Unable to open firewall port for external traffic.

Below is what I did to open the firewall port on

[root@vultr ~]# sudo firewall-cmd --zone=public --add-port=27012/tcp --permanent
Warning: ALREADY_ENABLED: 27012:tcp
success
[root@vultr ~]# sudo firewall-cmd --reload
success
[root@vultr ~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh http https
  ports: 80/tcp 27012/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[root@vultr ~]# uname -a
Linux vultr.guest 3.10.0-862.14.4.el7.x86_64 #1 SMP Wed Sep 26 15:12:11 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

When I telnet to the server's IP:port it fails

telnet 45.76.142.202 27012
Connecting To 45.76.142.202...Could not open connection to the host, on port 27012: Connect failed

It does, however, connect to port 80

telnet 45.76.142.202 80

Can you please help me get firewall port 27012 to connect externally, just the way port 80 is connecting?

Maybe post the output of:

firewall-cmd --list-all-zones

or use a similar command to dump the entire rule set?

[root@vultr ~]# firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


external
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh mdns samba-client dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh mdns samba-client dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh http https
  ports: 27017/tcp 80/tcp 27012/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

What process is running on port 27012 on your server?

Mongo DB -> Open Source Document Database | MongoDB

You changed from the default ports, right?

The following table lists the default TCP ports used by MongoDB:

Default Port   Description
27017          The default port for mongod and mongos instances. You can change this port with port or --port.
27018          The default port for mongod when running with the --shardsvr command-line option or the shardsvr value for the clusterRole setting in a configuration file.
27019          The default port for mongod when running with the --configsvr command-line option or the configsvr value for the clusterRole setting in a configuration file.

Anyway, if you are running a DB on this port, normally sys admins only bind the DB to localhost or 127.0.0.1 for security reasons.

Do something like netstat -an | grep 27012 and post the output. Thanks.

Per my note above, you need to check to see if your DB is bound to localhost or to your IP address.

If it is bound to localhost (127.0.0.1) you will not be able to telnet to that port using the IP address you were using.

Check your config for:

bind_ip: 127.0.0.1
netstat -an | grep 27017
tcp        0      0 127.0.0.1:27012         0.0.0.0:*               LISTEN
unix  2      [ ACC ]     STREAM     LISTENING     6534678  /tmp/mongodb-27012.sock

Yes that is why you cannot telnet to that port from the IP address you provided.

Your DB is bound to 127.0.0.1, as mentioned.

Neo helped resolve the issue. Changing MongoDB port to 0.0.0.0 and restarting works fine.

Thanks for the update.

I do not advise binding your DB to 0.0.0.0 or your server's IP address because this can open up your DB to outside attackers.

Normally, web admins bind the DB to localhost so only processes which originate on the localhost can access the DB, for security reasons.

In other words, for security reasons, you should design your system so you do not need to telnet or otherwise remotely connect to your DB.
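The two checks the thread walks through (is the service bound to loopback, and what does the config say) can be scripted so the same question is answered without guessing. The script below is an added example for this thread, not something any of the posters ran; the netstat lines and the mongod.conf excerpt it feeds itself are constructed to mirror the thread, and the function names (listener_scope, config_bind_ip, explain) are my own. It tells apart "nothing listening", "loopback only" and "every interface", which is exactly the distinction between a firewall problem and a bind-address problem.

```shell
#!/bin/sh
# Added example (not from the thread). Classify where a TCP listener is bound
# using `netstat -an` style output, and read the bind address from a mongod
# config. Sample data below is constructed to match the thread.

# listener_scope PORT
# Reads `netstat -an` output on stdin. Prints one of:
#   none      no TCP listener on that port
#   loopback  only 127.0.0.1 / ::1 listen (remote connects fail at the socket)
#   all       0.0.0.0 / :: listen (reachable from outside once firewall allows)
#   <addr>    a specific non-loopback address
# If several listeners share the port, the most exposed one wins.
listener_scope() {
  awk -v port="$1" '
    $1 ~ /^tcp/ && $NF == "LISTEN" {
      n = split($4, a, ":")                         # local addr:port is field 4
      if (a[n] != port) next
      addr = substr($4, 1, length($4) - length(a[n]) - 1)   # strip ":port"
      if (addr == "0.0.0.0" || addr == "::") rank = 3
      else if (addr == "127.0.0.1" || addr == "::1") rank = 1
      else rank = 2
      if (rank > best) { best = rank; bestaddr = addr }
    }
    END {
      if (best == 3) print "all"
      else if (best == 2) print bestaddr
      else if (best == 1) print "loopback"
      else print "none"
    }'
}

# config_bind_ip
# Reads a mongod config on stdin and prints the bind address, accepting both
# the old ini style (bind_ip = ...) and the YAML style (bindIp: ...).
config_bind_ip() {
  awk '
    /^[[:space:]]*#/ { next }                        # skip comments
    /^[[:space:]]*bind_ip[[:space:]]*=/ { sub(/^[[:space:]]*bind_ip[[:space:]]*=[[:space:]]*/, ""); print; exit }
    /^[[:space:]]*bindIp[[:space:]]*:/  { sub(/^[[:space:]]*bindIp[[:space:]]*:[[:space:]]*/,  ""); print; exit }
  '
}

# explain PORT SCOPE
# Turns the classification into the diagnosis the thread arrived at.
explain() {
  case "$2" in
    none)     echo "port $1: nothing listening; the firewall rule is moot until a service binds" ;;
    loopback) echo "port $1: loopback only; remote telnet fails at the socket, not the firewall (the right setting for a database)" ;;
    all)      echo "port $1: bound on every interface; reachable remotely once the firewall allows it, so restrict it" ;;
    *)        echo "port $1: bound to $2 only" ;;
  esac
}

# Constructed sample data (mirrors the thread: mongod on 27012 bound to loopback,
# a web server on 80 bound everywhere).
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:27012         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
unix  2      [ ACC ]     STREAM     LISTENING     6534678  /tmp/mongodb-27012.sock'

SAMPLE_CONF='# constructed mongod.conf excerpt
net:
  port: 27012
  bindIp: 127.0.0.1'

# Usage: on a real host replace the sample with `netstat -an` (or `ss -ltn`
# reformatted) and the real config file.
for p in 27012 80; do
  explain "$p" "$(printf '%s\n' "$SAMPLE_NETSTAT" | listener_scope "$p")"
done
echo "config bind address: $(printf '%s\n' "$SAMPLE_CONF" | config_bind_ip)"
```

The classification is what decides the next step: "loopback" means leave the firewall alone and reach the database from a process on the host (or over SSH), which is the closing advice above; "all" is the state to avoid for a database unless the firewall and authentication are deliberately configured for it.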