Fedora 35 firewalld add port and service problem - fedora

Hello i just installeed Fedora and I'm trying to open the port 20190
I do everything just as normal but when i use firewall-cmd --list-all to see if the port is opened, i see nothing !!!
This is what i do to open the port
firewall-cmd --zone=public --permanent --add-port=20190/tcp
Then i reload it
firewall-cmd --reload
Then this is the firewall-cmd --list-all result which my ports is empty !!!!!!
FedoraServer (active)
target: default
icmp-block-inversion: no
interfaces: eno1
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

you are adding the port 20190 to the zone public.
By default, --list-all default to the "default zone (FedoraServer)". See the target in default in your output.
Explicitly mention public to see the rules for the zone "public" like below
firewall-cmd --list-all --zone=public
Additional tip:
If you want to make public as the default zone, use
firewall-cmd --set-default-zone=public

Related

OCI not able to access public ip

enter image description here
I create a OCI Instance and got a Public IP, I configure the webserver with the allowed ports number. but not able to access web server with ip, when I check with putty able to log in and check with ifconfig but dint finds any public ip.
You Need to allow Traffic through the Firewall...install "firewall-cmd" then
Run the following command to allow traffic on port 80:
sudo firewall-cmd --permanent --zone=public --add-service=http
Run the following command to allow traffic on port 443:
sudo firewall-cmd --permanent --zone=public --add-service=https
Run the following command to save the firewalld rules:
sudo firewall-cmd --reload

Opening a specific port in Oracle Cloud - Ubuntu 18

The above one seems like an easy question, but believe me I have tried multiple methods but all seems to be in vain
For example : Port is 8080
1st - I followed many oracle docs and tried opening port 8080, but failed miserably
2nd - I followed another stack overflow posts - Opening port 80 on Oracle Cloud Infrastructure Compute node
Opening port 19132 on an Oracle compute instance (ubuntu-20.04)
still no success
3rd - I followed these oracle instructions and tried to open up the port - https://docs.cloud.oracle.com/en-us/iaas/developer-tutorials/tutorials/apache-on-ubuntu/01oci-ubuntu-apache-summary.htm
but not working -> to my surprise, when I tried port no 80 with the same method,it worked well..but not working for any other port at all
In short : ** I enabled port 8080 in Security rules in VNC - didnt work
** I tried ,installing firewalld and allowing through that -> didnt work for me
** Tried this -> didnt work
iptables -I INPUT 5 -i ens3 -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
So I was hoping someone else can find me a solution Please to open up a port, or is there any way to completely disable my firewall so that I can use any port at all - currently I am able to listen to only port 80 from outside
Thank you
Ubuntu images in Oracle Cloud seem to have this 'strange' (compared to other clouds) behavior by default where you need to explicitly enable incoming traffic in the VM:
sudo iptables -I INPUT -j ACCEPT
Then you need to make this permanent:
sudo iptables-save -f /etc/iptables/rules.v4
To open a certain port it may require creating a security application specific to the port before creating the security rule. Please refer to this walkthru on it if you haven't already - https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/compute/permitting_public_tcp_traffic_to_compute_instances/permitting_public_tcp_traffic_to_compute_instances.html
I am using Oracle Linux and this worked for me.
First add a new rule inside the default security list(see the link below)
firewall-cmd --permanent --zone=public --add-port=8080/tcp
firewall-cmd --reload
Reference : OCI: Amend Firewall Rules
In your case, you have Ubuntu instead of Oracle Linux, so you could try the above two commands as per Ubuntu and check if it works.

