I have following Security Group attached to AWS instance.
I installed Apache When I try to access it from browser I see This site can’t be reached
following is some useful info to debug what is issue.
root#ip-172-31-31-29:~# netstat -atn |grep :80
tcp6 0 0 :::80 :::* LISTEN
EDIT
Here is updated screenshot of the Security Group.
It looks like you're allowing IPv6 traffic. Is this what you desire? I would change your security group to allow 0.0.0.0/0 for http.
If you do desire IPv6 I would start with running curl locally and see what it tells you
curl -k localhost
From there you then should ensure IPTables is properly configured and that SELinux is properly configured.
Related
I have installed gitlab on lxc container in a proxmox.
It works like gitlab<->proxy<->cloudflare.
Everything works fine except SSH clone/push/pull, BUT, if I'll add an entry to the /ets/hosts (on the local machine or any other server where im using gitlab) line my public IP of the proxy and domain name of my gitlab - its OK.
proxy VM is lxc container too. There im just redirecting 22 port to gitlab VM with a rule
-A PREROUTING -d AAA.AAA.AAA.AAA/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.10.150:22
ssh -T git#git.MYHOST
this works with entry in hosts file. But if remove - its not working.
ERRORS:
# git pull
ssh: connect to host git.peacedata.su port 22: Network is unreachable
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
UPD on 24.04.2020
I found out, that Cloudflare blocks 22port.
I have some workaround, but I need most "beautiful" solution)).
So, I just added direct IP address to /etc/hosts and all works as a charm.
More explained about cloudflare opened ports and why so on link: https://blog.cloudflare.com/cloudflare-now-supporting-more-ports/
I have a container setup with LXD running several wordpress webpages (apache2)
All is working fine.
I added portforwarding by:
lxc config device add CONTAINER lxd_proxy_port80 proxy listen=tcp:0.0.0.0:80 connect=tcp:INTERNALIP:80
…and same for port 443. Thats all working correctly.
Unfortunately I cannot see originating IP’s in my apache2 logs (var/log/apache2/access.log) but only see the local IP.
By using iptables I wanted to change this. I did:
iptables -A FORWARD -p tcp -d LOCALIP --dport 443 -j ACCEPT
iptables -A FORWARD -p tcp -d LOCALIP --dport 80 -j ACCEPT
and deleting my proxy device with
lxc config device remove CONTAINER lxd_proxy_port80
lxc config device remove CONTAINER lxd_proxy_port443
I can actually access files on my server correctly and I also see now my external IP in the apache2 access logs.
However, wordpress does not reach update-servers anymore (external) and seems to have problems reaching the outside world and one of my wordpress pages cannot access the index.php file anymore (it hangs loading). I suppose the latter effect is due to some external content not being loaded correctly.
Could you help me understand what is going on?
This conversation answers the questions:
https://discuss.linuxcontainers.org/t/iptables-apache-in-lxd-container/6143
A good video on this:
https://www.youtube.com/watch?v=1p-fbS_OYTg
My solution did end up working by adding a -d MYIP/32 in the iptables rule to only make it apply for incoming traffic.
I am trying to connect to tensorboard on my google compute engine instance but it is not working.
I have an anacondo distribution and use:
tensorboard --logdir=/logs
to create my tensorboard at default port 6006.
I also allowed HTTP/HTTPS traffic at my instance and also edited my firewall rules to allow traffic at:
IP ranges: 0.0.0.0/0
tcp:6006
udp:6006
But, when I try to acess my tensorboard at
http://EXTERNAL_IP:6006
I get a timeout loading.
Can anybody help me?
Normally this type of configuration is related to port communication issues. Go ahead and get all the available ports with nmap, and you should see something as following:
$ nmap -Pn [YOUR IP ADDRESS]
PORT STATE SERVICE
22/tcp open ssh
80/tcp closed http
443/tcp closed https
3389/tcp closed ms-wbt-server
Once, you confirm if the port "6006" is open, check if it can connect to your server with a telnet:
$ telnet [YOUR IP ADDRESS] [YOUR PORT]
telnet: Unable to connect to remote host: Connection refused
If you get "connection refused" make sure not only that this port is "open" but that it's "listening" as well (remember this needs to be configured on your application in your web server). You can check that with a netstat as following:
$ netstat -an | egrep -w “6006”
And you should see something like this (example for port 22):
$ netstat -an | grep 22
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
If it says 127.0.0.1 on the Local Address column, it means that port is ONLY listening for connections from your PC itself, not from the Internet or network. If it says 0.0.0.0, it means that port is listening on all 'network interfaces' (i.e. your computer, your modem(s) and your network card(s)).
Thus, the IP you need is the one as the example (0.0.0.0), since this means all IPs can reach that specific port. Plus, you must see the “Listen” status.
In addition, make sure to set up properly the Firewall rules in GCP and your software running on the instance itself to allow traffic to/from this port “6006” in specific, either to any instance or to a specific one using network tags.
