29

This is an elementary question, however one I cannot seem to resolve by perusing the Oracle Cloud Infrastructure documentation. I've created an Ubuntu-based compute node, and it's attached to a subnet. In that subnet I've created a stateful rule with source 0.0.0.0/0, IP protocol: TCP, Source Port Range: All, Destination Port Range: 80.

There is no firewall configured on the server.

Despite this configuration I can't access the compute node's public IP. Any ideas?

Darpan Dodiya
  • 182
  • 2
  • 12
Jason
  • 2,190
  • 2
  • 19
  • 28

7 Answers

61

I figured it out. The connectivity issue was due to Oracle's default use of iptables on all Oracle-provided images. Literally the very first thing I did when spinning up this instance was check ufw, presuming there were a few firewall restrictions in place. The ufw status was inactive, so I concluded the firewall was locally wide open. Because, to my understanding, both ufw and iptables look at the netfilter kernel firewall, and because ufw is the de facto (standard?) firewall solution on Ubuntu, I've no idea why they concluded it made sense to use iptables in this fashion. Maybe just to standardize across all images?

I learned about the rules by running:

$ sudo iptables -L

Then I saved the rules to a file so I could add the relevant ones back later:

$ sudo iptables-save > ~/iptables-rules

Then I ran these rules to effectively disable iptables by allowing all traffic through:

$ sudo iptables -P INPUT ACCEPT     # default policy: accept anything no rule matches
$ sudo iptables -P OUTPUT ACCEPT
$ sudo iptables -P FORWARD ACCEPT
$ sudo iptables -F                  # flush every rule in every chain; only the ACCEPT policies above remain

To clear all iptables rules at once, run this command:

$ sudo iptables --flush             # long form of -F above

Anyway, hope this helps somebody else out because documentation on the matter is non-existent.

Jason
  • 2,190
  • 2
  • 19
  • 28
  • 2
    Oracle documents the use of iptables instead of ufw and security implications of opening up iptables to all traffic in their best practices documentation: https://docs.cloud.oracle.com/en-us/iaas/Content/Compute/References/bestpracticescompute.htm – QA Automator May 19 '20 at 20:37
  • You're my hero, seriously. Thx! – tisaksen May 26 '20 at 13:48
  • Perfect! Now I can just use ufw – Pepijn Olivier Jun 12 '20 at 10:10
  • 2
WARNING!!!! If you run `iptables --flush`, you will lose all access to the machine, essentially bricking it!!! – Him Jul 05 '20 at 23:26
  • Works perfectly. Thanks. – Tapan Halani Aug 09 '20 at 06:50
  • 1
    I wish it wouldn't have been so hard for me to find this answer. I don't know why Oracle bothers with adding firewall rules on the server, when everything is protected at the infrastructure level. Thank you! – GeekLad Oct 23 '20 at 18:40
  • 2
    this should be the accepted answer! – dark_ruby Nov 16 '20 at 13:23
  • Perfect! Issue resolved! Why iptables instead of ufw on Ubuntu? BTW, I have zero idea about iptables. How do I make the changes persistent? I have to rerun the commands after a server restart. – Saquib Ahmed Mar 02 '21 at 11:38
45

When deploying compute instances at Oracle Cloud Infrastructure you need to take into account a few things:

  1. Create Internet Gateway (IGW).
  2. Define routes to point to IGW.
  3. Allow port 80 in the Security List associated with the IGW. By default you only have access to SSH and ICMP 3,4 type.
  4. Allow connectivity on Compute's instance firewall (which is enabled by default).

In your example, if you are using an OEL shape:

$ sudo firewall-cmd --zone=public --permanent --add-port=80/tcp   # store the rule in the public zone's permanent config

$ sudo firewall-cmd --reload                                       # load the permanent config into the running firewall
Jason
  • 2,190
  • 2
  • 19
  • 28
IaaSgeek
  • 566
  • 4
  • 3
  • 1
Awesome! In my case, ssh (22) worked great, port 80 did not. After I followed all the steps above (including the "firewall-cmd" steps), the magic happened! – kimchoky Sep 28 '19 at 10:18
  • 14
    This worked for me but only after `sudo apt install firewalld` – Constructor Nov 01 '19 at 21:43
  • the comment above me made all the difference, I had to install the firewall too – Yaron Avital Oct 23 '20 at 12:39
  • 1
    @kimchoky yes I also had the same situation. I can't understand why port 22 would be treated differently. Access via SSH didn't require any setup (except for the keys). But access via HTTP would require more rules. I find it confusing, had no insight, and still can't understand the reason for the difference. – Kamafeather Jan 10 '21 at 17:37
  • It is the security list associated with the vcn – anand Jan 21 '21 at 15:21
8

Always refer to the official guide: https://docs.cloud.oracle.com/en-us/iaas/developer-tutorials/tutorials/apache-on-ubuntu/01oci-ubuntu-apache-summary.htm

$ sudo iptables -I INPUT 6 -m state --state NEW -p tcp --dport 80 -j ACCEPT   # insert at position 6, ahead of the image's REJECT rule
$ sudo netfilter-persistent save   # write the running rules to /etc/iptables/rules.v4 so they survive a reboot
$ sudo systemctl restart apache2
Sum Chen
  • 111
  • 1
  • 3
  • For my single Ubuntu 20.04 instance, I configured Ingress Rules for many other [app required port], such as MySQL 3306 and TightVNCServer 5901, but they are not taking effect. After I executed "sudo iptables -I INPUT 6 -m state --state NEW -p tcp --dport [app required port] -j ACCEPT" and "sudo netfilter-persistent save", my instance can be accessed from Internet, magically. – oraclesoon Sep 16 '20 at 17:57
7

credited to https://medium.com/@fathi.ria/oracle-database-cloud-open-ports-on-oci-1af24f4eb9f2

Compute Instance (such as Ubuntu) -> Virtual Cloud Network -> Security List -> Ingress Rules -> Please add a rule to allow access to port 80 from anywhere

new2cpp
  • 2,149
  • 3
  • 21
  • 31
7

Pre-Requisite

  1. VM instance should have been created and running
  2. Access to Public and Private keys used during the creation of VM instance

Log into the VM using SSH and run the following command

$ sudo iptables --list --line-numbers   # show every chain with rule positions

It will show the details about Chain INPUT (policy ACCEPT). From the list, delete the REJECT all rule in iptables.

$ sudo iptables -D INPUT <Reject Line number>   # delete the rule at that position in the INPUT chain
e.g.
$ sudo iptables -D INPUT 6

Check if the REJECT rule is deleted

$ sudo iptables --list --line-numbers

Access the Default Security List and Edit Ingress Rules to Allow Internet Traffic on Port

Edit the Ingress Rule: Add CIDR 0.0.0.0/0, TCP, Destination 9999 (N): Networking > Virtual Cloud Networks > Virtual Cloud Network Details > Security Lists > Security List Details

Access your application via web browser

Type http://<public IP address of the VM>:port
Muthukumar K
  • 151
  • 1
  • 9
4

I guess if you add the rule below to your iptables it should work; otherwise you'll be disturbing other rules which are related to block volume attachment that comes preconfigured on those Oracle images.

# -i ens3: the instance's primary NIC name on that image; position 5 requires at least 4 existing INPUT rules
sudo iptables -I INPUT 5 -i ens3 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
Kamafeather
  • 5,651
  • 10
  • 44
  • 74
vinodh
  • 77
  • 1
  • 6
  • 1
    This command works. To make the changes persistent even after reboot, we need to additionally run: netfilter-persistent save – WebDev Nov 22 '19 at 12:36
  • I got: iptables: Index of insertion too big. – user2650501 Jun 09 '20 at 06:38
  • @user2650501 the index issue is because of specifying the position `5` for the rule, while if you run `sudo iptables -L` you'll see that your current rules are less than 4 (probably empty). – Kamafeather Jan 10 '21 at 19:05
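The answers above open port 80 either by flushing the whole ruleset (the first answer) or by inserting an ACCEPT rule at a hard-coded position such as `-I INPUT 6` or `-I INPUT 5`, which fails with "Index of insertion too big" when the chain is shorter than expected (see the comments on this answer). The script below is an added example written for this page, not code from any of the answers or from Oracle: it computes the position of the image's REJECT rule from the live chain and inserts the ACCEPT rule directly in front of it, so nothing else in the Oracle-provided ruleset is flushed or deleted. The sample chain listing embedded in it is constructed, modelled on the INPUT chain the answers describe (REJECT at position 6), and the persistence step assumes the iptables-persistent package (`netfilter-persistent`) that the Ubuntu tutorial linked above uses is installed.

```shell
#!/bin/sh
# Added example (not from the original answers). Opens a TCP port on an
# Oracle-provided Ubuntu image by inserting an ACCEPT rule in front of the
# image's REJECT rule, computing the index instead of hard-coding it.

# Print the 1-based position of the first REJECT rule in an
# `iptables -L INPUT --line-numbers -n` listing read from stdin.
# Prints nothing when the chain has no REJECT rule.
first_reject_index() {
    awk '$1 ~ /^[0-9]+$/ && $2 == "REJECT" { print $1; exit }'
}

# Build the iptables command that accepts new TCP connections to $1,
# given the INPUT chain listing in $2 (output of the command above).
#   REJECT present: insert at its index, so the ACCEPT is evaluated first
#   no REJECT:      append; there is nothing later in the chain to beat
build_accept_rule() {
    port="$1"
    listing="$2"
    idx=$(printf '%s\n' "$listing" | first_reject_index)
    rule="-p tcp --dport $port -m state --state NEW -j ACCEPT"
    if [ -n "$idx" ]; then
        printf 'iptables -I INPUT %s %s\n' "$idx" "$rule"
    else
        printf 'iptables -A INPUT %s\n' "$rule"
    fi
}

# Constructed sample listing (not captured from a real instance), modelled
# on the INPUT chain described in the answers above: SSH accepted, then a
# catch-all REJECT at position 6.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:123
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
6    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# Dry run by default (prints the command it would run against the sample).
# With APPLY=1, as root, read the live chain, apply the rule and persist it.
open_port() {
    port="$1"
    if [ "${APPLY:-0}" = "1" ]; then
        live=$(iptables -L INPUT --line-numbers -n)
        cmd=$(build_accept_rule "$port" "$live")
        echo "applying: $cmd"
        sh -c "$cmd"
        # Assumption: iptables-persistent is installed. Without this step the
        # rule is gone after the next reboot (the question raised in the
        # comments on the first answer).
        netfilter-persistent save
    else
        echo "dry run: $(build_accept_rule "$port" "$SAMPLE_LISTING")"
    fi
}

open_port "${1:-80}"
```

Run it without arguments to see the command it would execute against the sample chain; run `sudo APPLY=1 sh open-port.sh 80` on the instance to apply and persist the rule. Because the script only ever inserts one ACCEPT, the REJECT rule and the rules the image ships for iSCSI block-volume traffic stay in place, and the default ACCEPT policy is never relied on.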
0

If you have not created Internet Gateway yet, that might be the reason. In order to connect the VCN with the public internet you need to have an Internet Gateway and a route table to direct the traffic through the gateway.

lsarecz
  • 318
  • 1
  • 9