Symptoms: Firewall Shadow Rule

  • A new microservice notification-svc on host 10.60.5.30 (port 8443) was deployed and an iptables ACCEPT rule was added to allow traffic from the API gateway subnet 10.60.10.0/24.
  • Connections from the API gateway (10.60.10.15) to 10.60.5.30:8443 are refused -- curl returns "connection refused" or times out.
  • The firewall admin confirms the ACCEPT rule exists in the iptables INPUT chain.
  • Telnet to port 8443 from within the same host (localhost) works, confirming the service is listening.
  • Other services on the same host (ports 8080, 443) are reachable from the API gateway without issues.
  • The rule was added using iptables -A INPUT (append) after the existing rules.
  • The iptables ruleset was last reviewed over a year ago and has grown to 47 rules in the INPUT chain.
  • No recent changes were made to the service or its listening configuration.
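As an added example (not part of the original page), here is a Python checker that parses `iptables -S INPUT` output and reports rules that can never match because an earlier terminating rule already covers every packet they would accept. The ruleset it inspects is constructed to mirror the symptoms above and is an assumption, not the host's real configuration.

```python
import ipaddress
import shlex
# Constructed `iptables -S INPUT` output for 10.60.5.30 (assumed, not from the page).
RULESET = """\
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.60.10.0/24 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j REJECT --reject-with tcp-reset
-A INPUT -s 10.60.10.0/24 -p tcp -m tcp --dport 8443 -j ACCEPT
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that end chain traversal

def parse_rule(line):
    """Turn one `-A CHAIN ...` line into a dict of match criteria."""
    toks = shlex.split(line)
    rule = {"src": ipaddress.ip_network("0.0.0.0/0"), "proto": None,
            "dport": None, "target": None, "extra": set()}
    i = 2  # skip "-A" and the chain name
    while i < len(toks) and rule["target"] is None:
        t, arg = toks[i], toks[i + 1]  # assumes every option takes one argument
        if t == "-s":
            rule["src"] = ipaddress.ip_network(arg, strict=False)
        elif t == "-p":
            rule["proto"] = arg
        elif t == "--dport":
            rule["dport"] = arg
        elif t == "-j":
            rule["target"] = arg  # tokens after -j are target options, not matches
        elif not (t == "-m" and arg == rule["proto"]):  # `-m tcp` only enables --dport
            rule["extra"].add((t, arg))  # e.g. -i lo, -m conntrack, --ctstate ...
        i += 2
    return rule

def shadowed_by(earlier, later):
    """True if every packet `later` could match is already decided by `earlier`."""
    return (earlier["target"] in TERMINAL
            and later["src"].subnet_of(earlier["src"])
            and earlier["proto"] in (None, later["proto"])
            and earlier["dport"] in (None, later["dport"])
            and earlier["extra"] <= later["extra"])

def find_shadowed(ruleset):
    """Yield (rule_no, shadowing_rule_no, shadowing_target) for unreachable rules."""
    rules = [parse_rule(l) for l in ruleset.splitlines() if l.startswith("-A ")]
    for n, rule in enumerate(rules, start=1):
        for m, prior in enumerate(rules[:n - 1], start=1):
            if shadowed_by(prior, rule):
                yield (n, m, prior["target"])
                break
```

On this constructed ruleset the appended ACCEPT for 8443 is reported as shadowed by the earlier REJECT, which is what produces the "connection refused" seen from the gateway (an earlier DROP would instead produce the timeout). The remedy is to place the ACCEPT above the shadowing rule with `iptables -I INPUT <position>` rather than appending it with `-A`.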