Opening port 80 on Oracle Cloud Infrastructure Compute node [closed] - oracle-cloud-infrastructure

This is an elementary question, however one I cannot seem to resolve by perusing the Oracle Cloud Infrastructure documentation. I've created an Ubuntu-based compute node, and it's attached to a subnet. In that subnet I've created a stateful rule with source 0.0.0.0/0, IP protocol: TCP, Source Port Range: All, Destination Port Range: 80.
There is no firewall configured on the server.
Despite this configuration I can't access the compute node's public IP. Any ideas?

I figured it out. The connectivity issue was due to Oracle's default use of iptables on all Oracle-provided images. Literally the very first thing I did when spinning up this instance was check ufw, presuming there were a few firewall restrictions in place. The ufw status was inactive, so I concluded the firewall was locally wide open. Because to my understanding both ufw and iptables look at the netfilter kernel firewall, and because ufw is the de facto (standard?) firewall solution on Ubuntu, I've no idea why they concluded it made sense to use iptables in this fashion. Maybe just to standardize across all images?
I learned about the rules by running:
$ sudo iptables -L
Then I saved the rules to a file so I could add the relevant ones back later:
$ sudo iptables-save > ~/iptables-rules
Then I ran these rules to effectively disable iptables by allowing all traffic through:
$ iptables -P INPUT ACCEPT
$ iptables -P OUTPUT ACCEPT
$ iptables -P FORWARD ACCEPT
$ iptables -F
To clear all iptables rules at once, run this command:
$ iptables --flush
Anyway, hope this helps somebody else out because documentation on the matter is non-existent.

When deploying compute instances at Oracle Cloud Infrastructure you need to take into account a few things:
Create Internet Gateway (IGW).
Define routes to point to IGW.
Allow port 80 in the Security List associated with the IGW. By default you only have access to SSH and ICMP 3,4 type.
Allow connectivity on the Compute instance's firewall (which is enabled by default).
In your example, if you are using an OEL shape:
$ sudo firewall-cmd --zone=public --permanent --add-port=80/tcp
$ sudo firewall-cmd --reload

Always refer to the official guide: https://docs.cloud.oracle.com/en-us/iaas/developer-tutorials/tutorials/apache-on-ubuntu/01oci-ubuntu-apache-summary.htm
$ sudo iptables -I INPUT 6 -m state --state NEW -p tcp --dport 80 -j ACCEPT
$ sudo netfilter-persistent save
$ sudo systemctl restart apache2

credited to https://medium.com/#fathi.ria/oracle-database-cloud-open-ports-on-oci-1af24f4eb9f2
Computer Instance (such as Ubuntu) -> Virtual Cloud Network -> Security List -> Ingress Rules -> Please add a rule to allow access to port 80 from anywhere

Pre-Requisite
The VM instance should have been created and be running.
Access to the public and private keys used during the creation of the VM instance.
Log into the VM using SSH and run the following command:
$ sudo iptables --list --line-numbers
It will show the details of Chain INPUT (policy ACCEPT). From the list,
you are required to delete the "REJECT all" rule in iptables.
$ sudo iptables -D INPUT <Reject Line number>
e.g.
$ sudo iptables -D INPUT 6
Check that the REJECT rule is deleted:
sudo iptables --list --line-numbers
Access the Default Security List and Edit Ingress Rules to Allow Internet Traffic on the Port
Edit the Ingress Rule: Add CIDR 0.0.0.0/0, TCP, Destination 9999
(N): Networking >Virtual Cloud Networks> Virtual Cloud Network Details>Security Lists> Security List Details
Access your application via web browser
Type http://<public IP address of the VM>:port

I guess if you add the rule below to your iptables it should work; otherwise you'll be disturbing other rules which are related to block volume attachment that come preconfigured on those Oracle images.
iptables -I INPUT 5 -i ens3 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
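The answers above either flush the whole ruleset (which also removes the block-volume rules the image ships with) or insert the ACCEPT at a hard-coded position (5 or 6), which silently lands the rule in the wrong place on an image whose ruleset differs. As an added example, not code from any answer on this page, the following POSIX shell script locates the first REJECT/DROP rule in the INPUT chain from the output of `iptables -L INPUT -n --line-numbers`, inserts a port-specific ACCEPT just above it (or appends one if the chain has no reject rule), skips the insert when the port is already allowed, and persists the result. The sample chain listing is constructed, modelled on the default OCI Ubuntu ruleset the answers describe; the function names are my own, and it generalizes to any TCP port, not only 80.

```shell
#!/bin/sh
# Added example (not from any answer on this page): place a port-specific ACCEPT
# just above the first REJECT/DROP rule of the INPUT chain instead of flushing
# everything or hard-coding a rule position.

# Constructed sample of `sudo iptables -L INPUT -n --line-numbers` output
# (assumption: modelled on the default OCI Ubuntu ruleset; real images may differ).
SAMPLE_INPUT_CHAIN='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:123
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
6    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# first_reject_rule LISTING: print the number of the first REJECT or DROP rule
# (prints nothing when the chain has none, i.e. the chain policy decides).
first_reject_rule() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && ($2 == "REJECT" || $2 == "DROP") { print $1; exit }'
}

# has_port_rule LISTING PORT: succeed if an ACCEPT for tcp dpt:PORT already exists.
has_port_rule() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$2 == "ACCEPT" && $3 == "tcp" && $0 ~ ("dpt:" p "( |$)") { found = 1 } END { exit !found }'
}

# plan_open_tcp_port PORT LISTING: print the iptables command that opens PORT above
# the reject rule, or appends it when there is none. Prints nothing if already open.
plan_open_tcp_port() {
    port="$1"; listing="$2"
    if has_port_rule "$listing" "$port"; then
        return 0
    fi
    pos=$(first_reject_rule "$listing")
    if [ -n "$pos" ]; then
        printf 'iptables -I INPUT %s -m state --state NEW -p tcp --dport %s -j ACCEPT\n' "$pos" "$port"
    else
        printf 'iptables -A INPUT -m state --state NEW -p tcp --dport %s -j ACCEPT\n' "$port"
    fi
}

# open_tcp_port PORT: apply the plan on a live host (needs root and iptables),
# then persist it so it survives a reboot.
open_tcp_port() {
    listing=$(iptables -L INPUT -n --line-numbers) || return 1
    cmd=$(plan_open_tcp_port "$1" "$listing")
    if [ -z "$cmd" ]; then
        echo "port $1 already allowed"
        return 0
    fi
    echo "$cmd"
    eval "$cmd" || return 1
    # netfilter-persistent comes with the iptables-persistent package on Ubuntu.
    if command -v netfilter-persistent >/dev/null 2>&1; then
        netfilter-persistent save
    else
        iptables-save > /etc/iptables/rules.v4
    fi
}

# Dry run against the constructed sample: prints the command, touches nothing.
plan_open_tcp_port 80 "$SAMPLE_INPUT_CHAIN"
```

Run it as-is to see the planned command for the sample; on an OCI host, call `open_tcp_port 80` as root instead. The plan step is kept separate from the apply step so it can be reviewed (or logged) before the live ruleset changes.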

If you have not created an Internet Gateway yet, that might be the reason. In order to connect the VCN with the public internet you need to have an Internet Gateway and a route table to direct the traffic through the gateway.

Related

LXD - Cannot list network forwarded ports

I am trying to figure out how to list ports forwarded by LXD through lxc network forward.
I have 2 NICs configured as:
(image: ip a result)
I configured network forward ports that way:
(image: lxc network commands)
My configuration works quite well and I can access my webserver from the outside:
(image: curl success result)
The problem is here: I want to know what ports are opened using this method without using lxd commands (I'm looking for a Linux way to list them).
I already tried with netstat, lsof and iptables but nothing seems to let me see the port 8080 that is actually giving me the content I'm looking for:
(image: netstat -ltnuop result)
(image: iptables -t nat -L -n result)
(image: lsof -i result)

MySQL: Service is down || Zabbix Agent ubuntu

I have configured MySQL for Zabbix Server as mentioned in the link below.
https://sbcode.net/zabbix/setup_mysql_database_monitoring/
It works fine. I was able to monitor MySQL parameters.
I then configured and added Zabbix Agent successfully.
But when I do the same MySQL configuration on the Zabbix Agent server, the MySQL service was showing as down.
https://sbcode.net/zabbix/setup_mysql_database_monitoring/
On the Zabbix Agent Ubuntu server, I checked that the MySQL service is showing an Active state, and in the MySQL DB I have created a new user called zbx_monitor and granted it the required permissions for the database server too.
I searched some configurations from the internet but it didn't resolve the issue.
If anyone knows how to configure MySQL for the Zabbix Agent Server on Ubuntu, it will be appreciated.
Thanks!
I had the same problem and I resolved it by adding "HOME=/var/lib/zabbix" in each line of the template file (/etc/zabbix/zabbix_agentd.d/template_db_mysql.conf)
For example "UserParameter=mysql.ping[*], HOME=/var/lib/zabbix mysqladmin -h"$1" -P"$2" ping"
An agent service restart is required. Have fun!
Problem: Docker Automatically Inserting iptables Rules
I monitor on local RFC 1918 addresses, so there is absolutely no need to NAT or Masquerade any of the traffic.
But that is exactly what Docker does.
Docker "helpfully" inserts rules into iptables which masquerade & NAT traffic, busting connectivity between the Agent and Zabbix Server.
Solution:
On the HOST RUNNING THE AGENT, identify and delete the offending rules as below.
iptables NAT table:
Identify the rules in the NAT table which are masquerading & NAT'ing traffic. You can determine which rules have effect because their packet counters will be incremented:
sudo iptables -t nat -nvx -L --line-numbers
Delete each bad rule in the NAT table by RULE NUMBER:
sudo iptables -t nat -D POSTROUTING <Rule Number>
sudo iptables -t nat -D DOCKER <Rule Number>
Obviously don't use the angle brackets in your command; only specify the rule number.
iptables FORWARD chain:
Identify the bad rules in the FORWARD chain. Note that we just remove the -t nat switch in the command this time:
sudo iptables -nvx -L --line-numbers
Below are some specimen FORWARD rules:
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num pkts bytes target prot opt in out source destination
1 145702 279577023 DOCKER-ISOLATION-STAGE-2 all -- br-33d625bd029c !br-33d625bd029c 0.0.0.0/0 0.0.0.0/0
2 40104066 107106936701 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * br-33d625bd029c 0.0.0.0/0 0.0.0.0/0
2 29910 1794560 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
3 116324 283419930 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Look at rule #1 in chain "Chain DOCKER-ISOLATION-STAGE-1": the target is "Chain DOCKER-ISOLATION-STAGE-2". We can see it has effect and is dropping traffic because the packet counter is incrementing.
Now look at chain "Chain DOCKER-ISOLATION-STAGE-2" which drops the traffic in rule #2. Again, we can see the rule has effect and is actually DROPPING traffic.
Delete each bad rule in the FORWARD chain by RULE NUMBER:
sudo iptables -D DOCKER-ISOLATION-STAGE-1 <Rule Number>
sudo iptables -D DOCKER-ISOLATION-STAGE-2 <Rule Number>
Using the specimen iptables data above, we'd execute:
sudo iptables -D DOCKER-ISOLATION-STAGE-1 1
sudo iptables -D DOCKER-ISOLATION-STAGE-2 2
If you check your Zabbix monitoring, you should see the warning has cleared.
Rebuilding Containers
Please note that when you rebuild your Docker containers, the bad rules will be restored and you'll have to delete them again.
However, merely restarting a container does NOT restore the duff iptables rules.
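The identification step above (a rule "has effect" when its packet counter is non-zero) and the delete-by-number step can be scripted against the `iptables -nvx -L --line-numbers` output. The following POSIX shell script is an added example, not code from the answer above: it parses that listing, reports the rules in a named chain whose counters are non-zero and whose target is not a plain RETURN, and emits the matching `iptables -D` commands highest number first. That ordering matters when several rules in one chain are deleted in one pass, because deleting rule N renumbers every rule after it. The specimen listing is the one shown in the answer; the function names are my own. Run on the specimen, the plan reproduces exactly the two delete commands the answer gives.

```shell
#!/bin/sh
# Added example (not from the answer above): find the rules in a chain that are
# actually matching traffic (non-zero pkts counter, target other than RETURN) in
# `iptables -nvx -L --line-numbers` output, and emit `iptables -D CHAIN N` for
# them from the highest rule number down so earlier deletions do not shift the
# numbers of later ones.

# Specimen listing copied from the answer above (the two DOCKER-ISOLATION chains).
SPECIMEN='Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num pkts bytes target prot opt in out source destination
1 145702 279577023 DOCKER-ISOLATION-STAGE-2 all -- br-33d625bd029c !br-33d625bd029c 0.0.0.0/0 0.0.0.0/0
2 40104066 107106936701 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * br-33d625bd029c 0.0.0.0/0 0.0.0.0/0
2 29910 1794560 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
3 116324 283419930 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0'

# active_rules LISTING CHAIN: print, one per line, the numbers of the rules in
# CHAIN whose packet counter (column 2 of the -v listing) is non-zero and whose
# target (column 4) is not RETURN. Jumps to other chains count as active, which
# is how the answer treats rule 1 of DOCKER-ISOLATION-STAGE-1.
active_rules() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        /^Chain / { cur = $2; next }
        cur == chain && $1 ~ /^[0-9]+$/ && $2 + 0 > 0 && $4 != "RETURN" { print $1 }'
}

# delete_cmds CHAIN LISTING: one `iptables -D CHAIN N` per active rule, highest N first.
delete_cmds() {
    active_rules "$2" "$1" | sort -rn | while read -r n; do
        printf 'iptables -D %s %s\n' "$1" "$n"
    done
}

# On a live host (root, iptables installed) the listing would come from:
#   delete_cmds DOCKER-ISOLATION-STAGE-2 "$(iptables -nvx -L --line-numbers)"
# Here we only print the plan for the specimen; nothing on the host is changed.
delete_cmds DOCKER-ISOLATION-STAGE-1 "$SPECIMEN"
delete_cmds DOCKER-ISOLATION-STAGE-2 "$SPECIMEN"
```

Review the printed plan before piping it into `sh`; as the answer notes, Docker restores these rules when containers are rebuilt, so the plan has to be re-run after that, and counters on a freshly rebuilt host will be zero until traffic flows again.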

Opening a specific port in Oracle Cloud - Ubuntu 18

The above one seems like an easy question, but believe me, I have tried multiple methods but all seem to be in vain.
For example: Port is 8080
1st - I followed many Oracle docs and tried opening port 8080, but failed miserably
2nd - I followed another stack overflow posts - Opening port 80 on Oracle Cloud Infrastructure Compute node
Opening port 19132 on an Oracle compute instance (ubuntu-20.04)
still no success
3rd - I followed these oracle instructions and tried to open up the port - https://docs.cloud.oracle.com/en-us/iaas/developer-tutorials/tutorials/apache-on-ubuntu/01oci-ubuntu-apache-summary.htm
but not working -> to my surprise, when I tried port 80 with the same method, it worked well, but it's not working for any other port at all
In short: - I enabled port 8080 in Security rules in the VCN - didn't work
- I tried installing firewalld and allowing through that -> didn't work for me
- Tried this -> didn't work
iptables -I INPUT 5 -i ens3 -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
So I was hoping someone else can find me a solution, please, to open up a port, or is there any way to completely disable my firewall so that I can use any port at all? Currently I am able to listen only on port 80 from outside.
Thank you
Ubuntu images in Oracle Cloud seem to have this 'strange' (compared to other clouds) behavior by default where you need to explicitly enable incoming traffic in the VM:
sudo iptables -I INPUT -j ACCEPT
Then you need to make this permanent:
sudo iptables-save -f /etc/iptables/rules.v4
To open a certain port it may require creating a security application specific to the port before creating the security rule. Please refer to this walkthrough on it if you haven't already - https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/compute/permitting_public_tcp_traffic_to_compute_instances/permitting_public_tcp_traffic_to_compute_instances.html
I am using Oracle Linux and this worked for me.
First add a new rule inside the default security list (see the link below)
firewall-cmd --permanent --zone=public --add-port=8080/tcp
firewall-cmd --reload
Reference : OCI: Amend Firewall Rules
In your case, you have Ubuntu instead of Oracle Linux, so you could try the above two commands as per Ubuntu and check if it works.

Can't let firewall pass port 8065 at Oracle Cloud

I'm setting up the service on Oracle Free Tier; the service is up and running on local interfaces, but I can't reach it from outside (via the public IP) on port 8065.
No firewall rules on the Ubuntu machine; the Oracle firewall is configured and says "TCP traffic for ports: 8065". The exact same (built-in) rule works just fine.
On Oracle's Ubuntu default image, Linux's firewall seems to be disabled:
$ sudo ufw status
Status: inactive
I'm getting "Connection refused" (TCP level) from outside when trying to connect.
Any help would be much appreciated.
It turned out that a posted answer works: as Oracle's Ubuntu instances use iptables, you need to work not only on the cloud's firewall and ufw, but on the iptables level as well. Quoting the related answer:
Opening port 80 on Oracle Cloud Infrastructure Compute node
Oracle Ubuntu has built-in iptables rules in Ubuntu 20; you have two choices:
enable ufw
sudo ufw allow HTTP
sudo ufw enable
sudo systemctl enable ufw
or disable ufw and configure iptables.
Sometimes ufw is not compatible with iptables in Ubuntu 20;
for example, if you use mosh you need to open UDP ports 60000-61000.
Delete /etc/iptables/rules.v4 and v6

Client connect timeout on local LAN Fedora 21 server for Minecraft server

I have a Fedora 21 server running on a local private LAN. I have set up a Minecraft server. It is running on port 25565 and running the server produces no errors. My problem is that I cannot get the client to connect to it. The client connects fine to Minecraft servers outside of the local private LAN, and when I tested the Minecraft server on an Ubuntu desktop, the Windows machine was able to connect to that server. So, it seems isolated to the Fedora 21 machine. It is running as a server, so no GUI! I have performed a netstat -a on it and see that it states that it is listening on port 25565. I have turned off firewalld ('sudo systemctl stop firewalld' and then 'sudo systemctl disable firewalld' just to be sure) to see if that was blocking it. I was still not able to connect. I can provide other information as needed. Oh, I am also using Java 1.8u25 and minecraft_server.1.8.1.
Thanks for your help.
I have found the problem. Apparently the change requires a server reboot. Perhaps just restarting the service may also take care of the issue but definitely rebooting the server cleared the problem.
EDIT: I have found that using iptables will open the firewall to allow the game to connect. I only stated that turning off firewalld allows the game to operate after saving iptables and restarting firewalld.
This should work (let me know if it doesn't):
Be sure to place this before any REJECT statements in the iptables.
You can use iptables -L --line-numbers | less to display the table. I pipe it out to "less" because the table can be quite long and this way one can easily scroll through the information.
iptables -I INPUT ## -p tcp --dport 25565 -j ACCEPT
iptables -I INPUT ## -p udp --dport 25565 -j ACCEPT
iptables-save
To do a restart of the firewalld type sudo systemctl restart firewalld.
Also keep in mind that this is for the default port in server.properties file. Obviously if the default port is changed in this file, then so would the iptables setting.
Hopefully this will help anyone who may run into this same problem.