When we are working on critical services like the Puppet master, we have to secure the master in many ways. One of them is enabling the firewall to close all ports except port 8140, where the master listens for node requests. In this post, we will see how to enable or open this port on the master.
Before checking the master's firewall, check whether you are able to connect to the master from a Puppet node at all. If you try to connect the node to the master using puppet agent -td, you will get the error below:
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
debug: report supports formats: b64_zlib_yaml pson raw yaml; using pson
err: Could not send report: No route to host - connect(2)
The above error clearly states that there is no route to the host, which in many cases is caused by the master's firewall.
To confirm it, try to telnet to the Puppet master on port 8140 from the Puppet node.
[root@node1 surendra]# telnet 192.168.122.42 8140
Trying 192.168.122.42...
telnet: connect to address 192.168.122.42: No route to host
So it is confirmed: port 8140 on the master is blocked. We can check the present status of the firewall by running iptables -L on the Puppet master, as shown below.
[root@master puppet]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
As you can see, this is the default firewall ruleset on Red Hat based machines, which blocks all incoming TCP connections except SSH. We have to insert a rule at the start of the INPUT chain for port 8140. Inserting at the start matters: the REJECT rule at the end of the chain matches everything, so a rule appended below it would never be reached. Execute the firewall rule below and save it.
iptables -I INPUT -p tcp -m tcp --dport 8140 -j ACCEPT
Save the iptables rules and restart the service:
service iptables save
service iptables restart
Output:
[root@master puppet]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
[root@master puppet]# service iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
Now check whether your rule is in place using iptables -L:
[root@master puppet]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:8140
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT tcp -- anywhere anywhere tcp dpt:8140
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
The firewall rules now show the desired state, so we can check from the node whether the port is open.
[root@node1 surendra]# telnet 192.168.122.42 8140
Trying 192.168.122.42...
Connected to 192.168.122.42.
Escape character is '^]'.
^]
telnet> q
Connection closed.
That's it, we are connected now. We can now run puppet agent -td to check that the Puppet node is able to communicate with the master.
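A small check script, added here as an example and not part of the original post: it reads an INPUT chain listing (the format printed by iptables -L INPUT -n, with or without --line-numbers) and tells you whether the ACCEPT for a port sits above the chain's catch-all REJECT, which is the only place it can take effect. The two listings embedded in it are constructed samples modelled on the output above, including a second, dead dpt:8140 rule below the REJECT.

```shell
#!/bin/sh
# Added example (not from the original post). Any rule placed below the chain's
# catch-all REJECT/DROP is dead: packets are rejected before reaching it. That is
# why the post inserts with -I (top of chain) instead of appending with -A.

# Constructed sample mirroring the post's listing: one effective dpt:8140 rule at
# the top and a second, shadowed copy below the REJECT.
SAMPLE_GOOD='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8140
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8140'

# Constructed sample of the mistake: the rule was appended, so it sits under the REJECT.
SAMPLE_BAD='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8140'

# port_rule_effective PORT LISTING -> exit 0 if an ACCEPT for dpt:PORT precedes the
# first REJECT/DROP in the chain, 1 otherwise. The target column is $1, or $2 when
# the listing was produced with --line-numbers (first field is then a number).
port_rule_effective() {
    printf '%s\n' "$2" | awk -v port="$1" '
        { t = ($1 ~ /^[0-9]+$/) ? $2 : $1 }
        t == "ACCEPT" && $0 ~ ("dpt:" port "( |$)") { found = 1; exit }
        t == "REJECT" || t == "DROP" { exit }
        END { exit (found ? 0 : 1) }'
}

# shadowed_port_rules PORT LISTING -> prints every dpt:PORT rule that sits below the
# first REJECT/DROP: dead rules worth deleting so the ruleset reads as it behaves.
shadowed_port_rules() {
    printf '%s\n' "$2" | awk -v port="$1" '
        { t = ($1 ~ /^[0-9]+$/) ? $2 : $1 }
        dead && $0 ~ ("dpt:" port "( |$)") { print }
        t == "REJECT" || t == "DROP" { dead = 1 }'
}

# Against the live master (as root):
#   port_rule_effective 8140 "$(iptables -L INPUT -n)" && echo "8140 rule is effective"
#   shadowed_port_rules 8140 "$(iptables -L INPUT -n)"
```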