
My website (korrade.com) always shows a "Connection Timed Out" error, even though in my security group "Port 80" is shown open, and SSH works fine over Port 22 (no issues). I have only ALLOW rules in my security group.

Upon debugging, I found these Network ACL rules, one of which seems strange as it's getting automatically added by AWS.

[Screenshot: NACL rules]

I believe the inclusion of this rule is causing the website to not open. Or I think something else serious is there. As of now, these are the observations from my side:

  1. I have Security Group configured, with only ALLOW rules
  2. /sbin/iptables -L (showing nothing)
  3. Telnet status of Port 80 says CLOSED
  4. Firewall Status: not Loaded

Please help anyone... Much appreciated!

After editing the NACL & SG:

[Screenshot: Security Group screen]

[Screenshot: SSH over WinSCP]

  • That's not a default ACL so you must have edited it (to add the #1 and #2 rule, and remove the default #100 ALLOW All traffic rule). Unless you need to use ACLs, don't use them. A security group is more than sufficient for most purposes. – jarmod Jul 27 '17 at 20:19
  • Please move your question to [su] (delete here, re-post there). It's [off-topic here](//stackoverflow.com/help/on-topic). – Martin Prikryl Jul 28 '17 at 06:04

1 Answer

The * rule in a Network Access Control List (NACL) is a catch-all for any packets that do not meet any of the numbered rules.

The NACL in your picture will Allow any HTTP and SSH traffic. All other traffic will be Denied.

Security Groups default to Deny all inbound traffic and Allow all outbound traffic. You should then typically add rules to the Inbound traffic based upon the needs of your application and server.

NACLs default to Allow all inbound & outbound traffic. Traditionally, there is no need to edit a NACL because the Security Group is more appropriate. However, a NACL is Stateless, which means you need to specifically permit traffic in both directions -- inbound and outbound.

I would recommend:

  • Unless you have a good reason, reset your NACLs to default (100, All traffic, Allow) for both Inbound and Outbound
  • Try connecting to the web server via its Public IP address rather than its DNS name (to test connectivity)

If problems persist, you can Edit your question to show your Security Group settings.

John Rotenstein
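To make the stateless caveat in the answer concrete, here is an added example (not code from the question or the answer): a small model of NACL rule evaluation, with a rule set constructed to resemble the one described (allow 80 and 22 inbound, deny everything else) and compared against the default rule 100 the answer recommends restoring. The rule numbers, the client's ephemeral port and the 1024-65535 ephemeral range are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass
class Rule:
    number: Optional[int]      # None models the catch-all "*" rule at the end of the list
    port_range: Tuple[int, int]
    action: str                # "ALLOW" or "DENY"

def evaluate(rules: List[Rule], port: int) -> str:
    """NACL semantics: the lowest-numbered matching rule wins; '*' decides if none match."""
    numbered = sorted((r for r in rules if r.number is not None), key=lambda r: r.number)
    for rule in numbered:
        lo, hi = rule.port_range
        if lo <= port <= hi:
            return rule.action
    catch_all = next(r for r in rules if r.number is None)
    return catch_all.action

def http_round_trip(inbound: List[Rule], outbound: List[Rule], client_port: int) -> dict:
    """A NACL is stateless: the request (to port 80) and the reply (back to the client's
    ephemeral port) are checked independently against the inbound and outbound rule sets."""
    return {"request_in": evaluate(inbound, 80), "reply_out": evaluate(outbound, client_port)}

def security_group_round_trip(inbound_allowed_ports: Set[int], client_port: int) -> dict:
    """A security group is stateful: once the request is allowed in, the reply is tracked
    and allowed out automatically, whatever the outbound rules say."""
    verdict = "ALLOW" if 80 in inbound_allowed_ports else "DENY"
    return {"request_in": verdict, "reply_out": verdict}

DENY_ALL = Rule(None, (0, 65535), "DENY")
# Constructed to resemble the question's edited NACL: allow 80 and 22 in, nothing else.
LOCKED_INBOUND = [Rule(1, (80, 80), "ALLOW"), Rule(2, (22, 22), "ALLOW"), DENY_ALL]
LOCKED_OUTBOUND = [DENY_ALL]                     # no outbound allow: replies never leave
# The default NACL the answer recommends: rule 100 allows all traffic in both directions.
DEFAULT = [Rule(100, (0, 65535), "ALLOW"), DENY_ALL]
# A narrower outbound fix (constructed): allow the ephemeral port range for replies.
EPHEMERAL_OUTBOUND = [Rule(100, (1024, 65535), "ALLOW"), DENY_ALL]

if __name__ == "__main__":
    for name, out in [("locked", LOCKED_OUTBOUND), ("default", DEFAULT), ("ephemeral", EPHEMERAL_OUTBOUND)]:
        print(name, http_round_trip(LOCKED_INBOUND, out, client_port=51234))
    print("security group", security_group_round_trip({80, 22}, client_port=51234))
```

Running it shows the locked NACL admitting the request but dropping the reply, which a browser sees as a timeout rather than a refusal; the default and ephemeral-range outbound rules both let the reply through.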
  • Hi John, as per your suggestion I did reset all my NACLs and SGs. Now only in my SG I have set up a rule to allow HTTP & SSH. But surprisingly it's only allowing SSH connections, whereas HTTP is still not open. I have edited the question and added a screen of my SG now. Even tried with the All Traffic option, still no luck – Genelia D'costa Jul 28 '17 at 02:17
  • Try logging into the instance via SSH then using `curl http://localhost` to confirm that your web server is running. If so, try connecting to the instance from your own computer by connecting to the **Public IP Address** of the instance (not its domain name). Could you please also include a picture of your Inbound Security Group that is associated with the instance. – John Rotenstein Jul 28 '17 at 02:19
  • It says "0curl: (7) Failed to connect to localhost port 80: Connection refused"... Here is the snap of the Inbound Security Group https://i.stack.imgur.com/Cx33G.jpg – Genelia D'costa Jul 28 '17 at 02:25
  • If you log in to the instance itself and run `curl http://localhost` and it returns an error, it means that the web server (or whatever web application) you are running on that server is not responding. It is *not* a network/security problem -- your application itself is not responding as a web server. Get whoever installed it to fix it. – John Rotenstein Jul 28 '17 at 02:40
  • Mine is a static website, with just an index.html file. I am not using any complex code or self-configured Apache. Just one last thing: could you suggest if the Amazon Key Pair / Certificate which it tells you to install in your directory could be causing an issue? It's because I restarted my instance, and it gave me new IP sets altogether – Genelia D'costa Jul 28 '17 at 02:53
  • Are you running a web server on the EC2 instance? If not, that explains your problem -- nothing is serving your web pages. If all you want is a static website, I would recommend using [Amazon S3 static website hosting](http://docs.aws.amazon.com/AmazonS3/latest/user-guide/static-website-hosting.html). – John Rotenstein Jul 28 '17 at 02:59
  • Sure thanks, I guess with your help I am much closer to finding a solution now. – Genelia D'costa Jul 28 '17 at 03:03
  • I don't understand what you mean by "closer to finding a solution"? If your intention is to serve web pages from that server, then your solution is to run a web server on the instance. If your goal is to have a static website, use Amazon S3 instead of Amazon EC2. It's cheaper and easier. – John Rotenstein Jul 28 '17 at 03:08