We Keep Coding

Opening a specific port in Oracle Cloud - Ubuntu 18

The above one seems like an easy question, but believe me I have tried multiple methods but all seems to be in vain
For example : Port is 8080
1st - I followed many oracle docs and tried opening port 8080, but failed miserably
2nd - I followed another stack overflow posts - Opening port 80 on Oracle Cloud Infrastructure Compute node
Opening port 19132 on an Oracle compute instance (ubuntu-20.04)
still no success
3rd - I followed these oracle instructions and tried to open up the port - https://docs.cloud.oracle.com/en-us/iaas/developer-tutorials/tutorials/apache-on-ubuntu/01oci-ubuntu-apache-summary.htm
but not working -> to my surprise, when I tried port no 80 with the same method,it worked well..but not working for any other port at all
In short : ** I enabled port 8080 in Security rules in VNC - didnt work
** I tried ,installing firewalld and allowing through that -> didnt work for me
** Tried this -> didnt work
iptables -I INPUT 5 -i ens3 -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
So I was hoping someone else can find me a solution Please to open up a port, or is there any way to completely disable my firewall so that I can use any port at all - currently I am able to listen to only port 80 from outside
Thank you

Ubuntu images in Oracle Cloud seem to have this 'strange' (compared to other clouds) behavior by default where you need to explicitly enable incoming traffic in the VM:
sudo iptables -I INPUT -j ACCEPT
Then you need to make this permanent:
sudo iptables-save -f /etc/iptables/rules.v4

To open a certain port it may require creating a security application specific to the port before creating the security rule. Please refer to this walkthru on it if you haven't already - https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/compute/permitting_public_tcp_traffic_to_compute_instances/permitting_public_tcp_traffic_to_compute_instances.html

I am using Oracle Linux and this worked for me.
First add a new rule inside the default security list(see the link below)
firewall-cmd --permanent --zone=public --add-port=8080/tcp
firewall-cmd --reload
Reference : OCI: Amend Firewall Rules
In your case, you have Ubuntu instead of Oracle Linux, so you could try the above two commands as per Ubuntu and check if it works.

Opening port 80 on Oracle Cloud Infrastructure Compute node [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 2 years ago.
The community reviewed whether to reopen this question 11 months ago and left it closed:
Original close reason(s) were not resolved
Improve this question
This is an elementary question however one I cannot seem to resolve by perusing the Oracle Cloud Infrastructure documentation. I've created an Ubuntu-based compute node, and it's attached to a subnet. In that subnet I've created a stateful rule with source 0.0.0.0/0, IP protocol: TCP, Source Port Range: All, Destination Port Range: 80.
There is no firewall configured on the server.
Despite this configuration I can't access the compute node's public IP. Any ideas?

I figured it out. The connectivity issue was due to Oracle's default use of iptables on all Oracle-provided images. Literally the very first thing I did when spinning up this instance was check ufw, presuming there were a few firewall restrictions in place. The ufw status was inactive, so I concluded the firewall was locally wide open. Because to my understanding both ufw and iptables look at the netfilter kernel firewall, and because ufw is the de facto (standard?) firewall solution on Ubuntu, I've no idea why they concluded it made sense to use iptables in this fashion. Maybe just to standardize across all images?
I learned about the rules by running:
$ sudo iptables -L
Then I saved the rules to a file so I could add the relevant ones back later:
$ sudo iptables-save > ~/iptables-rules
Then I ran these rules to effectively disable iptables by allowing all traffic through:
$ iptables -P INPUT ACCEPT
$ iptables -P OUTPUT ACCEPT
$ iptables -P FORWARD ACCEPT
$ iptables -F
To clear all iptables rules at once, run this command:
$ iptables --flush
Anyway, hope this helps somebody else out because documentation on the matter is non-existent.

When deploying compute instances at Oracle Cloud Infrastructure you need to take into account few things:
Create Internet Gateway (IGW).
Define routes to point to IGW.
Allow port 80 in the Security List associated with the IGW. By default you only have access to SSH and ICMP 3,4 type.
Allow connectivity on Compute's instance firewall (which is enabled by default).
In your example if you are using a OEL shape:
$ sudo firewall-cmd --zone=public --permanent --add-port=80/tcp
$ sudo firewall-cmd --reload

Always refer to the official guide: https://docs.cloud.oracle.com/en-us/iaas/developer-tutorials/tutorials/apache-on-ubuntu/01oci-ubuntu-apache-summary.htm
$ sudo iptables -I INPUT 6 -m state --state NEW -p tcp --dport 80 -j ACCEPT
$ sudo netfilter-persistent save
$ sudo systemctl restart apache2

credited to https://medium.com/#fathi.ria/oracle-database-cloud-open-ports-on-oci-1af24f4eb9f2
Coumputer Instance(Such as Ubuntu) -> Virtual Cloud Network -> Security List -> Ingress Rules -> Please add a rule to allow access to port 80 from anywhere