Can't let firewall pass port 8065 at Oracle Cloud

I'm setting up the service at Oracle Free Tier service; the service is up and running on local interfaces, but I can't reach it from outside (via public IP) on port 8065.
No firewall rules on Ubuntu machine, Oracle firewall is configured and says "TCP traffic for ports: 8065". Exact same (build-in) rule works just fine.
Oracle's Ubuntu default image, Linux's firewall seems to be disabled:
$ sudo ufw status
Status: inactive
I'm getting "Connection refused" (TCP level) from outside, when trying to connect.
Any help would be much appreciated.
it's turned out that a posted answer works - as an Oracle's Ubuntu instance use iptables, so, you need not only to work on the cloud's firewall and ufw, but on iptables level as well, quoting related answer:
Opening port 80 on Oracle Cloud Infrastructure Compute node
Oracle Ubuntu have in build iptables rules in Ubuntu20, you have two choice
enable ufw
sudo ufw allow HTTP
sudo ufw enable
sudo systemctl enable ufw
disable ufw and config iptables
Sometimes ufw is not Compatible with iptables in Ubuntu20
such as, if you use mosh need open udp port 60000-61000
detele /etc/iptables/rules.v4 and v6

Can't connect to port 80 on Google Cloud Compute instance despite firewall rule

In summary, although I've set a firewall rule that allows tcp:80, my GCE instance, which is on the "default" network, is not accepting connections to port 80. It appears only port 22 is open on my instance. I can ping it, but can't traceroute to it in under 64 hops.
What follows is my investigation that led me to those conclusions.
gcloud beta compute firewall-rules list
NAME NETWORK DIRECTION PRIORITY ALLOW DENY
default-allow-http default INGRESS 1000 tcp:80
default-allow-https default INGRESS 1000 tcp:443
default-allow-icmp default INGRESS 65534 icmp
default-allow-internal default INGRESS 65534 tcp:0-65535,udp:0-65535,icmp
default-allow-rdp default INGRESS 65534 tcp:3389
default-allow-ssh default INGRESS 65534 tcp:22
temp default INGRESS 1000 tcp:8888
gcloud compute instances list
NAME ZONE MACHINE_TYPE PREEMPTIBLE INTERNAL_IP EXTERNAL_IP STATUS
ssrf3 us-west1-c f1-micro true 10.138.0.4 35.197.33.182 RUNNING
gcloud compute instances describe ssrf3
...
name: ssrf3
networkInterfaces:
- accessConfigs:
- kind: compute#accessConfig
name: external-nat
natIP: 35.197.33.182
type: ONE_TO_ONE_NAT
kind: compute#networkInterface
name: nic0
network: https://www.googleapis.com/compute/v1/projects/hack-170416/global/networks/default
networkIP: 10.138.0.4
subnetwork: https://www.googleapis.com/compute/v1/projects/hack-170416/regions/us-west1/subnetworks/default
...
tags:
fingerprint: 6smc4R4d39I=
items:
- http-server
- https-server
I ssh into 35.197.33.182 (which is the ssrf3 instance) and run:
sudo nc -l -vv -p 80
On my local machine, I run:
nc 35.197.33.182 80 -vv
hey
but nothing happens.
So I try to ping the host. That looks healthy:
ping 35.197.33.182
PING 35.197.33.182 (35.197.33.182): 56 data bytes
64 bytes from 35.197.33.182: icmp_seq=0 ttl=57 time=69.172 ms
64 bytes from 35.197.33.182: icmp_seq=1 ttl=57 time=21.509 ms
Traceroute quits after 64 hops, without reaching the 35.197.33.182 destination.
So I check which ports are open with nmap:
nmap 35.197.33.182
Starting Nmap 7.12 ( https://nmap.org ) at 2017-06-18 16:39 PDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.06 seconds
nmap 35.197.33.182 -Pn
Starting Nmap 7.12 ( https://nmap.org ) at 2017-06-18 16:39 PDT
Nmap scan report for 182.33.197.35.bc.googleusercontent.com (35.197.33.182)
Host is up (0.022s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 6.84 seconds
… even when I’m running nc -l -p 80 on 35.197.33.182.
Ensure that VM level firewall is not intervening. For example, Container-Optimized OS is a bit special in comparison to all other default images:
By default, the Container-Optimized OS host firewall allows only outgoing connections, and accepts incoming connections only through the SSH service. To accept incoming connections on a Container-Optimized OS instance, you must open the ports your services are listening on.
https://cloud.google.com/container-optimized-os/docs/how-to/firewall
Checking the two check boxes "Allow HTTP traffic" and "Allow HTTPS traffic" did the trick. This created two Firewall rules, that opened the ports 80 and 443.
Manually adding rules for those port didn't work for some reason, but it worked with checking the boxes.
On a quick glance, your setup seems to be correct.
You have allowed INGRESS tcp:80 for all instances in the default network.
Your VM is on the default network.
Traceroute will not give a good indication when you have VMs running on Cloud providers, because of the use of SDNs, virtual networks and whole bunch of intermediate networking infrastructure unfortunately.
One thing I notice is that your instance has 2 tags http-server and https-server. These could be used by some other firewall rules possibly which is somehow blocking traffic to your VM's tcp:80 port.
There are other variables in your setup and I'm happy to debug if needed further.
Tag based firewall rules
You can try tag based firewall rules which will apply the firewall rule only to instances which have the specified target tag.
Network tags are used by networks to identify which instances are
subject to certain firewall rules and network routes. For example, if
you have several VM instances that are serving a large website, tag
these instances with a shared word or term and then use that tag to
apply a firewall rule that allows HTTP access to those instances. Tags
are also reflected in the metadata server, so you can use them for
applications running on your instances. When you create a firewall
rule, you can provide either sourceRanges or sourceTags but not both.
# Add a new tag based firewall rule to allow ingress tcp:80
gcloud compute firewall-rules create rule-allow-tcp-80 --source-ranges 0.0.0.0/0 --target-tags allow-tcp-80 --allow tcp:80
# Add the allow-tcp-80 target tag to the VM ssrf3
gcloud compute instances add-tags ssrf3 --tags allow-tcp-80
It might take a few seconds to couple of minutes for the changes to take effect.
NOTE: Since you're opening up ports of VM's external IPs to the internet, take care to restrict access accordingly as per the needs of your application running on these ports.
After lots of trail and error, the following worked for me on ubuntu-1404-trusty-v20190514
, with a nodejs app listening on port 8080. Accept port 80 and 8080, and then redirect 80 to 8080.
sudo iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp --dport 8080 -j ACCEPT
sudo iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
Incase you are a windows server instance , You could try to turn off the Windows Defender and check if it's blocking the incoming connection.

