47

Yesterday, I set up my first Always Free compute VM. I installed Ubuntu 18.04 minimal on my VM. For my web service needs, I installed Nginx. I'm confused because when I tried to access my public IP via a web browser, the Nginx welcome page didn't load. I think that is because port 80 isn't open. So, I tried to open it by setting Ingress Rules in the Security List Details menu as in the picture below.

[Image: Ingress Rule for port 80]

But now, I still can't access the web server in my VM. Maybe there are more experienced people in Oracle Cloud who can help me solve this. Thank you

  • 1
    Did nginx start? Can you see access.log? – Belegnar Jun 11 '20 at 16:37
  • yes, Nginx started and the error log is empty – irham nur mahabbatullah i. Jun 11 '20 at 23:19
  • In my case the Oracle maintenance caused a reboot, which reset my custom port; and I don't know how to save the changes to prevent that (`chkconfig iptables on` requires a password I do not have). – I had to re-open the port via `sudo iptables -I INPUT 5 -m state --state NEW -p tcp --dport 80 -j ACCEPT -m comment --comment "CUSTOM: allow ingress (see OracleCloud SecurityList for instance's subnet), for Nginx"`. – Kamafeather Aug 24 '22 at 19:35

6 Answers

159

I wasted a lot of time on this. I wish I had found this first: https://docs.cloud.oracle.com/en-us/iaas/developer-tutorials/tutorials/apache-on-ubuntu/01oci-ubuntu-apache-summary.htm

  1. configure ingress route for port 80
  2. install ubuntu.
  3. install apache/nginx
  4. curl localhost should bring back the webpage in text format, however it fails over the internet.
  5. forget the ufw firewall - this may cause issues with the Oracle firewall
  6. use

$ sudo iptables -I INPUT 6 -m state --state NEW -p tcp --dport 80 -j ACCEPT
$ sudo netfilter-persistent save

  7. test your web page over the internet
JohnC
  • 13
    Great point! I used ufw and it never worked and wasted a ton of time. – Farshid Oct 05 '20 at 19:28
  • 17
    step 6 saved me! Did some docs-digging and for anyone curious about iptables command: "INPUT" is a "table/chain" of packet filtering rules for incoming packets. "-I" and "6" insert a new rule in the 6th slot in this table, which currently has a global reject rule for anything other than SSH and a few other things. "-m state --state NEW" matches for new connections. "-p tcp" matches the TCP protocols. "--dport 80" matches for a destination port of 80 (HTTP). And "-j ACCEPT" means "jump" straight to the action of accepting the packet – pearcemerritt Feb 01 '21 at 06:42
  • 1
    Thank you. I had been breaking my head over this since yesterday. It's now up and running. – gouravkr May 24 '21 at 08:02
  • It solved my problem on Ubuntu 20.04 (Canonical-Ubuntu-20.04-Minimal-2021.06.14-0) installed on an Oracle Cloud instance. `ufw` might cause the problem. I have disabled and uninstalled ufw, and step 6 has made port 80 nginx available on the internet. – chmin.seo Jul 08 '21 at 04:16
  • @JohnC This finally solved my issue!! I thought I disabled the local firewall though. Any idea why `sudo ufw disable` wouldn't work? – Sam Liu Aug 10 '21 at 02:53
  • I had followed the official docs from Oracle but they didn't mention the `ufw` part. Thank you! – yusufmalikul Sep 08 '21 at 13:59
  • I'm trying to use this but my ubuntu returns: iptables: Index of insertion too big. – Arthur Dec 07 '21 at 16:33
  • thanks, it really worked. I had been contacting OCI support for 3 days but they didn't help – Hasan Elsherbiny Dec 14 '21 at 18:08
  • Thanks for this! iptables works! There are default INPUT and OUTPUT limits in place for Oracle Cloud. – MewX Jan 23 '22 at 05:24
  • the fastest route to open ports from the dashboard is: `Networking > Virtual Cloud Networks > vcn-20221234-1234 > Security List Details` – scavenger Feb 18 '22 at 01:08
  • still not working for me – Arjun Prakash Feb 18 '22 at 06:42
  • Worked for me as of 2022-08-24. – Jerry Aug 24 '22 at 14:08
  • https://blogs.oracle.com/developers/post/enabling-network-traffic-to-ubuntu-images-in-oracle-cloud-infrastructure according to this doc page, under Host Firewall, ufw is problematic with Oracle; don't use it with OC – Abbas Elmas Aug 30 '22 at 06:55
  • Thank you sir for this solution. Was stuck on this since yesterday and it now finally works! Throwing in some keywords for anybody else facing this issue in future: Oracle OCI Nginx HTTP 80 port localhost works internet not accessible – acidburn23 Dec 14 '22 at 16:34
  • it worked without adding the -6 flag, thanks – younes zeboudj Jun 08 '23 at 11:04
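The hard-coded `6` in the iptables command above is only right when the chain has exactly five rules before Oracle's default REJECT rule; on a shorter chain it fails with "Index of insertion too big" (as one comment reports), and on a longer one the ACCEPT can land after the REJECT and never match. This added example (not from any answer on this page) reads an `iptables -S INPUT` dump and computes the slot just before the first REJECT rule; the chain dump below is constructed to resemble the default Oracle Ubuntu image, and `open_port_cmd` is a hypothetical helper name.

```shell
#!/bin/sh
# reject_index: read `iptables -S INPUT` output on stdin and print the 1-based
# position of the first "-j REJECT" rule in the INPUT chain. If the chain has
# no REJECT rule, print (rule count + 1) so an insert simply appends.
reject_index() {
    awk '
        /^-A INPUT/ { n++; if (!found && / -j REJECT/) { found = n } }
        END { print (found ? found : n + 1) }
    '
}

# open_port_cmd PORT: print the iptables command that inserts an ACCEPT for
# new TCP connections to PORT directly in front of the REJECT rule, so the
# insertion index is derived from the live chain rather than assumed.
open_port_cmd() {
    idx=$(reject_index)
    printf 'iptables -I INPUT %s -m state --state NEW -p tcp --dport %s -j ACCEPT\n' "$idx" "$1"
}

# Constructed sample chain (assumption: resembles the default Oracle Ubuntu
# image, where rule 6 is the catch-all REJECT that the answers work around).
SAMPLE_INPUT='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Offline demonstration on the sample; on a real host run as root:
#   sudo iptables -S INPUT | open_port_cmd 80 | sudo sh
#   sudo netfilter-persistent save
echo "$SAMPLE_INPUT" | open_port_cmd 80
```

Review the printed command before executing it, and keep the matching Ingress Rule in the Security List, since the host firewall and the VCN security list are both evaluated.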
40

This is how I did it without directly meddling with iptables.

First, create an Ingress Rule in the Oracle Cloud VPS's dashboard under Networking/Virtual Cloud Networks, for example for port range 23-90.

[Image: Ingress Rule port range 23-90]

Next, install firewalld in Ubuntu (firewalld is available in CentOS, I think)

sudo apt-get install firewalld
sudo systemctl enable firewalld
sudo systemctl start firewalld

You only need to do this one time. It will still be there after a reboot.

Then, to open port 80:

sudo firewall-cmd --zone=public --add-port=80/tcp --permanent  # or --add-service=http
sudo firewall-cmd --reload

To verify:

sudo firewall-cmd --list-all

Output:

public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 80/tcp
  ...

The same applies to opening other port(s). You can easily remove the port (--remove-port=80/tcp plus a --reload); refer to the firewalld docs.

To test from a remote computer:

  1. run a web server on port 80 in the Oracle Cloud VPS if one is not already running, for example:

python3 -m http.server 80

  2. on a remote computer:

curl ip-of-oc-vps:80
    

I also wasted a lot of time on the Oracle Cloud Always Free VPS's firewall. I hope this can save other people some time.

mikey
  • 4
    To locate Ingress Rules (rather obscure I'd say, it took me a while even for my second run after a while. I detailed it here for future reference): from the Oracle Cloud VPS's dashboard/Networking/Virtual Cloud Networks/, click the name of the VCN (e.g. VirtualCloudNetwork-2019), click Security Lists, click the name of a list (e.g. Default Security List for VirtualCloudNetwork-2019). Two Ingress Rules will be shown. (The default Ingress Rules are very strict.) These can be modified. – mikey Apr 01 '21 at 06:19
  • I followed these instructions on an "almost-free" Oracle ARM instance running Ubuntu 20.04.3. `sudo apt-get install firewalld` enables and starts `firewalld`, no need for telling `systemctl` to do so. OTOH I could enable HTTP(S) only with the "long commands", e.g. `sudo firewall-cmd --zone=public --add-port=80/tcp --permanent`, the short `sudo firewall-cmd --add-service=http` didn't seem to have an effect. YMMV of course. – András Aszódi Sep 11 '21 at 07:31
  • Okay, this actually works for me. I don't know how important the `--reload` part is, but the `--permanent` part is actually important, otherwise it won't be shown on `--list-all`. Also, to make things a bit clearer, the interchangeable part is `--add-port` with `--add-service` – Tommy Aria Pradana Mar 20 '22 at 02:09
  • 3
    WARNING: if you have docker installed before firewalld, **it will break Docker's networking**. You have to re-install docker after firewalld to have the networking configured for firewalld. – abdusco Apr 30 '22 at 03:34
  • 2
    ANOTHER WARNING: After I updated my Ubuntu 20.04 instance on OCI to 22.04, `firewalld` stopped without a warning. Had to enable/start it again. Also had to restart Docker. – András Aszódi Nov 03 '22 at 10:57
2
$ sudo iptables -I INPUT 6 -m state --state NEW -p tcp --dport 80 -j ACCEPT

$ sudo iptables -I INPUT 6 -m state --state NEW -p tcp --dport 443 -j ACCEPT

$ sudo netfilter-persistent save
xpredo
1

If you have an Internet Gateway and Route Table configured, you might still need to check the OS-level firewall. If that is not configured, you might need to execute this command: `sudo ufw allow http`. For more details please see: How to Open/Allow incoming firewall port on Ubuntu

lsarecz
1

In my case (CentOS 8 image), firewall-cmd saved the rules, but the ports didn't work. The reason is that the system uses iptables and not nftables. So, change this in the /etc/firewalld/firewalld.conf file

# FirewallBackend=nftables
FirewallBackend=iptables

and

# systemctl restart firewalld   # restart the firewalld service so the new backend takes effect

did the trick.

LennyLip
  • to clarify: nftables did partially work, but I suppose it didn't create states; I could tcpdump ingress traffic after opening the port, but absolutely no egress, and netcat couldn't establish the connection – Eugene Petrov Aug 21 '21 at 21:04
1

You need to allow the firewall for the port you want.

Suppose you want the HTTP and HTTPS ports on your instance up; then the following commands would suffice.

sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT

Then save the iptables rules so they persist after the next reboot by

sudo service iptables save

Also make sure you have kept the ingress rules for the ports on Oracle Cloud console.