I have a GCE Instance a Debian 1v CPU & 1.7GB. Then I followed the below tutorial and installed webmin on it.
https://www.howtoforge.com/tutorial/how-to-install-webmin-on-ubuntu-15-04/
The installation went successfully. Then I Created a Firewall exception on using the UFW and allowed port 10000.
sudo ufw allow 10000/tcp
But I was not able to access Webmin through the browser.
https://my-gce-instance-ip-address:10000.
Then i created firewall exception using the Google Cloud Console. Again tried the url it didnt work.
Then i thought this might be because of webmin is https mode. So i open the /etc/webmin/miniserv.conf and changed ssl=0. After that i restarted the webmin.
/etc/init.d/webmin restart
Then I tried the the url with Http, still I can't access.
I tried below command and checked the output. Accordingly Webmin is correctly running and listening on port 10000.
netstat -tulpn | grep :10000.
I can't seem to think what I am doing wrong. I have now spent several days on this without and solution in sight. Hope someone can kindly help me?
try this ... it's working for me
iptables -I INPUT 1 -p tcp --dport 10000 -j ACCEPT
service iptables save
/etc/init.d/iptables restart
open both link in Browser
https://your-IP:10000
and
http://your-IP:10000
you need to allow port 10000 from iptables
sudo iptables -A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
this work for me
i'm using ubuntu 16.04
You don't need to do any firewall configuration in the instance itself. All firewall configuration is done in the Google Cloud console.
The steps I typically follow, as you show to have figured out in your comment, are:
Create the firewall rule, in it opening the particular port you need (10000 in the case of Webmin) for ingress TCP traffic, accepting connections from some IP range (e.g. 0.0.0.0/0), and specifying target tags to be later assigned to instances to which that rule shall apply.
Add one of those tags to the "network tags" section of some particular instance.
This alone should work, opening the port for your instance in the firewall.
I was almost creating another question here on SO when yours was suggested as a possible duplicate. I had followed the steps above on my Webmin machine, and yet the machine refused to connect on port 10000. As I kept writing the question, I figured out my particular problem: in the firewall rule, in the source IP range filter, I set the single meta-address 0.0.0.0 instead of the range 0.0.0.0/0. So, to anyone who has followed the steps above and still can't connect to their webmin installation, do check if your source range filter is correctly set.
I am not able to access Amazon EC2 instance via ssh as i am behind a firewall.
So, i thought of running ssh on port other than 22, like 80 or 443.
I tried starting Amazon EC2 instance via Web Management Console with following 'user data':
#!/bin/bash -ex
perl -pi -e 's/^#?Port 22$/Port 80/' /etc/ssh/sshd_config
service sshd restart || service ssh restart
The idea being that the above script would execute on instance startup and switch ssh from port 22 to port 80. (Ref: http://alestic.com/2010/12/ec2-ssh-port-80)
But ssh is still not accessible on port 80.
Apparently 'user data' script is not being executed on start up?
I can 'only' start stop instances via Web Management Console, not from command-line (being behind firewall)
Any ideas?
To connect to an AWS instance through ssh from a port different than default 22:
Open the security group of your instance so that it allows connections to that port from the source that you choose (0.0.0.0/0 for any source).
In your instance:
It is a new instance you could use an user-data script like this one:
#!/bin/bash -ex
perl -pi -e 's/^#?Port 22$/Port 443/' /etc/ssh/sshd_config
service sshd restart || service ssh restart
Please note that this only works if you are launching a new instance:
User data scripts and cloud-init directives only run during the first boot cycle when an instance is launched.
If it is not a new Instance, edit the /etc/ssh/sshd_config file adding/changing Port 22 to the port that you want (i.e: Port 443) to connect through ssh and then do service ssh restart and you should be done.
Note: I did this with an Ubuntu instance, with another Linux instances may be slightly different.
The amazon firewall blocks all ports other than 22. You first have to enable port 80/443/whatever.
HOWTO:
Go to "security groups" -> click on the group you chose for your instance, then on the "Inbound" tab.
There you can add your ports.
EDIT: If by chance you also installed apache or some other webserver, port 80 will be used and cannot be used by sshd. I do not know which operating system is installed on your server, but maybe some webserver is already included?
EDIT 2: As per the last comment, it seems nowadays all ports are blocked by default. So you will have to open port 22 if you need it. Wasn't the case eight years ago, but configurations change ;)
Here is what I came up with to run sshd on 443 and 22 having rhel8 on ec2
make sure your security groups allow connection from your network/ip to the desired ports (in my case 22 and 443)
tcp 443 1.2.3.4/32 #allow access to 443 from IP 1.2.3.4
tcp 22 1.2.3.4/32 #allow access to 22 from IP 1.2.3.4
Login to the EC2 and
#install semanage with
sudo yum install -y policycoreutils-python-utils
#delete 443 from http ports
sudo semanage port -d -t http_port_t -p tcp 443
#add 443 to ssh ports
sudo semanage port -m -t ssh_port_t -p tcp 443
Edit /etc/ssh/sshd_config
Port 22
Port 443
Restart sshd
sudo service sshd restart