No route to host for port 6379












0















I'm getting a "no route to host" error when I'm connecting a remote server to my Redis instance on another server.



Redis is definitely running and listening on port 6379. I can connect to it locally.



The server with Redis has this configured for iptables -S



-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N FORWARD_IN_ZONES
-N FORWARD_IN_ZONES_SOURCE
-N FORWARD_OUT_ZONES
-N FORWARD_OUT_ZONES_SOURCE
-N FORWARD_direct
-N FWDI_public
-N FWDI_public_allow
-N FWDI_public_deny
-N FWDI_public_log
-N FWDO_public
-N FWDO_public_allow
-N FWDO_public_deny
-N FWDO_public_log
-N INPUT_ZONES
-N INPUT_ZONES_SOURCE
-N INPUT_direct
-N IN_public
-N IN_public_allow
-N IN_public_deny
-N IN_public_log
-N OUTPUT_direct
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT


netstat -rn prints out:



0.0.0.0         178.xxx.xxx.1   0.0.0.0         UG        0 0          0 eth0
10.10.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
10.136.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
172.18.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-e071bb9e15A
178.xxx.xxx.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0


Is there anything misconfigured here, and how can I fix it so that remote servers can connect to port 6379?










share|improve this question



























    0















    I'm getting a "no route to host" error when I'm connecting a remote server to my Redis instance on another server.



    Redis is definitely running and listening on port 6379. I can connect to it locally.



    The server with Redis has this configured for iptables -S



    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -N FORWARD_IN_ZONES
    -N FORWARD_IN_ZONES_SOURCE
    -N FORWARD_OUT_ZONES
    -N FORWARD_OUT_ZONES_SOURCE
    -N FORWARD_direct
    -N FWDI_public
    -N FWDI_public_allow
    -N FWDI_public_deny
    -N FWDI_public_log
    -N FWDO_public
    -N FWDO_public_allow
    -N FWDO_public_deny
    -N FWDO_public_log
    -N INPUT_ZONES
    -N INPUT_ZONES_SOURCE
    -N INPUT_direct
    -N IN_public
    -N IN_public_allow
    -N IN_public_deny
    -N IN_public_log
    -N OUTPUT_direct
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -j INPUT_direct
    -A INPUT -j INPUT_ZONES_SOURCE
    -A INPUT -j INPUT_ZONES
    -A INPUT -m conntrack --ctstate INVALID -j DROP
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i lo -j ACCEPT
    -A FORWARD -j FORWARD_direct
    -A FORWARD -j FORWARD_IN_ZONES_SOURCE
    -A FORWARD -j FORWARD_IN_ZONES
    -A FORWARD -j FORWARD_OUT_ZONES_SOURCE
    -A FORWARD -j FORWARD_OUT_ZONES
    -A FORWARD -m conntrack --ctstate INVALID -j DROP
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    -A OUTPUT -j OUTPUT_direct
    -A FORWARD_IN_ZONES -g FWDI_public
    -A FORWARD_OUT_ZONES -g FWDO_public
    -A FWDI_public -j FWDI_public_log
    -A FWDI_public -j FWDI_public_deny
    -A FWDI_public -j FWDI_public_allow
    -A FWDI_public -p icmp -j ACCEPT
    -A FWDO_public -j FWDO_public_log
    -A FWDO_public -j FWDO_public_deny
    -A FWDO_public -j FWDO_public_allow
    -A INPUT_ZONES -g IN_public
    -A IN_public -j IN_public_log
    -A IN_public -j IN_public_deny
    -A IN_public -j IN_public_allow
    -A IN_public -p icmp -j ACCEPT
    -A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT


    netstat -rn prints out:



    0.0.0.0         178.xxx.xxx.1   0.0.0.0         UG        0 0          0 eth0
    10.10.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
    10.136.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
    172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
    172.18.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-e071bb9e15A
    178.xxx.xxx.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0


    Is there anything misconfigured here, and how can I fix it so that remote servers can connect to port 6379?










    share|improve this question

























      0












      0








      0








      I'm getting a "no route to host" error when I'm connecting a remote server to my Redis instance on another server.



