
From an OU Expert: Remember the host firewall

Orlando Gentil (Author)

“I checked my Security Lists and NSGs; they are correct, but I still can’t connect to the service in my instance”.

Originally posted at the Oracle University Learning Community

Setting up the rules for your environment can sometimes be tricky, and it only gets more complicated as your infrastructure evolves and grows. With so many variables to track, often managed by different teams, it is easy to forget that OCI instances built from platform images come with a second layer of filtering: a stringent host firewall, enabled by default, that sits behind whatever your Security Lists and NSGs allow.

Besides some required internal ports and networks, the host firewall of the platform images allows only the following inbound traffic by default:

  • Windows: Remote Desktop (3389/TCP). Extra tip: RDP is not allowed in the default security list, so it has to be opened there explicitly.
  • Linux distributions (Oracle Linux, Autonomous Linux, CentOS, and Ubuntu): SSH (22/TCP).

After installing and starting a service, e.g., an HTTP server, on a Linux instance, adding the service ports and client networks to Security Lists and NSGs is not enough to grant access. The host firewall still blocks the traffic: when you try to reach the service, the connection is never established and your client shows an error. (A useful hint while troubleshooting: the Linux images reject rather than silently drop, so a host-firewall block typically fails immediately, whereas a missing Security List or NSG rule usually shows up as a timeout.) If you are installing IIS on Windows, the installer typically opens the Windows Firewall ports for you.

For Oracle Linux and CentOS instances, firewalld manages the host firewall on the 7.x, 8.x, and 9.x releases. In our example, where an HTTP server was installed, the command to allow access to it is:

sudo firewall-cmd --zone=public --add-port=80/tcp --permanent

(replace 80 with 443 for HTTPS)

Or

sudo firewall-cmd --zone=public --add-service=http --permanent

(replace http with https for HTTPS). Either way, --permanent only changes the saved configuration, not the rules the running firewall is enforcing: reload firewalld afterwards, or run the same command a second time without --permanent, and then check the runtime rule set rather than the saved one.

I’ll leave the discussion of firewall-cmd “ports vs. services” to another post :)

If Oracle Linux uses firewalld, Ubuntu instances must use ufw, right? Not so fast: the Ubuntu images on OCI do not use ufw. They use plain iptables, with the rule set kept in /etc/iptables/rules.v4 and loaded from there at boot. In this case, you allow access by adding the following line to that file:

-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

Search the file for the same line with port 22 and add the new one right after it. The position matters: iptables evaluates the INPUT chain top to bottom, and the port-22 rule is followed by the rule that rejects all remaining inbound traffic, so a line appended at the end of the chain would load fine and still never match. Replace 80 with 443 if you want to allow HTTPS. Once the file is changed and saved, make the changes effective by loading it into the running firewall:

sudo iptables-restore < /etc/iptables/rules.v4
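As an added example, not code from the original post or from Oracle, here is a small POSIX shell script that covers both paths above: the firewalld commands for Oracle Linux/CentOS (with the reload that --permanent needs) and an idempotent edit of /etc/iptables/rules.v4 for Ubuntu that inserts the new rule right after the port-22 rule, parse-checks the file before loading it, and verifies the rule is live. The function names, the RULES_FILE variable and the sample rules.v4 are assumptions constructed for illustration; run without arguments it only edits a temporary copy of the sample, and with `--apply PORT` (as root on the instance) it changes the real firewall.

```shell
#!/bin/sh
# Added example, not code from the original post or from Oracle: open an inbound TCP
# port in the host firewall of an OCI platform image. Names and sample file are assumed.
set -eu
RULES_FILE=${RULES_FILE:-/etc/iptables/rules.v4}

# Constructed sample resembling the default Ubuntu rules.v4 on OCI: the port-22 ACCEPT
# is followed by a catch-all REJECT, so a rule appended to the chain would never match.
sample_rules_v4() {
  cat <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# The ACCEPT rule for TCP port $1, in the same form as the image's port-22 rule.
iptables_rule_for() {
  printf '%s\n' "-A INPUT -p tcp -m state --state NEW -m tcp --dport $1 -j ACCEPT"
}

# 0 if the exact ACCEPT rule for port $2 is already in file $1.
rule_present() {
  grep -qxF -- "$(iptables_rule_for "$2")" "$1"
}

# 0 if the ACCEPT rule for port $2 sits above INPUT's REJECT in file $1 (so it can match).
rule_before_reject() {
  accept_line=$(grep -nF -- "$(iptables_rule_for "$2")" "$1" | head -n 1 | cut -d: -f1)
  reject_line=$(grep -n '^-A INPUT -j REJECT' "$1" | head -n 1 | cut -d: -f1)
  if [ -n "$accept_line" ] && [ -n "$reject_line" ] && [ "$accept_line" -lt "$reject_line" ]; then
    return 0
  fi
  return 1
}

# Idempotently insert the ACCEPT rule for port $2 into file $1: right after the port-22
# rule, else just before INPUT's REJECT, else before the filter table's COMMIT.
add_iptables_rule() {
  file=$1; port=$2
  rule=$(iptables_rule_for "$port")
  rule_present "$file" "$port" && return 0
  awk -v rule="$rule" '
    /^\*/ { table = substr($0, 2) }
    table == "filter" && !done && (/^-A INPUT -j REJECT/ || /^COMMIT$/) { print rule; done = 1 }
    { print }
    table == "filter" && !done && /^-A INPUT .*--dport 22 -j ACCEPT$/ { print rule; done = 1 }
  ' "$file" > "$file.tmp"
  mv "$file.tmp" "$file"
}

# firewalld (Oracle Linux / CentOS 7-9): --permanent only edits the saved configuration,
# the running firewall changes on --reload; verify against the runtime rules.
open_firewalld_port() {
  firewall-cmd --zone=public --permanent --add-port="$1/tcp"
  firewall-cmd --reload
  firewall-cmd --zone=public --list-ports | tr ' ' '\n' | grep -qx "$1/tcp"
}

# Ubuntu on OCI (no ufw): edit rules.v4, parse-check it, load it, confirm the rule is live.
open_iptables_port() {
  add_iptables_rule "$RULES_FILE" "$1"
  iptables-restore --test < "$RULES_FILE"   # refuse to load a broken file
  iptables-restore < "$RULES_FILE"
  iptables -C INPUT -p tcp -m state --state NEW -m tcp --dport "$1" -j ACCEPT
}

open_port() {
  if command -v firewall-cmd >/dev/null 2>&1; then
    open_firewalld_port "$1"
  elif [ -f "$RULES_FILE" ]; then
    open_iptables_port "$1"
  else
    echo "neither firewalld nor $RULES_FILE found: unknown host firewall" >&2; return 1
  fi
}

# "--apply PORT" (as root on the instance) changes the real firewall; with no arguments
# the script only demonstrates the edit on a temporary copy of the constructed sample.
if [ "${1:-}" = "--apply" ]; then
  open_port "$2"
else
  demo=$(mktemp)
  sample_rules_v4 > "$demo"
  add_iptables_rule "$demo" 80
  add_iptables_rule "$demo" 443
  cat "$demo"
  rm -f "$demo"
fi
```

The check worth keeping is rule_before_reject: an ACCEPT rule that lands below the catch-all REJECT is syntactically valid, loads without any error from iptables-restore, and still lets nothing through, which is exactly the "my rules look right but it does not work" symptom this post is about. The same idea applies to firewalld: assert on what --list-ports reports at runtime, not on what was written with --permanent.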

Have you faced a similar problem as I described in this tip? How did you solve it? I hope this tip can save you some time when you are troubleshooting issues in the future.