Can't save iptables rule on Google Cloud VM instance (CentOS 7)

I'm running Tomcat8 on CentOS7 in Google VM instance on port 8080.
I setup the iptables rule to map all external connections to port 80 to 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
After that I save the rule with
service iptables save
Tomcat works fine and accessible from outside via port 80.
The rule is saved in /etc/sysconfig/iptables.
...
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
...
but after server reboot the rule is not applied.
It's still in the file /etc/sysconfig/iptables but not in action when I run
iptables-save
It seems that iptables rules are restored from somewhere else.
How can I persist the rule properly to preserve it after reboot?
In order to resolve the issue with IPtables you can do the following:
yum install iptables-services
systemctl mask firewalld
systemctl enable iptables
systemctl enable ip6tables
systemctl stop firewalld
systemctl start iptables
systemctl start ip6tables
However, Centos7 is using FirewallD now instead. In order to apply the firewall, you need to check first what are the available zones and which zones are active on FirewallD by running these commands:
firewall-cmd --list-all-zones
firewall-cmd --get-active-zones
If public zone is active for example, you can run these commands to enable port forwarding (port 80 to 8080 in your case):
firewall-cmd --zone=public --add-masquerade --permanent
firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080 --permanent
Once done, you can reload the rules to make sure everything is OK by running this command:
firewall-cmd --reload
You can check man firewall-cmd for more information.