      Redis is definitely running and listening on port 6379. I can connect to it locally.



      The server with Redis has this configured for iptables -S



      -P INPUT ACCEPT
      -P FORWARD ACCEPT
      -P OUTPUT ACCEPT
      -N FORWARD_IN_ZONES
      -N FORWARD_IN_ZONES_SOURCE
      -N FORWARD_OUT_ZONES
      -N FORWARD_OUT_ZONES_SOURCE
      -N FORWARD_direct
      -N FWDI_public
      -N FWDI_public_allow
      -N FWDI_public_deny
      -N FWDI_public_log
      -N FWDO_public
      -N FWDO_public_allow
      -N FWDO_public_deny
      -N FWDO_public_log
      -N INPUT_ZONES
      -N INPUT_ZONES_SOURCE
      -N INPUT_direct
      -N IN_public
      -N IN_public_allow
      -N IN_public_deny
      -N IN_public_log
      -N OUTPUT_direct
      -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -i lo -j ACCEPT
      -A INPUT -j INPUT_direct
      -A INPUT -j INPUT_ZONES_SOURCE
      -A INPUT -j INPUT_ZONES
      -A INPUT -m conntrack --ctstate INVALID -j DROP
      -A INPUT -j REJECT --reject-with icmp-host-prohibited
      -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      -A FORWARD -i lo -j ACCEPT
      -A FORWARD -j FORWARD_direct
      -A FORWARD -j FORWARD_IN_ZONES_SOURCE
      -A FORWARD -j FORWARD_IN_ZONES
      -A FORWARD -j FORWARD_OUT_ZONES_SOURCE
      -A FORWARD -j FORWARD_OUT_ZONES
      -A FORWARD -m conntrack --ctstate INVALID -j DROP
      -A FORWARD -j REJECT --reject-with icmp-host-prohibited
      -A OUTPUT -j OUTPUT_direct
      -A FORWARD_IN_ZONES -g FWDI_public
      -A FORWARD_OUT_ZONES -g FWDO_public
      -A FWDI_public -j FWDI_public_log
      -A FWDI_public -j FWDI_public_deny
      -A FWDI_public -j FWDI_public_allow
      -A FWDI_public -p icmp -j ACCEPT
      -A FWDO_public -j FWDO_public_log
      -A FWDO_public -j FWDO_public_deny
      -A FWDO_public -j FWDO_public_allow
      -A INPUT_ZONES -g IN_public
      -A IN_public -j IN_public_log
      -A IN_public -j IN_public_deny
      -A IN_public -j IN_public_allow
      -A IN_public -p icmp -j ACCEPT
      -A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT


      netstat -rn prints out:



      0.0.0.0         178.xxx.xxx.1   0.0.0.0         UG        0 0          0 eth0
      10.10.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
      10.136.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
      172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
      172.18.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-e071bb9e15A
      178.xxx.xxx.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0


      Is there anything misconfigured here, and how can I fix it so that remote servers can connect to port 6379?










      share|improve this question














      I'm getting a "no route to host" error when I'm connecting a remote server to my Redis instance on another server.



      Redis is definitely running and listening on port 6379. I can connect to it locally.



