Configure Linux firewall for Jira applications
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Atlassian applications allow the use of Firewalls within our products, however Atlassian Support does not provide assistance for configuring it. Consequently, Atlassian cannot guarantee providing any support for it.
- If assistance with configuration is required, please raise a question on Atlassian Answers.
Purpose
This documentation describes how to allow JIRA to run behind a Firewall (Iptables) on Linux.
Verifying the Firewall rules
1- To make sure your firewall is enabled, run the following command (will also show the active rules):
iptables -nL2 - Allowing the JIRA's port to be reached behind the firewall:
iptables -I INPUT -p tcp --dport 8080 -j ACCEPT
iptables -I FORWARD -p tcp --dport 8080 -j ACCEPT
iptables -P OUTPUT ACCEPT3 - Add these lines if you are running JIRA on port 8443:
iptables -I INPUT -p tcp --dport 8443 -j ACCEPT
iptables -I FORWARD -p tcp --dport 8443 -j ACCEPT4 - Allowing connections to JIRA from itself (to ensure you don't run into problems with gadget titles showing as __MSG_gadget)
iptables -t nat -I OUTPUT -p tcp -o lo --dport 80 -j REDIRECT --to-ports 80805 - Allowing the forward connections:
Add the following line on /etc/sysctl.conf
net.ipv4.ip_forward = 16 - To save the current rules, run the following command
service iptables save7 - The last thing to do is restart the iptables service
service iptables reloadIf you are running Centos 7, the management of firewall has changed. To disable the firewall follow the steps below:
Solution
Disable Firewalld
To disable firewalld, run the following command as root:
systemctl disable firewalldStop Firewalld
To stop firewalld, run the following command as root:
systemctl stop firewalldCheck the Status of Firewalld
To check the status of firewalld, run the following command as root:
systemctl status firewalldIf you prefer to keep Firewalld active, there are a few more steps to be taken:
Verifying the firewall rules on Firewalld
1- Allowing ports
Allow ports in permanent configuration (takes effect upon restart)
firewall-cmd --permanent --add-port=8080/tcp
firewall-cmd --permanent --add-port=8443/tcpAllow ports temporarily (effective immediately, reverts to permanent configuration upon restart)
firewall-cmd --add-port=8080/tcp
firewall-cmd --add-port=8443/tcp
2- Add services
Allow ports in permanent configuration (takes effect upon restart):
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=httpsAllow ports temporarily (effective immediately, reverts to permanent configuration upon restart):
firewall-cmd --add-service=http
firewall-cmd --add-service=https3- Configure forwarding
To finish, the following commands are required to configure the forwarding:
Change in permanent configuration (takes effect upon restart):
firewall-cmd --permanent --add-masquerade
firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 1 -p tcp -d 127.0.0.1 --dport 443 -j REDIRECT --to-ports 8443
firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 1 -p tcp -d <jira-public-ip> --dport 443 -j REDIRECT --to-ports 8443Change temporarily (effective immediately, reverts to permanent configuration upon restart):
firewall-cmd --add-masquerade
firewall-cmd --direct --add-rule ipv4 nat OUTPUT 1 -p tcp -d 127.0.0.1 --dport 443 -j REDIRECT --to-ports 8443
firewall-cmd --direct --add-rule ipv4 nat PREROUTING 1 -p tcp -d <jira-public-ip> --dport 443 -j REDIRECT --to-ports 8443