing all traffic from server-2, and the last rule in the filter INPUT chain is:

-A INPUT -j REJECT --reject-with icmp-host-prohibited

Now, from server-2, I try to call the web-service and I fail with connection / read timeout exceptions.

2) Tomcat won’t shut down – I get a “No route to host” exception message when trying to shut it down via its shutdown script.

As soon as the last rule specified above in iptables on server-1 is removed, both problems go away… Both servers are running CentOS 6 64-bit.

Can someone shed some light on this?

EDIT
Here are all the other current INPUT rules:

// VPN Related
-A INPUT -s xx.xx.xx.xx -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1701 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1701 -j ACCEPT
// FreeRadius
-A INPUT -i eth0 -p tcp -m tcp --dport 1812 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1813 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1812 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1813 -j ACCEPT
// Tomcat
-A INPUT -i eth0 -p tcp -m tcp --dport 4445 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8345 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8007 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 4445 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 8345 -j ACCEPT
// Allow all from server-2
-A INPUT -i eth0 -s xx.xx.xx.xx -j ACCEPT
// System
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
// Reject
-A INPUT -j REJECT --reject-with icmp-host-prohibited
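One check that a rule set like the one posted invites, added here as an example and not part of the original question or of any answer to it: Tomcat's shutdown script sends the shutdown command to the shutdown port on localhost (127.0.0.1:8005 with the stock server.xml), so if the INPUT chain ends in an unconditional REJECT and has no `-i lo -j ACCEPT` ahead of it, that loopback connection is answered with ICMP host-prohibited, which Java surfaces as "No route to host". The script below takes an iptables-save style INPUT chain (the posted rules, abbreviated, with the placeholder addresses kept, constructed as sample input), reports whether loopback traffic is accepted before the terminal rule, and emits a copy with a loopback ACCEPT inserted at the top. That the missing loopback rule is what breaks the shutdown on the poster's server is an assumption; the timeout seen from server-2 is not covered by this check.

```shell
#!/bin/sh
# Constructed sample input: the INPUT chain from the question, abbreviated to
# the rules relevant to this check (placeholder addresses kept as posted).
RULES='-A INPUT -s xx.xx.xx.xx -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8007 -j ACCEPT
-A INPUT -i eth0 -s xx.xx.xx.xx -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# loopback_accepted RULES
# Exit 0 if an "-i lo ... -j ACCEPT" rule appears in the INPUT chain before
# the first unconditional terminal rule ("-A INPUT -j REJECT" / "-j DROP"),
# exit 1 otherwise. Rules after the terminal rule are never reached by the
# kernel, so they are ignored here as well.
loopback_accepted() {
  printf '%s\n' "$1" | awk '
    terminal { next }
    /^-A INPUT / && /-i lo / && /-j ACCEPT/ { found = 1 }
    /^-A INPUT -j (REJECT|DROP)/ { terminal = 1 }
    END { exit found ? 0 : 1 }'
}

# add_loopback_accept RULES
# Print the rule list with "-A INPUT -i lo -j ACCEPT" inserted before the
# first INPUT rule (equivalent to "iptables -I INPUT 1 -i lo -j ACCEPT" on a
# live system). Any "*filter" / ":INPUT" header lines are passed through.
add_loopback_accept() {
  printf '%s\n' "$1" | awk '
    !done && /^-A INPUT / { print "-A INPUT -i lo -j ACCEPT"; done = 1 }
    { print }'
}

# Demo run on the constructed chain: it has no loopback rule, so local
# connections such as Tomcat's shutdown command to 127.0.0.1 hit the REJECT.
if loopback_accepted "$RULES"; then
  echo "loopback is accepted before the terminal rule"
else
  echo "no loopback ACCEPT before the terminal rule: connections to 127.0.0.1"
  echo "(e.g. Tomcat's shutdown port) will be answered with icmp-host-prohibited"
  echo "suggested INPUT chain:"
  add_loopback_accept "$RULES"
fi
```

On a live CentOS 6 box the same check can be run against the real chain with `iptables-save | sed -n '/^-A INPUT/p'` as the input, and the fix is applied with `iptables -I INPUT 1 -i lo -j ACCEPT` followed by `service iptables save`.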