If you need to open up ports 80 and 443, on file /etc/iptables/rules.v4 just add
-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
directly below
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
And reboot OR run bellow
sudo /sbin/iptables-restore < /etc/iptables/rules.v4
Thanks for the suggestion @11k
See that some lines of the rules.v4 file are commented with # at the beginning
| # CLOUD_IMG: This file was created/modified by the Cloud Image build process | |
| # iptables configuration for Oracle Cloud Infrastructure | |
| # See the Oracle-Provided Images section in the Oracle Cloud Infrastructure | |
| # documentation for security impact of modifying or removing these rule | |
| *filter | |
| :INPUT ACCEPT [0:0] | |
| :FORWARD ACCEPT [0:0] | |
| :OUTPUT ACCEPT [463:49013] | |
| :InstanceServices - [0:0] | |
| -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| -A INPUT -p icmp -j ACCEPT | |
| -A INPUT -i lo -j ACCEPT | |
| -A INPUT -p udp --sport 123 -j ACCEPT | |
| -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT | |
| -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| #-A INPUT -j REJECT --reject-with icmp-host-prohibited | |
| #-A FORWARD -j REJECT --reject-with icmp-host-prohibited | |
| -A OUTPUT -d 169.254.0.0/16 -j InstanceServices | |
| -A InstanceServices -d 169.254.0.2/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or re$ | |
| -A InstanceServices -d 169.254.2.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or re$ | |
| #-A InstanceServices -d 169.254.0.2/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACC$ | |
| -A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j $ | |
| -A InstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j $ | |
| #-A InstanceServices -d 169.254.0.3/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or rem$ | |
| #-A InstanceServices -d 169.254.0.4/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACC$ | |
| #-A InstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j$ | |
| -A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 67 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j $ | |
| -A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 69 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j $ | |
| -A InstanceServices -d 169.254.169.254/32 -p udp --dport 123 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT | |
| #-A InstanceServices -d 169.254.0.0/16 -p tcp -m tcp -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j REJECT --rejec$ | |
| #-A InstanceServices -d 169.254.0.0/16 -p udp -m udp -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j REJECT --rejec$ | |
| COMMIT |
Thank you, you're a lifesaver! What are the odds you just commented on a 3 year note a few days ago lol
I somehow stumbled across this old Gist and have some tips for future wanderers.
- By commenting out the rule on line 19, the server now accepts all incoming packets, rendering the
INPUTrules above it pointless.- The rule on line 17 should use the
statemodule with--state, notconntrackwith--ctstate. It also doesn't need to explicitly allowESTABLISHEDpackets because the rule on line 12 already takes care of that.- The rule on 18 is unnecessary because the server already allows all outgoing packets by default (except for the special rules applied to packets destined for
169.254.0.0/16).- Commenting out the rule on 20 activates the default
FORWARD ACCEPTpolicy on line 9. All packets will be forwarded indiscriminately.- The
InstanceServicesrules shouldn't be modified. The Oracle Cloud docs explicitly state rules having to do with port3260should be left alone, but I think you can extend that to all the rules in that chain unless you know what you're doing. Regardless, modifying them is unnecessary if the only goal is running a simple web server.If you need to open up ports
80and443, just add-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPTdirectly below
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPTand you're ready to go!
And remember to update the Security List for your Compute instance's VNC, too.
you command not work
sudo iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 443 -j ACCEPT
sudo iptables-save
sudo apt-get update
sudo apt-get install iptables-persistent -y
sudo netfilter-persistent save
sudo netfilter-persistent reload
I somehow stumbled across this old Gist and have some tips for future wanderers.
- By commenting out the rule on line 19, the server now accepts all incoming packets, rendering the
INPUTrules above it pointless.- The rule on line 17 should use the
statemodule with--state, notconntrackwith--ctstate. It also doesn't need to explicitly allowESTABLISHEDpackets because the rule on line 12 already takes care of that.- The rule on 18 is unnecessary because the server already allows all outgoing packets by default (except for the special rules applied to packets destined for
169.254.0.0/16).- Commenting out the rule on 20 activates the default
FORWARD ACCEPTpolicy on line 9. All packets will be forwarded indiscriminately.- The
InstanceServicesrules shouldn't be modified. The Oracle Cloud docs explicitly state rules having to do with port3260should be left alone, but I think you can extend that to all the rules in that chain unless you know what you're doing. Regardless, modifying them is unnecessary if the only goal is running a simple web server.If you need to open up ports
80and443, just add-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPTdirectly below
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPTand you're ready to go!