      The server with Redis has this configured for iptables -S



      -P INPUT ACCEPT
      -P FORWARD ACCEPT
      -P OUTPUT ACCEPT
      -N FORWARD_IN_ZONES
      -N FORWARD_IN_ZONES_SOURCE
      -N FORWARD_OUT_ZONES
      -N FORWARD_OUT_ZONES_SOURCE
      -N FORWARD_direct
      -N FWDI_public
      -N FWDI_public_allow
      -N FWDI_public_deny
      -N FWDI_public_log
      -N FWDO_public
      -N FWDO_public_allow
      -N FWDO_public_deny
      -N FWDO_public_log
      -N INPUT_ZONES
      -N INPUT_ZONES_SOURCE
      -N INPUT_direct
      -N IN_public
      -N IN_public_allow
      -N IN_public_deny
      -N IN_public_log
      -N OUTPUT_direct
      -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -i lo -j ACCEPT
      -A INPUT -j INPUT_direct
      -A INPUT -j INPUT_ZONES_SOURCE
      -A INPUT -j INPUT_ZONES
      -A INPUT -m conntrack --ctstate INVALID -j DROP
      -A INPUT -j REJECT --reject-with icmp-host-prohibited
      -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      -A FORWARD -i lo -j ACCEPT
      -A FORWARD -j FORWARD_direct
      -A FORWARD -j FORWARD_IN_ZONES_SOURCE
      -A FORWARD -j FORWARD_IN_ZONES
      -A FORWARD -j FORWARD_OUT_ZONES_SOURCE
      -A FORWARD -j FORWARD_OUT_ZONES
      -A FORWARD -m conntrack --ctstate INVALID -j DROP
      -A FORWARD -j REJECT --reject-with icmp-host-prohibited
      -A OUTPUT -j OUTPUT_direct
      -A FORWARD_IN_ZONES -g FWDI_public
      -A FORWARD_OUT_ZONES -g FWDO_public
      -A FWDI_public -j FWDI_public_log
      -A FWDI_public -j FWDI_public_deny
      -A FWDI_public -j FWDI_public_allow
      -A FWDI_public -p icmp -j ACCEPT
      -A FWDO_public -j FWDO_public_log
      -A FWDO_public -j FWDO_public_deny
      -A FWDO_public -j FWDO_public_allow
      -A INPUT_ZONES -g IN_public
      -A IN_public -j IN_public_log
      -A IN_public -j IN_public_deny
      -A IN_public -j IN_public_allow
      -A IN_public -p icmp -j ACCEPT
      -A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT


      netstat -rn prints out:



      0.0.0.0         178.xxx.xxx.1   0.0.0.0         UG        0 0          0 eth0
      10.10.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
      10.136.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
      172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
      172.18.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-e071bb9e15A
      178.xxx.xxx.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0


      Is there anything misconfigured here, and how can I fix it so that remote servers can connect to port 6379?







      linux networking iptables






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Jan 25 at 0:39









      AAAAAA

      1093




      1093






















          1 Answer
          1






          active

          oldest

          votes


















          0














          From the chain names, your configuration is using firewalld which uses iptables as backend and generates iptables rules from its own configuration. Redhat provides a lot of documentation for its usage. For your case, providing access should be done with:



          firewall-cmd --add-port=6379/tcp


          This will probably be reflected like this in the iptables rules:



          # iptables -S -t filter | grep -w 6379
          -A IN_public_allow -p tcp -m tcp --dport 6379 -m conntrack --ctstate NEW -j ACCEPT


          This will grant temporarily access to redis running on the host. If you think you made a mistake, you can revert the configuration with:



          firewall-cmd --reload


          Once fine with the results, you can run again the same comment with the additonal option --permanent to write the configuration instead of altering the rules, like this for a permanent setting:



          firewall-cmd --permanent --add-port=6379/tcp


          For later, you always need two commands to alter it permanently: once for the configuration, once for the running firewall (a firewall-cmd --reload after a firewall-cmd --permanent ... is good enough).






          share|improve this answer
























          • This solution assumes the redis service is really visible on the host, with a socket opened on the host, not only for example just inside Docker.

            – A.B
            Jan 27 at 12:10













          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "3"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1398152%2fno-route-to-host-for-port-6379%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          0














          From the chain names, your configuration is using firewalld which uses iptables as backend and generates iptables rules from its own configuration. Redhat provides a lot of documentation for its usage. For your case, providing access should be done with:



          firewall-cmd --add-port=6379/tcp


          This will probably be reflected like this in the iptables rules:



          # iptables -S -t filter | grep -w 6379
          -A IN_public_allow -p tcp -m tcp --dport 6379 -m conntrack --ctstate NEW -j ACCEPT


          This will grant temporarily access to redis running on the host. If you think you made a mistake, you can revert the configuration with:



          firewall-cmd --reload


          Once fine with the results, you can run again the same comment with the additonal option --permanent to write the configuration instead of altering the rules, like this for a permanent setting:



          firewall-cmd --permanent --add-port=6379/tcp


          For later, you always need two commands to alter it permanently: once for the configuration, once for the running firewall (a firewall-cmd --reload after a firewall-cmd --permanent ... is good enough).






          share|improve this answer
























          • This solution assumes the redis service is really visible on the host, with a socket opened on the host, not only for example just inside Docker.

