7

I have just created an EC2 instance on a brand new AWS account, behind a security group, and loaded some software on it. I am running Sinatra on the machine on port 4567 (currently), and have opened that port in my security group to the whole world. Further, I am able to ssh into the EC2 instance, but I cannot connect on port 4567. I am using the public IP to connect:

shakuras:~ tyler$ curl **.***.**.***:22
SSH-2.0-OpenSSH_6.2p2 Ubuntu-6ubuntu0.1
curl: (56) Recv failure: Connection reset by peer
shakuras:~ tyler$ curl **.***.**.***:4567
curl: (7) Failed connect to **.***.**.***:4567; Connection refused

But my webserver is running, since I can see the site when I curl from localhost:

ubuntu@ip-172-31-8-160:~$ curl localhost:4567
Hello world! Welcome

I thought it might be the firewall but I ran iptables and got:

ubuntu@ip-172-31-8-160:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I'm pretty lost on what is going on here. Why can't I connect from the outside world?

trlemburg
  • What interface is the web server listening on? – ajtrichards Mar 11 '14 at 19:04
  • You allocated and associated an elastic IP with this EC2 instance? – user602525 Mar 11 '14 at 19:41
  • I did use an elastic IP for this EC2 instance, yes. As far as the interface, I believe that is correct. netstat -an returns Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 127.0.0.1:4567 0.0.0.0:* LISTEN so I'm pretty sure it's listening to the right stuff there – trlemburg Mar 11 '14 at 19:55
  • Just curious, but if you change it to another port, like 80 or something and open that open, then can you connect? Lastly, "have you tried turning it off and on again?" – user602525 Mar 11 '14 at 20:01
  • Yep, I tried both of those. – trlemburg Mar 11 '14 at 20:16
  • And this machine isn't in a private subnet on a VPC? – user602525 Mar 11 '14 at 21:01
  • @user602525 This machine is in a standard Amazon VPC. I thought this might be the problem but I can't see anywhere in those settings where I'm supposed to forward a port or anything...reading Amazon's docs seems to indicate that the VPC will translate to the appropriate private IP automatically. – trlemburg Mar 12 '14 at 14:13

5 Answers

3

Are you sure that the web server is listening on other interfaces than localhost? Check the output of netstat -an | grep 4567

If it isn't listening on 0.0.0.0 then that is the cause.

RasmusW
  • I think it is, the result of that command was ubuntu@ip-172-31-8-160:~$ netstat -an | grep 4567 tcp 0 0 127.0.0.1:4567 0.0.0.0:* LISTEN – trlemburg Mar 11 '14 at 19:51
2

You are listening on 127.0.0.1 based on your netstat command. The output should look something like this:

tcp        0      0 :::8080                     :::*                        LISTEN

Can you post your Sinatra configs? What are you using to start it?

Rico
  • No Sinatra configs, my app is literally `require 'sinatra'; get '/' do 'hello world' end` and I'm running it with `ruby app.rb`. Just trying to get this to work before making it more complicated. – trlemburg Mar 12 '14 at 14:14
  • This was the issue, I needed -o 0.0.0.0 on this command. Thank you. :) – trlemburg Mar 12 '14 at 14:18
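The check RasmusW and Rico describe, as an added example that is not part of the original question or any answer: a small Ruby script that parses `netstat -an` style output and reports, for a given TCP port, whether the listener is bound to loopback only (unreachable from outside regardless of the security group) or to a wildcard address. The netstat lines embedded below are constructed to mirror the thread (127.0.0.1:4567 for the Sinatra app, 0.0.0.0:22 for sshd); the function names `parse_listeners`, `bind_status` and `explain` are this example's own.

```ruby
# Added example, not the asker's code: classify what a TCP listener is bound to
# from netstat -an output, so "connection refused from outside, works on
# localhost" can be separated from a security-group problem.

# Addresses only the local host can reach.
LOOPBACK_ADDRS = %w[127.0.0.1 ::1 localhost].freeze
# Addresses that mean "every interface".
WILDCARD_ADDRS = %w[0.0.0.0 :: *].freeze

# Constructed sample of `netstat -an` output (Linux net-tools layout).
SAMPLE_NETSTAT = <<~NETSTAT
  Active Internet connections (servers and established)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State
  tcp        0      0 127.0.0.1:4567          0.0.0.0:*               LISTEN
  tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
  tcp        0      0 172.31.8.160:22         203.0.113.5:51022       ESTABLISHED
  tcp6       0      0 :::8080                 :::*                    LISTEN
NETSTAT

# Returns [{proto:, addr:, port:}, ...] for every TCP line in LISTEN state.
# The port is taken after the last ':' so IPv6 forms such as ":::8080" parse.
def parse_listeners(netstat_output)
  netstat_output.each_line.filter_map do |line|
    fields = line.split
    next unless fields.size >= 6 && fields[0].start_with?('tcp') && fields[5] == 'LISTEN'
    local = fields[3]
    sep = local.rindex(':')
    next if sep.nil?
    { proto: fields[0], addr: local[0...sep], port: local[(sep + 1)..].to_i }
  end
end

# One of :not_listening, :loopback_only, :all_interfaces or :specific_address.
def bind_status(netstat_output, port)
  addrs = parse_listeners(netstat_output).select { |e| e[:port] == port }.map { |e| e[:addr] }
  return :not_listening if addrs.empty?
  return :all_interfaces if addrs.any? { |a| WILDCARD_ADDRS.include?(a) }
  return :loopback_only if addrs.all? { |a| LOOPBACK_ADDRS.include?(a) }
  :specific_address
end

# Human-readable verdict; the -o 0.0.0.0 hint is the fix confirmed in the thread.
def explain(netstat_output, port)
  case bind_status(netstat_output, port)
  when :not_listening  then "port #{port}: nothing is listening; the server is not running"
  when :loopback_only  then "port #{port}: bound to loopback only; unreachable from outside (Sinatra: ruby app.rb -o 0.0.0.0)"
  when :all_interfaces then "port #{port}: bound to all interfaces; if still unreachable, check the security group / NACL"
  else                      "port #{port}: bound to a specific interface address; confirm it is the instance's private IP"
  end
end

[4567, 22, 8080, 80].each { |p| puts explain(SAMPLE_NETSTAT, p) }
```

To run it against a live box, replace `SAMPLE_NETSTAT` with the output of `netstat -an` (or `ss -ltn`, whose column layout differs and would need the field indexes adjusted). A `:loopback_only` result means no security-group change will help until the application itself binds to 0.0.0.0 or the instance's private address.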
2

This sounds like an issue with the Sinatra binding. You could check this and this and even this link, which talks about binding Sinatra to all IP addresses.

slayedbylucifer
  • For future readers, even though I wasn't doing anything with Sinatra, this was still my problem: the application I was running was only bound to the loopback address. The moral of the story is: check with netstat before blaming AWS security groups! – Wildcard May 04 '17 at 02:00
0

This does not work on a simple Amazon AMI, with installation as shown in http://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-install.html

Steps 1, 2, 3 work (agent installation and starting the daemon) as shown

[ec2-user@ip-<ip> ~]$ curl http://localhost:51678/v1/metadata
curl: (7) Failed to connect to localhost port 51678: Connection refused

In fact netstat shows some listening TCP ports, but none able to connect, definitely not 51678 TCP.

RajDev
  • Found the answer for this; the AWS documents did not help. You will get this error because the ECS agent is unable to execute and call the ECS service. This will only work if the IAM role is set, i.e. when the agent is able to execute with ECS privileges. For me it worked, hope it helps others. – RajDev Aug 23 '16 at 02:43
0

If you're using Amazon EC2 and have made sure that you have a security rule in Custom TCP for 0.0.0.0 in security groups, and still can't connect, try adding 0.0.0.0 to the first line of /etc/hosts by

sudo vim /etc/hosts
//or
sudo nano /etc/hosts

adding a space after the last IP on the first line, so that it looks like

127.0.0.1 localhost 0.0.0.0

Val