Pre-Requisite
VM instance should have been created and running
Access to Public and Private keys used during the creation of VM instance
Log into the VM using SSH and run the following command
$ sudo iptables --list --line-numbers
It will show the details about Chain INPUT (policy ACCEPT). From the list
required to Delete REJECT all rule in the IPTABLES.
$ sudo iptables -D INPUT <Reject Line number>
e.g.
$ sudo iptables -D INPUT 6
Check if the REJECT rule is deleted
sudo iptables --list --line-numbers
Access the Default Security List and Edit Ingress Rules to Allow Internet Traffic on Port
Edit the INGRES Rule Add CIDR 0.0.0.0/0 TCP Destination 9999
(N): Networking >Virtual Cloud Networks> Virtual Cloud Network Details>Security Lists> Security List Details
Access your application via web browser
Type http://<public IP address of the VM>:port

I guess if you add the rule below to your iptables it should work; otherwise you'll be disturbing other rules which are related to block volume attachment that comes preconfigured on those Oracle images.
iptables -I INPUT 5 -i ens3 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

If you have not created Internet Gateway yet, that might be the reason. In order to connect the VCN with the public internet you need to have an Internet Gateway and a route table to direct the traffic through the gateway.

Can't connect to port 80 on Google Cloud Compute instance despite firewall rule

In summary, although I've set a firewall rule that allows tcp:80, my GCE instance, which is on the "default" network, is not accepting connections to port 80. It appears only port 22 is open on my instance. I can ping it, but can't traceroute to it in under 64 hops.
What follows is my investigation that led me to those conclusions.
gcloud beta compute firewall-rules list
NAME NETWORK DIRECTION PRIORITY ALLOW DENY
default-allow-http default INGRESS 1000 tcp:80
default-allow-https default INGRESS 1000 tcp:443
default-allow-icmp default INGRESS 65534 icmp
default-allow-internal default INGRESS 65534 tcp:0-65535,udp:0-65535,icmp
default-allow-rdp default INGRESS 65534 tcp:3389
default-allow-ssh default INGRESS 65534 tcp:22
temp default INGRESS 1000 tcp:8888
gcloud compute instances list
NAME ZONE MACHINE_TYPE PREEMPTIBLE INTERNAL_IP EXTERNAL_IP STATUS
ssrf3 us-west1-c f1-micro true 10.138.0.4 35.197.33.182 RUNNING
gcloud compute instances describe ssrf3
...
name: ssrf3
networkInterfaces:
- accessConfigs:
- kind: compute#accessConfig
name: external-nat
natIP: 35.197.33.182
type: ONE_TO_ONE_NAT
kind: compute#networkInterface
name: nic0
network: https://www.googleapis.com/compute/v1/projects/hack-170416/global/networks/default
networkIP: 10.138.0.4
subnetwork: https://www.googleapis.com/compute/v1/projects/hack-170416/regions/us-west1/subnetworks/default
...
tags:
fingerprint: 6smc4R4d39I=
items:
- http-server
- https-server
I ssh into 35.197.33.182 (which is the ssrf3 instance) and run:
sudo nc -l -vv -p 80
On my local machine, I run:
nc 35.197.33.182 80 -vv
hey
but nothing happens.
So I try to ping the host. That looks healthy:
ping 35.197.33.182
PING 35.197.33.182 (35.197.33.182): 56 data bytes
64 bytes from 35.197.33.182: icmp_seq=0 ttl=57 time=69.172 ms
64 bytes from 35.197.33.182: icmp_seq=1 ttl=57 time=21.509 ms
Traceroute quits after 64 hops, without reaching the 35.197.33.182 destination.
So I check which ports are open with nmap:
nmap 35.197.33.182
Starting Nmap 7.12 ( https://nmap.org ) at 2017-06-18 16:39 PDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.06 seconds
nmap 35.197.33.182 -Pn
Starting Nmap 7.12 ( https://nmap.org ) at 2017-06-18 16:39 PDT
Nmap scan report for 182.33.197.35.bc.googleusercontent.com (35.197.33.182)
Host is up (0.022s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 6.84 seconds
… even when I’m running nc -l -p 80 on 35.197.33.182.

Ensure that VM level firewall is not intervening. For example, Container-Optimized OS is a bit special in comparison to all other default images:
By default, the Container-Optimized OS host firewall allows only outgoing connections, and accepts incoming connections only through the SSH service. To accept incoming connections on a Container-Optimized OS instance, you must open the ports your services are listening on.
https://cloud.google.com/container-optimized-os/docs/how-to/firewall

Checking the two check boxes "Allow HTTP traffic" and "Allow HTTPS traffic" did the trick. This created two Firewall rules, that opened the ports 80 and 443.
Manually adding rules for those port didn't work for some reason, but it worked with checking the boxes.