            – A.B
            Jan 27 at 12:10


















          0














          From the chain names, your configuration is using firewalld which uses iptables as backend and generates iptables rules from its own configuration. Redhat provides a lot of documentation for its usage. For your case, providing access should be done with:



          firewall-cmd --add-port=6379/tcp


          This will probably be reflected like this in the iptables rules:



          # iptables -S -t filter | grep -w 6379
          -A IN_public_allow -p tcp -m tcp --dport 6379 -m conntrack --ctstate NEW -j ACCEPT


          This will grant temporarily access to redis running on the host. If you think you made a mistake, you can revert the configuration with:



          firewall-cmd --reload


          Once fine with the results, you can run again the same comment with the additonal option --permanent to write the configuration instead of altering the rules, like this for a permanent setting:



          firewall-cmd --permanent --add-port=6379/tcp


          For later, you always need two commands to alter it permanently: once for the configuration, once for the running firewall (a firewall-cmd --reload after a firewall-cmd --permanent ... is good enough).






          share|improve this answer
























          • This solution assumes the redis service is really visible on the host, with a socket opened on the host, not only for example just inside Docker.

            – A.B
            Jan 27 at 12:10
















          0












          0








          0







          From the chain names, your configuration is using firewalld which uses iptables as backend and generates iptables rules from its own configuration. Redhat provides a lot of documentation for its usage. For your case, providing access should be done with:



          firewall-cmd --add-port=6379/tcp


          This will probably be reflected like this in the iptables rules:



          # iptables -S -t filter | grep -w 6379
          -A IN_public_allow -p tcp -m tcp --dport 6379 -m conntrack --ctstate NEW -j ACCEPT


          This will grant temporarily access to redis running on the host. If you think you made a mistake, you can revert the configuration with:



          firewall-cmd --reload


          Once fine with the results, you can run again the same comment with the additonal option --permanent to write the configuration instead of altering the rules, like this for a permanent setting:



          firewall-cmd --permanent --add-port=6379/tcp


          For later, you always need two commands to alter it permanently: once for the configuration, once for the running firewall (a firewall-cmd --reload after a firewall-cmd --permanent ... is good enough).






          share|improve this answer













          From the chain names, your configuration is using firewalld which uses iptables as backend and generates iptables rules from its own configuration. Redhat provides a lot of documentation for its usage. For your case, providing access should be done with:



          firewall-cmd --add-port=6379/tcp


          This will probably be reflected like this in the iptables rules:



          # iptables -S -t filter | grep -w 6379
          -A IN_public_allow -p tcp -m tcp --dport 6379 -m conntrack --ctstate NEW -j ACCEPT


          This will grant temporarily access to redis running on the host. If you think you made a mistake, you can revert the configuration with:



          firewall-cmd --reload


          Once fine with the results, you can run again the same comment with the additonal option --permanent to write the configuration instead of altering the rules, like this for a permanent setting:



          firewall-cmd --permanent --add-port=6379/tcp


          For later, you always need two commands to alter it permanently: once for the configuration, once for the running firewall (a firewall-cmd --reload after a firewall-cmd --permanent ... is good enough).







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Jan 27 at 12:09









          A.BA.B

          1,3781511




          1,3781511













          • This solution assumes the redis service is really visible on the host, with a socket opened on the host, not only for example just inside Docker.

            – A.B
            Jan 27 at 12:10





















          • This solution assumes the redis service is really visible on the host, with a socket opened on the host, not only for example just inside Docker.

            – A.B
            Jan 27 at 12:10



















          This solution assumes the redis service is really visible on the host, with a socket opened on the host, not only for example just inside Docker.

          – A.B
          Jan 27 at 12:10







          This solution assumes the redis service is really visible on the host, with a socket opened on the host, not only for example just inside Docker.

          – A.B
          Jan 27 at 12:10




















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Super User!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1398152%2fno-route-to-host-for-port-6379%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Сан-Квентин

          8-я гвардейская общевойсковая армия

          Алькесар