And remember to update the Security List for your Compute instance's VNC, too.you command not work sudo iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 80 -j ACCEPT sudo iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 443 -j ACCEPT
sudo iptables-save sudo apt-get update sudo apt-get install iptables-persistent -y sudo netfilter-persistent save sudo netfilter-persistent reload
You can modify the rules under the file /etc/iptables/rules.v4
this is not working.. getting following error:
iptables-restore v1.8.7 (legacy): Couldn't load target `$':No such file or directory
I somehow stumbled across this old Gist and have some tips for future wanderers.
- By commenting out the rule on line 19, the server now accepts all incoming packets, rendering the
INPUTrules above it pointless.- The rule on line 17 should use the
statemodule with--state, notconntrackwith--ctstate. It also doesn't need to explicitly allowESTABLISHEDpackets because the rule on line 12 already takes care of that.- The rule on 18 is unnecessary because the server already allows all outgoing packets by default (except for the special rules applied to packets destined for
169.254.0.0/16).- Commenting out the rule on 20 activates the default
FORWARD ACCEPTpolicy on line 9. All packets will be forwarded indiscriminately.- The
InstanceServicesrules shouldn't be modified. The Oracle Cloud docs explicitly state rules having to do with port3260should be left alone, but I think you can extend that to all the rules in that chain unless you know what you're doing. Regardless, modifying them is unnecessary if the only goal is running a simple web server.If you need to open up ports
80and443, just add-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPTdirectly below
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPTand you're ready to go!
And remember to update the Security List for your Compute instance's VNC, too.you command not work sudo iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 80 -j ACCEPT sudo iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 443 -j ACCEPT
sudo iptables-save sudo apt-get update sudo apt-get install iptables-persistent -y sudo netfilter-persistent save sudo netfilter-persistent reloadYou can modify the rules under the file /etc/iptables/rules.v4
i did edit the file, but the ports yet don't up. is there anything else that I am supposed to do?
this is my VNC security rules. I am on ubuntu 20.04 version, Ampere A1 instance on OCI
I somehow stumbled across this old Gist and have some tips for future wanderers.
- By commenting out the rule on line 19, the server now accepts all incoming packets, rendering the
INPUTrules above it pointless.- The rule on line 17 should use the
statemodule with--state, notconntrackwith--ctstate. It also doesn't need to explicitly allowESTABLISHEDpackets because the rule on line 12 already takes care of that.- The rule on 18 is unnecessary because the server already allows all outgoing packets by default (except for the special rules applied to packets destined for
169.254.0.0/16).- Commenting out the rule on 20 activates the default
FORWARD ACCEPTpolicy on line 9. All packets will be forwarded indiscriminately.- The
InstanceServicesrules shouldn't be modified. The Oracle Cloud docs explicitly state rules having to do with port3260should be left alone, but I think you can extend that to all the rules in that chain unless you know what you're doing. Regardless, modifying them is unnecessary if the only goal is running a simple web server.If you need to open up ports
80and443, just add-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPTdirectly below
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPTand you're ready to go!
And remember to update the Security List for your Compute instance's VNC, too.you command not work sudo iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 80 -j ACCEPT sudo iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 443 -j ACCEPT
sudo iptables-save sudo apt-get update sudo apt-get install iptables-persistent -y sudo netfilter-persistent save sudo netfilter-persistent reloadYou can modify the rules under the file /etc/iptables/rules.v4
i did edit the file, but the ports yet don't up. is there anything else that I am supposed to do?
My way is to change this file, then reboot, and then change the Ingress Rules in the Oracle console, the following is my configuration
-A INPUT -p tcp -m tcp -m multiport -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT --dports 80,443,10000
-A INPUT -p udp -m udp -m conntrack --dport 40700 --ctstate NEW,ESTABLISHED -j ACCEPT
I somehow stumbled across this old Gist and have some tips for future wanderers.
- By commenting out the rule on line 19, the server now accepts all incoming packets, rendering the
INPUTrules above it pointless.- The rule on line 17 should use the
statemodule with--state, notconntrackwith--ctstate. It also doesn't need to explicitly allowESTABLISHEDpackets because the rule on line 12 already takes care of that.- The rule on 18 is unnecessary because the server already allows all outgoing packets by default (except for the special rules applied to packets destined for
169.254.0.0/16).- Commenting out the rule on 20 activates the default
FORWARD ACCEPTpolicy on line 9. All packets will be forwarded indiscriminately.- The
InstanceServicesrules shouldn't be modified. The Oracle Cloud docs explicitly state rules having to do with port3260should be left alone, but I think you can extend that to all the rules in that chain unless you know what you're doing. Regardless, modifying them is unnecessary if the only goal is running a simple web server.If you need to open up ports
80and443, just add-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPTdirectly below
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPTand you're ready to go!
