Firewall Requirements
Hypertable is a distributed application that consists of multiple processes that communicate with one another over a network. Firewalls can prevent Hypertable from working properly by blocking network traffic between the processes. This document describes the network ports used by Hypertable that must be opened in any firewall that sits between Hypertable processes.
Hypertable Network Ports
Port | Protocol | Service |
---|---|---|
15863 | TCP | DFS Broker |
15861 | TCP | Hyperspace |
15861 | UDP | Hyperspace |
15862 | TCP | Hyperspace |
15864 | TCP | Master |
15865 | TCP | Range Server |
15867 | TCP | Thrift Broker |
15860 | TCP | Monitoring UI |
Hypertable UDP Traffic
Hyperspace exchanges keepalive UDP packets with all of its clients (e.g. Application, RangeServer, Master). It listens for incoming UDP packets on port 15861 and returns a keepalive response to the originating address. By default, clients send the keepalive packet from an arbitrary ephemeral port, which can cause a problem: if your firewall has strict rules about which UDP ports it allows traffic to, it may block the keepalive responses sent back to the originating ephemeral port on the client. To force clients to send keepalive packets from a specific UDP port, say 15871, add the following line to your hypertable.cfg file and make sure UDP port 15871 is open on your firewall.
Hyperspace.Client.Datagram.SendPort=15871
iptables
iptables is the firewall that is built into the Linux kernel. If you have determined that iptables is blocking Hypertable network traffic, running a script such as the following (as root) may open up the necessary ports. Consult the iptables documentation to understand exactly what this script does and to make sure that it will, indeed, properly open up the ports.
#!/usr/bin/env bash
# Insert an ACCEPT rule at the top of the INPUT chain for each Hypertable port.
iptables -I INPUT 1 -p tcp --dport 15860 -j ACCEPT   # Monitoring UI
iptables -I INPUT 1 -p tcp --dport 15867 -j ACCEPT   # Thrift Broker
iptables -I INPUT 1 -p tcp --dport 15865 -j ACCEPT   # Range Server
iptables -I INPUT 1 -p tcp --dport 15864 -j ACCEPT   # Master
iptables -I INPUT 1 -p tcp --dport 15862 -j ACCEPT   # Hyperspace
iptables -I INPUT 1 -p tcp --dport 15861 -j ACCEPT   # Hyperspace
iptables -I INPUT 1 -p tcp --dport 15863 -j ACCEPT   # DFS Broker
iptables -I INPUT 1 -p udp --dport 15861 -j ACCEPT   # Hyperspace keepalive
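The script above accepts traffic to the Hypertable ports from any source address. The following added example (not part of the original Hypertable documentation) prints the same rules restricted to a cluster subnet, plus the optional fixed keepalive send port, so they can be reviewed before being applied. The function name `hypertable_rules`, the sample subnet 10.0.0.0/24, and the assumption that all Hypertable processes and clients share one IPv4 subnet are illustrative.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables rules that open the Hypertable
# ports only to a given source subnet. Port list taken from the table above.
HT_PORTS="15860/tcp 15861/tcp 15861/udp 15862/tcp 15863/tcp 15864/tcp 15865/tcp 15867/tcp"

# hypertable_rules CIDR [SEND_PORT]
#   CIDR       IPv4 subnet the cluster lives in (assumption: one subnet)
#   SEND_PORT  value of Hyperspace.Client.Datagram.SendPort, if configured
hypertable_rules() {
    cidr=$1
    send_port=${2:-}

    # Allow only digits, dots and a slash so nothing else reaches the rule text.
    case $cidr in
        ''|*[!0-9./]*) echo "error: bad source CIDR: '$cidr'" >&2; return 1 ;;
    esac

    if [ -n "$send_port" ]; then
        case $send_port in
            *[!0-9]*) echo "error: bad port: '$send_port'" >&2; return 1 ;;
        esac
        [ "$send_port" -ge 1 ] && [ "$send_port" -le 65535 ] || {
            echo "error: port out of range: $send_port" >&2; return 1
        }
    fi

    for entry in $HT_PORTS; do
        port=${entry%/*}     # text before the slash
        proto=${entry#*/}    # text after the slash
        echo "iptables -I INPUT 1 -s $cidr -p $proto --dport $port -j ACCEPT"
    done

    # Keepalive responses from Hyperspace arrive on the client's fixed send port.
    if [ -n "$send_port" ]; then
        echo "iptables -I INPUT 1 -s $cidr -p udp --dport $send_port -j ACCEPT"
    fi
}

# Stand-alone use: ./script.sh 10.0.0.0/24 15871   (sample values)
if [ "$#" -gt 0 ]; then
    hypertable_rules "$@"
fi
```

Review the printed rules, then run them as root; the send-port rule is only needed on hosts that run Hyperspace clients.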