
I just created a new "SSH key with a pass phrase" for GitHub private repo access from my AWS EC2 instance. Now I clone my repos fine. But the issue started that I cannot access any HTTPS site. It is giving me connection refused. Even the sudo apt-get update command stopped working, and neither can I access AWS S3 resources from my code. It is giving me the same type of error.

Can someone suggest me a solution for this problem?

Error when I am testing an HTTPS site (not sure if I am supposed to test like this):

ubuntu@ip-10-0-1-126:~$ curl -k https://www.facebook.com/
curl: (7) Failed to connect to www.facebook.com port 443: Connection refused

Another error when I try to install a golang package.

ubuntu@ip-10-0-1-126:~$ go get -u -v  github.com/Jeffail/tunny
github.com/Jeffail/tunny (download)
cd /home/ubuntu/go/src/github.com/Jeffail/tunny
git pull --ff-only fatal: unable to access 'https://github.com/Jeffail/tunny/': Failed to connect to github.com port 443: Connection refused 
package github.com/Jeffail/tunny: exit status 1

ubuntu@ip-10-0-1-126:~$ go get -v gopkg.in/yaml.v2
Fetching https://gopkg.in/yaml.v2?go-get=1 https fetch failed: 
Get https://gopkg.in/yaml.v2?go-get=1: dial tcp 35.196.143.184:443: connect: connection refused package gopkg.in/yaml.v2: unrecognized import path "gopkg.in/yaml.v2" (https fetch: Get https://gopkg.in/yaml.v2?go-get=1: dial tcp 35.196.143.184:443: connect: connection refused)

Output of my sudo apt-get update command:

ubuntu@ip-10-0-1-126:~$ sudo apt-get update
Err:1 http://security.ubuntu.com/ubuntu bionic-security InRelease   Could not connect to security.ubuntu.com:80 (91.189.88.149). - connect (111: Connection refused)
Cannot initiate the connection to security.ubuntu.com:80 (2001:67c:1562::19). - connect (101: Network is unreachable) Could not connect to security.ubuntu.com:80 (91.189.91.26). - connect (111: Connection refused)
...
W: Failed to fetch http://ap-south-1.ec2.archive.ubuntu.com/ubuntu/dists/bionic-updates/InRelease
Unable to connect to ap-south-1.ec2.archive.ubuntu.com
...
MLu
Debasish Mitra

2 Answers


That looks like you've got either:

  • Local firewall (iptables) that prohibits outbound traffic to HTTPS. Run iptables -L OUTPUT to see what rules you've got.

  • Security Group of your instance prohibits Outbound access to HTTPS. Check it in the AWS Console.

Adding an SSH key to your instance won't have an impact like this unless you have also changed something else at the same time.

Hope that helps :)

MLu
  • I found the underlying issue. My AWS architecture has a public subnet with a NAT instance. It forwards the traffic on certain ports to my EC2 instance hosted in a separate private subnet. sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.1.126:80 But I also need to provide outgoing internet access to my private EC2 instances. sudo iptables -t nat -A POSTROUTING -o eth0 -s 10.0.1.0/24 -j MASQUERADE This results in all the requests generated by my private EC2 looping back to themselves. Which rule needs to be modified to prevent this behaviour? – Debasish Mitra Mar 03 '19 at 13:29
  • @DebasishMitra Why don’t you use **NAT Gateway** instead of *EC2 based NAT Instance*? – MLu Mar 03 '19 at 18:35
  • It is such a basic thing that I believe a NAT instance should be able to solve this basic requirement, and given that this is a development environment, I want to limit my AWS infra cost by using a NAT instance instead. I have raised a separate question for this and have explained the problem a little better there. https://serverfault.com/questions/956522/need-correct-iptable-rules-for-nat-instance-to-prevent-loop-back-for-private-sub – Debasish Mitra Mar 03 '19 at 18:58

Based on the comments, your PREROUTING rule must exclude the local traffic, i.e.

iptables -t nat -A PREROUTING -p tcp ! --source 10.0.1.0/24 --dport 80 -j DNAT --to-destination 10.0.1.126:80

The exclamation mark before source (! --source 10.0.1.0/24) ensures that the rule is only evaluated for traffic coming from outside, not for traffic originating in the VPC.

Hope that helps :)

MLu
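To show why the original rule set sends the private instance's own requests back to itself, here is an added walk-through (not code from the thread's participants) that models how the NAT instance's PREROUTING DNAT and POSTROUTING MASQUERADE rules rewrite a packet, with and without the `! --source` exclusion. The subnet, port and DNAT target are the ones from the comments; the NAT instance's public address 203.0.113.5 and the external hosts are assumed values for the example.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Values from the thread: private subnet and the DNAT target behind the NAT instance.
PRIVATE_SUBNET = ipaddress.ip_network("10.0.1.0/24")
DNAT_TARGET = ("10.0.1.126", 80)
# Assumed: the NAT instance's public (eth0) address; RFC 5737 documentation range.
NAT_PUBLIC_IP = "203.0.113.5"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class DnatRule:
    """Models `-t nat -A PREROUTING -p tcp [! --source NET] --dport PORT -j DNAT --to TARGET`."""
    dport: int
    target: tuple
    exclude_src: Optional[ipaddress.IPv4Network] = None  # the `! --source NET` match

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != "tcp" or pkt.dport != self.dport:
            return False
        if self.exclude_src and ipaddress.ip_address(pkt.src) in self.exclude_src:
            return False  # negated match: rule is skipped for local traffic
        return True

def traverse_nat(pkt: Packet, prerouting: list) -> Packet:
    """Apply PREROUTING DNAT rules, then `-o eth0 -s 10.0.1.0/24 -j MASQUERADE`."""
    for rule in prerouting:
        if rule.matches(pkt):
            pkt = replace(pkt, dst=rule.target[0], dport=rule.target[1])
            break  # -j DNAT is terminating: first match wins
    # A packet whose destination is now inside the private subnet is routed back
    # through the private-side interface, not eth0, so MASQUERADE does not apply.
    if (ipaddress.ip_address(pkt.src) in PRIVATE_SUBNET
            and ipaddress.ip_address(pkt.dst) not in PRIVATE_SUBNET):
        pkt = replace(pkt, src=NAT_PUBLIC_IP)
    return pkt

BROKEN = [DnatRule(80, DNAT_TARGET)]                               # rule from the comment
FIXED = [DnatRule(80, DNAT_TARGET, exclude_src=PRIVATE_SUBNET)]    # rule from the answer

def outbound_from_private(rules, src="10.0.1.126", dst="91.189.88.149") -> Packet:
    """The apt-get request from the private instance to security.ubuntu.com."""
    return traverse_nat(Packet(src, dst, 80), rules)

def inbound_from_internet(rules, src="198.51.100.7") -> Packet:
    """A client on the internet hitting the NAT instance's public port 80."""
    return traverse_nat(Packet(src, NAT_PUBLIC_IP, 80), rules)
```

With the broken rule the outbound packet's destination is rewritten to 10.0.1.126, the very host that sent it, which explains the "connection refused" in the question; with the fixed rule it is masqueraded out to the internet while inbound port-forwarding keeps working.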