And remember to update the Security List for your Compute instance's VNC, too.you command not work sudo iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 80 -j ACCEPT sudo iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 443 -j ACCEPT
sudo iptables-save sudo apt-get update sudo apt-get install iptables-persistent -y sudo netfilter-persistent save sudo netfilter-persistent reloadYou can modify the rules under the file /etc/iptables/rules.v4
i did edit the file, but the ports yet don't up. is there anything else that I am supposed to do?
My way is to change this file, then reboot, and then change the Ingress Rules in the Oracle console, the following is my configuration
-A INPUT -p tcp -m tcp -m multiport -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT --dports 80,443,10000 -A INPUT -p udp -m udp -m conntrack --dport 40700 --ctstate NEW,ESTABLISHED -j ACCEPT
this doesn't to work for me at all, can you help me out? i am checking these via a portchecker.co website
doesn't seem to take any effect
this is my config file changes
-A INPUT -p tcp -m tcp -m multiport -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT --dports 80,443,51820
-A INPUT -p udp -m udp -m conntrack --dport 51820 --ctstate NEW,ESTABLISHED -j ACCEPT
my ingress rules
my egress rules
i'm trying for a wireguard connection too :(, but can't seem to get any ports open at all
I somehow stumbled across this old Gist and have some tips for future wanderers.
- By commenting out the rule on line 19, the server now accepts all incoming packets, rendering the
INPUTrules above it pointless.- The rule on line 17 should use the
statemodule with--state, notconntrackwith--ctstate. It also doesn't need to explicitly allowESTABLISHEDpackets because the rule on line 12 already takes care of that.- The rule on 18 is unnecessary because the server already allows all outgoing packets by default (except for the special rules applied to packets destined for
169.254.0.0/16).- Commenting out the rule on 20 activates the default
FORWARD ACCEPTpolicy on line 9. All packets will be forwarded indiscriminately.- The
InstanceServicesrules shouldn't be modified. The Oracle Cloud docs explicitly state rules having to do with port3260should be left alone, but I think you can extend that to all the rules in that chain unless you know what you're doing. Regardless, modifying them is unnecessary if the only goal is running a simple web server.If you need to open up ports
80and443, just add-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPTdirectly below
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPTand you're ready to go!
And remember to update the Security List for your Compute instance's VNC, too.you command not work sudo iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 80 -j ACCEPT sudo iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 443 -j ACCEPT
sudo iptables-save sudo apt-get update sudo apt-get install iptables-persistent -y sudo netfilter-persistent save sudo netfilter-persistent reloadYou can modify the rules under the file /etc/iptables/rules.v4
i did edit the file, but the ports yet don't up. is there anything else that I am supposed to do?
My way is to change this file, then reboot, and then change the Ingress Rules in the Oracle console, the following is my configuration
-A INPUT -p tcp -m tcp -m multiport -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT --dports 80,443,10000 -A INPUT -p udp -m udp -m conntrack --dport 40700 --ctstate NEW,ESTABLISHED -j ACCEPT
this doesn't to work for me at all, can you help me out? i am checking these via a portchecker.co website doesn't seem to take any effect this is my config file changes
-A INPUT -p tcp -m tcp -m multiport -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT --dports 80,443,51820 -A INPUT -p udp -m udp -m conntrack --dport 51820 --ctstate NEW,ESTABLISHED -j ACCEPTmy ingress rules
i'm trying for a wireguard connection too :(, but can't seem to get any ports open at all
Try using iptables -L to see if it works
iptables -L
I somehow stumbled across this old Gist and have some tips for future wanderers.
- By commenting out the rule on line 19, the server now accepts all incoming packets, rendering the
INPUTrules above it pointless.- The rule on line 17 should use the
statemodule with--state, notconntrackwith--ctstate. It also doesn't need to explicitly allowESTABLISHEDpackets because the rule on line 12 already takes care of that.- The rule on 18 is unnecessary because the server already allows all outgoing packets by default (except for the special rules applied to packets destined for
169.254.0.0/16).- Commenting out the rule on 20 activates the default
FORWARD ACCEPTpolicy on line 9. All packets will be forwarded indiscriminately.- The
InstanceServicesrules shouldn't be modified. The Oracle Cloud docs explicitly state rules having to do with port3260should be left alone, but I think you can extend that to all the rules in that chain unless you know what you're doing. Regardless, modifying them is unnecessary if the only goal is running a simple web server.If you need to open up ports
80and443, just add-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPTdirectly below
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPTand you're ready to go!
