opening up a port on centos 7 firewall (using firewalld)
There I was on an AWS hosted node trying to access ports 2181 and 9092 on another AWS node where I had just followed the instructions at http://kafka.apache.org/documentation/#quickstart to get a stand-alone instance of Kafka running. After some exceptions that suggested I could not reach these ports, I fell back to trusty old telnet to verify that this was the problem.
[root@ip-172-xxx-xxx-86 kafka]# telnet kafka 22
Trying 172.xxx.xxx.45...
Connected to kafka.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.6.1
^C
Connection closed by foreign host.
[root@ip-172-xxx-xxx-86 kafka]#
[root@ip-172-xxx-xxx-86 kafka]# telnet kafka 2181
Trying 172.xxx.xxx.45...
telnet: connect to address 172.xxx.xxx.45: No route to host
[root@ip-172-xxx-xxx-86 kafka]#
Yep, "no route to host"!! After double-checking that these two AWS hosts should be able to talk to each other on these ports, it seemed logical that the box's own firewall might be "helping" me out. I quickly found out that with CentOS 7 we've moved away from iptables and on to firewalld. Thankfully, man firewall-cmd was there to help me out. I just needed to add these two ports, and the following commands show what the public zone's configuration looked like before and after I made these mods. Note that --permanent only edits the saved configuration; the --reload is what applies it to the running firewall.
[root@ip-172-xxx-xxx-45 kafka_2.11-0.10.1.0]# firewall-cmd --info-zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh vnc-server
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
[root@ip-172-xxx-xxx-45 kafka_2.11-0.10.1.0]# firewall-cmd --permanent --zone=public --add-port=2181/tcp
success
[root@ip-172-xxx-xxx-45 kafka_2.11-0.10.1.0]# firewall-cmd --permanent --zone=public --add-port=9092/tcp
success
[root@ip-172-xxx-xxx-45 kafka_2.11-0.10.1.0]# firewall-cmd --reload
success
[root@ip-172-xxx-xxx-45 kafka_2.11-0.10.1.0]# firewall-cmd --info-zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh vnc-server
  ports: 2181/tcp 9092/tcp
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
[root@ip-172-xxx-xxx-45 kafka_2.11-0.10.1.0]#
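The same add-ports-then-reload-then-verify sequence, wrapped up as an idempotent POSIX sh script (an added example, not from the original post): it checks both the running and the permanent config with --query-port, adds only what is missing, reloads once, and then confirms the ports really show up in --info-zone output. It assumes firewall-cmd is on PATH and the script runs as root; the zone name and port list are arguments, and the --info-zone parsing is factored into functions so it can be tested on captured output.

```shell
#!/bin/sh
# Open TCP ports in a firewalld zone idempotently and verify the result.
# Usage: sh open_ports.sh public 2181/tcp 9092/tcp
# Assumes firewall-cmd is available and we are root (added example).

# Read "firewall-cmd --info-zone=<zone>" output on stdin and print each
# entry of its "ports:" line on its own line, e.g. "2181/tcp".
# The anchor keeps "sourceports:" from matching.
zone_ports() {
    awk '/^[[:space:]]*ports:/ { for (i = 2; i <= NF; i++) print $i }'
}

# Succeed if the given port spec (e.g. 9092/tcp) is in the info-zone text on stdin.
zone_has_port() {
    zone_ports | grep -qx -- "$1"
}

# Ensure every port is open in both the runtime and the permanent config.
# --permanent alone only edits the saved config, so reload once afterwards.
open_ports() {
    zone="$1"; shift
    changed=0
    for p in "$@"; do
        if firewall-cmd --zone="$zone" --query-port="$p" >/dev/null 2>&1 &&
           firewall-cmd --permanent --zone="$zone" --query-port="$p" >/dev/null 2>&1; then
            echo "$p already open in zone $zone"
            continue
        fi
        firewall-cmd --permanent --zone="$zone" --add-port="$p" || return 1
        changed=1
    done
    if [ "$changed" -eq 1 ]; then
        firewall-cmd --reload || return 1
    fi
    # Final check against what the active zone actually reports.
    for p in "$@"; do
        firewall-cmd --info-zone="$zone" | zone_has_port "$p" ||
            { echo "$p still missing from zone $zone" >&2; return 1; }
    done
}

if [ "$#" -ge 2 ]; then
    open_ports "$@"
fi
```

This opens the ports to every source the zone's interface accepts; if only one peer needs them, a dedicated zone with a "sources:" entry or a rich rule is the tighter option, and the AWS security group still has to allow the traffic as well.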
Then I was "cooking with bacon" as telnet shows!
[root@ip-172-xxx-xxx-86 ~]# telnet kafka 2181
Trying 172.xxx.xxx.45...
Connected to kafka.
Escape character is '^]'.
^CConnection closed by foreign host.
[root@ip-172-xxx-xxx-86 ~]# telnet kafka 9092
Trying 172.xxx.xxx.45...
Connected to kafka.
Escape character is '^]'.
^CConnection closed by foreign host.
[root@ip-172-xxx-xxx-86 ~]#
More importantly, I could now connect to the new Kafka configuration I was using for some testing.
[root@ip-172-xxx-xxx-86 kafka]# bin/kafka-console-consumer.sh --zookeeper kafka:2181 --topic lestertester --from-beginning
Now is the time for all good men to come to the aid of their country.
Now is the time for all good men to come to the aid of their country.
Now is the time for all good men to come to the aid of their country.
^CProcessed a total of 3 messages
[root@ip-172-xxx-xxx-86 kafka]#
Good luck with your use of CentOS 7's firewalld, and don't forget to consult your friendly man page as needed.