
iptables Missing "Table: filter" on one Node of a BDA Cluster (Doc ID 1961763.1)

Last updated on JANUARY 17, 2015

Applies to:

Big Data Appliance Integrated Software - Version 3.0.1 and later
Linux x86-64

Symptoms

Primary Symptom

The primary symptom is that "/etc/init.d/iptables status" (i.e. "service iptables status") reports no "Table: filter" section on one node of the BDA cluster, while the nat table is still listed.

The example here considers Node 4 to be the node where "service iptables status" is missing the Table filter.

Run all commands as 'root' user.

1. On Node 4 of the cluster "service iptables status" reports output like:

# service iptables status
  
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:* to:*.*.*.4:*
2    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:* to:*.*.*.4:*
3    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:* to:*.*.*.4:*
4    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:* to:*.*.*.4:*

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination


Expected output is like:

# service iptables status
  
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:* to:*.*.*.*:*

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination


2. On all nodes of the cluster, except one (Node 4 here) "service iptables status" shows the Table: filter as expected.

Note: In general "service iptables status" will not return identical output on every node of the cluster. Not all services run on every node, so the nat (DNAT) rules and the ports they forward differ from server to server. What should be the same on every node is the set of tables listed: both "Table: filter" and "Table: nat".

For more information see the Cloudera documentation: Ports Used by Cloudera Manager and Cloudera Navigator.

From Cloudera Manager you should be able to see the roles on each server.

See where service run: Oracle Big Data Appliance Software / Service Roles Layout on V3.0.0/ V3.0.1 / V4.0.0 (Doc ID 1682581.1)

Then you can compare it to ports in: Ports Used by Cloudera Manager and Cloudera Navigator.

Additional Symptoms

1. Viewing the available firewall rules on the system with "iptables --list" shows output like:

# iptables --list
  
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


This is the expected default on the BDA: there are no filter rules, so the INPUT, FORWARD and OUTPUT chains are empty with policy ACCEPT. Note that "iptables --list" without "-t <table>" shows only the filter table, so this output says nothing about the nat rules.

2. Viewing the contents of the iptables rules with "/sbin/iptables-save" on Node 4, for example, shows the expected output, including the *filter section:

*filter
:INPUT ACCEPT [*:*]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [*:*]
COMMIT
# Completed on Fri Jan  9 15:31:15 2015
# Generated by iptables-save v1.4.7 on Fri Jan  9 15:31:15 2015
*nat
:PREROUTING ACCEPT [*:*]
:INPUT ACCEPT [*:*]
:OUTPUT ACCEPT [*:*]
:POSTROUTING ACCEPT [*:*]
-A PREROUTING -i bondeth0 -p tcp -m tcp --dport * -j DNAT --to-destination *.*.*.4:*
-A PREROUTING -i bondeth0 -p tcp -m tcp --dport * -j DNAT --to-destination *.*.*.4:*
-A PREROUTING -i bondeth0 -p tcp -m tcp --dport * -j DNAT --to-destination *.*.*.4:*
-A PREROUTING -i bondeth0 -p tcp -m tcp --dport * -j DNAT --to-destination *.*.*.4:*
COMMIT


Note: A netfilter table is only active when its kernel module is loaded (iptable_filter for the filter table, iptable_nat for the nat table). "service iptables status" lists only the tables currently registered in /proc/net/ip_tables_names, so a table whose module is not loaded does not appear in its output.

3. As an aside, you can check /etc/sysconfig/iptables (the rule file loaded by "service iptables start"), but it will only show the *nat rules. No *filter section is expected there, which is consistent with the empty filter chains above:

# more /etc/sysconfig/iptables
  
#### DO NOT REMOVE THESE LINES ####
#### %INITIALIZED FOR BDA% ####
*nat
-A PREROUTING -i bondeth0 -p tcp -m tcp --dport * -j DNAT --to-destination *.*.*.*:*
COMMIT
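The checks above (compare "service iptables status" across nodes, then confirm with "/sbin/iptables-save") can be scripted so that a node with no *filter section stands out. The following is an added example, not part of the Oracle note: it parses iptables-save output, lists the tables present, counts the rules per table, and fails for any dump without a filter table. The two sample dumps are constructed for the example (addresses from the 192.0.2.0/24 documentation range, an illustrative port), and the cluster host list path in the usage comment is an assumption about the BDA layout, not something the note states.

```bash
#!/bin/bash
# Added example: detect a missing netfilter "filter" table from iptables-save output.
# Run as root; nothing here changes any rule.

# Print the table names (*filter, *nat, ...) found in an iptables-save dump on stdin,
# space separated and sorted, e.g. "filter nat".
tables_in_save() {
    awk '/^\*/ { sub(/^\*/, ""); print }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 if the dump on stdin contains a *filter section, 1 otherwise.
has_filter_table() {
    grep -q '^\*filter$'
}

# Count the "-A" rules between "*<table>" and the COMMIT that closes it.
rules_in_table() {
    local table="$1"
    awk -v t="*$table" '
        $0 == t        { inside = 1; next }
        /^COMMIT/      { inside = 0 }
        inside && /^-A / { n++ }
        END            { print n + 0 }'
}

# Report one node's dump on a single line; exit status 1 when filter is missing.
check_node_dump() {
    local node="$1" dump="$2" tables nat_rules
    tables=$(printf '%s\n' "$dump" | tables_in_save)
    nat_rules=$(printf '%s\n' "$dump" | rules_in_table nat)
    if printf '%s\n' "$dump" | has_filter_table; then
        printf '%s: tables [%s], %s nat rule(s), filter present\n' "$node" "$tables" "$nat_rules"
        return 0
    fi
    printf '%s: tables [%s], %s nat rule(s), filter table MISSING\n' "$node" "$tables" "$nat_rules"
    return 1
}

# Constructed sample dumps modelled on the symptom: a healthy node and a node
# whose dump has no *filter section. Port and addresses are illustrative only.
GOOD_DUMP='# Generated by iptables-save v1.4.7
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i bondeth0 -p tcp -m tcp --dport 7180 -j DNAT --to-destination 192.0.2.4:7180
COMMIT'

BAD_DUMP='# Generated by iptables-save v1.4.7
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i bondeth0 -p tcp -m tcp --dport 7180 -j DNAT --to-destination 192.0.2.4:7180
-A PREROUTING -i bondeth0 -p tcp -m tcp --dport 7187 -j DNAT --to-destination 192.0.2.4:7187
COMMIT'

# Usage on a live cluster (assumed host list path, run from Node 1 as root):
#   for h in $(cat /opt/oracle/bda/cluster-hosts-infiniband); do
#       check_node_dump "$h" "$(ssh "$h" /sbin/iptables-save)"
#   done
# A node printed with "filter table MISSING" is the one to investigate.
```

Differences in the nat rule count between nodes are normal (see the note about service roles above); only a missing table name is a finding.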

 

Changes

Prior to "service iptables status" missing the filter table, the BDA rack was moved a few metres within the same data center. "service iptables status" reported the missing "Table: filter" on one cluster node after that move.

Cause