On a quick glance, your setup seems to be correct.
You have allowed INGRESS tcp:80 for all instances in the default network.
Your VM is on the default network.
Traceroute will not give a good indication when you have VMs running on Cloud providers, because of the use of SDNs, virtual networks and whole bunch of intermediate networking infrastructure unfortunately.
One thing I notice is that your instance has 2 tags http-server and https-server. These could be used by some other firewall rules possibly which is somehow blocking traffic to your VM's tcp:80 port.
There are other variables in your setup and I'm happy to debug if needed further.
Tag based firewall rules
You can try tag based firewall rules which will apply the firewall rule only to instances which have the specified target tag.
Network tags are used by networks to identify which instances are
subject to certain firewall rules and network routes. For example, if
you have several VM instances that are serving a large website, tag
these instances with a shared word or term and then use that tag to
apply a firewall rule that allows HTTP access to those instances. Tags
are also reflected in the metadata server, so you can use them for
applications running on your instances. When you create a firewall
rule, you can provide either sourceRanges or sourceTags but not both.
# Add a new tag based firewall rule to allow ingress tcp:80
gcloud compute firewall-rules create rule-allow-tcp-80 --source-ranges 0.0.0.0/0 --target-tags allow-tcp-80 --allow tcp:80
# Add the allow-tcp-80 target tag to the VM ssrf3
gcloud compute instances add-tags ssrf3 --tags allow-tcp-80
It might take a few seconds to couple of minutes for the changes to take effect.
NOTE: Since you're opening up ports of VM's external IPs to the internet, take care to restrict access accordingly as per the needs of your application running on these ports.

After lots of trail and error, the following worked for me on ubuntu-1404-trusty-v20190514
, with a nodejs app listening on port 8080. Accept port 80 and 8080, and then redirect 80 to 8080.
sudo iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp --dport 8080 -j ACCEPT
sudo iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

Incase you are a windows server instance , You could try to turn off the Windows Defender and check if it's blocking the incoming connection.

Spoofing mysql-client connection request for demo purposes

For demo purpose, I wanted to start at least 5 MySQL-client connection to only one server. Mysql-server is running on a fixed IP.
In my script, I have added many IP's as following.
eth0 inet addr:1.2.3.4
eth0:1 inet addr:1.2.3.5
I am the mysql client request as follows:
mysql -u test -h mysql.domain.com -p
This request always goes with 1.2.3.4? Can I start the mysql-client request with the IP I wanted?

I'm not sure it can be defined in the mysql client.
However good'ol networking should be your friend here.
The idea here is to make sure that IP traffic from your machine to the server machine goes through the desired NIC as its gateway.
The command on *nix is 'route add' and the syntax should be something in the spirit of:
route add -host <YOUR DB SERVER IP> gw 1.2.3.5 dev <YOUR NIC DEVICE NAME>

How can I keep Google Chromium from making unrequested outgoing connections?

I'm using the Chromium browser as the display for an embedded openSUSE-based project. Everything's going well, but I just now found out that Chromium is making dozens of connections to various *.ie100.net domains. I know this is Google's safe browsing system kicking in, but in my case this is useless because Chromium is just showing my own embedded server. I also know it isn't nefarious, and won't cause explicit harm, but I'm worried customers will see the traffic and get worried.
I've tried turning off safe browsing by editing .config/chromium/Default/Preferences...
"safebrowsing": {
"enabled": false
},
... but to no avail. I'm also worried that there are other Chromium features that may kick in and send backdoor traffic.
So, how can I tell Chromium to stop making unrequested outgoing connections? Do I need to block it at the system level?

My best solution has been to use iptables to block all outgoing request to ports 80 or 433. Yes, this prevents other browswers from being used in my product, but this isn't a problem for an embedded system.
Here's the script which cleans up any previous rules and then sets up blocking rules:
# Chrome has a nasty habit of connecting to various *.ie100.net domains, probably for
# safe browsing but who knows. Concern is that our customers will see these
# connections and wonder what the heck's going on. So, we block them.
# Kill any previous KILL_CHROME chain. First, get rid of all referencing rules
RULES=$(sudo iptables -L OUTPUT --line-numbers | grep KILL_CHROME | cut -d' ' -f1 | sort -r )
for rule in $RULES; do
sudo iptables -D OUTPUT $rule
done
# Clean out chain
sudo iptables --flush KILL_CHROME
# Remove chain
sudo iptables -X KILL_CHROME
# Now, build new rules. Add new iptables chain KILL_CHROME
sudo iptables -N KILL_CHROME
# Any newly-created outgoing tcp connections on eth0 to port 80 are routed to KILL_CHROME
sudo iptables -A OUTPUT -o eth0 -m conntrack --ctstate NEW -p tcp --dport 80 -j KILL_CHROME
# Any newly-created outgoing tcp connections on eth0 to port 443 are routed to KILL_CHROME
sudo iptables -A OUTPUT -o eth0 -m conntrack --ctstate NEW -p tcp --dport 443 -j KILL_CHROME
# Log every connection in KILL_CHROME
sudo iptables -A KILL_CHROME -j LOG --log-prefix "New Dropped: "
# And drop it like a hot potato.
sudo iptables -A KILL_CHROME -j
'Twould be good for Chromium to support some sort of flag to prevent this behavior, but since there doesn't seem to be one this is the best I can do.