And remember to update the Security List for your Compute instance's VNC, too.you command not work sudo iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 80 -j ACCEPT sudo iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 443 -j ACCEPT
sudo iptables-save sudo apt-get update sudo apt-get install iptables-persistent -y sudo netfilter-persistent save sudo netfilter-persistent reloadYou can modify the rules under the file /etc/iptables/rules.v4
i did edit the file, but the ports yet don't up. is there anything else that I am supposed to do?
My way is to change this file, then reboot, and then change the Ingress Rules in the Oracle console, the following is my configuration
-A INPUT -p tcp -m tcp -m multiport -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT --dports 80,443,10000 -A INPUT -p udp -m udp -m conntrack --dport 40700 --ctstate NEW,ESTABLISHED -j ACCEPT
this doesn't to work for me at all, can you help me out? i am checking these via a portchecker.co website doesn't seem to take any effect this is my config file changes
-A INPUT -p tcp -m tcp -m multiport -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT --dports 80,443,51820 -A INPUT -p udp -m udp -m conntrack --dport 51820 --ctstate NEW,ESTABLISHED -j ACCEPTmy ingress rules
i'm trying for a wireguard connection too :(, but can't seem to get any ports open at allTry using iptables -L to see if it works
iptables -L
what should i be looking for exactly? this my result after the command
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:ntp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp multiport dports http,https,51820 ctstate NEW,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
I somehow stumbled across this old Gist and have some tips for future wanderers.
- By commenting out the rule on line 19, the server now accepts all incoming packets, rendering the
INPUTrules above it pointless.- The rule on line 17 should use the
statemodule with--state, notconntrackwith--ctstate. It also doesn't need to explicitly allowESTABLISHEDpackets because the rule on line 12 already takes care of that.- The rule on 18 is unnecessary because the server already allows all outgoing packets by default (except for the special rules applied to packets destined for
169.254.0.0/16).- Commenting out the rule on 20 activates the default
FORWARD ACCEPTpolicy on line 9. All packets will be forwarded indiscriminately.- The
InstanceServicesrules shouldn't be modified. The Oracle Cloud docs explicitly state rules having to do with port3260should be left alone, but I think you can extend that to all the rules in that chain unless you know what you're doing. Regardless, modifying them is unnecessary if the only goal is running a simple web server.If you need to open up ports
80and443, just add-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPTdirectly below
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPTand you're ready to go!
And remember to update the Security List for your Compute instance's VNC, too.you command not work sudo iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 80 -j ACCEPT sudo iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 443 -j ACCEPT
sudo iptables-save sudo apt-get update sudo apt-get install iptables-persistent -y sudo netfilter-persistent save sudo netfilter-persistent reloadYou can modify the rules under the file /etc/iptables/rules.v4
i did edit the file, but the ports yet don't up. is there anything else that I am supposed to do?
My way is to change this file, then reboot, and then change the Ingress Rules in the Oracle console, the following is my configuration
-A INPUT -p tcp -m tcp -m multiport -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT --dports 80,443,10000 -A INPUT -p udp -m udp -m conntrack --dport 40700 --ctstate NEW,ESTABLISHED -j ACCEPT
this doesn't to work for me at all, can you help me out? i am checking these via a portchecker.co website doesn't seem to take any effect this is my config file changes
-A INPUT -p tcp -m tcp -m multiport -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT --dports 80,443,51820 -A INPUT -p udp -m udp -m conntrack --dport 51820 --ctstate NEW,ESTABLISHED -j ACCEPTmy ingress rules
i'm trying for a wireguard connection too :(, but can't seem to get any ports open at allTry using iptables -L to see if it works
iptables -Lwhat should i be looking for exactly? this my result after the command
target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT udp -- anywhere anywhere udp spt:ntp ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh ACCEPT tcp -- anywhere anywhere tcp multiport dports http,https,51820 ctstate NEW,ESTABLISHED REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
It seems that tcp connections on ports 80, 443, and 51820 have been allowed. But the udp connection of port 51820 used by wireguard does not seem to be effective.
I somehow stumbled across this old Gist and have some tips for future wanderers.
- By commenting out the rule on line 19, the server now accepts all incoming packets, rendering the
INPUTrules above it pointless.- The rule on line 17 should use the
statemodule with--state, notconntrackwith--ctstate. It also doesn't need to explicitly allowESTABLISHEDpackets because the rule on line 12 already takes care of that.- The rule on 18 is unnecessary because the server already allows all outgoing packets by default (except for the special rules applied to packets destined for
169.254.0.0/16).- Commenting out the rule on 20 activates the default
FORWARD ACCEPTpolicy on line 9. All packets will be forwarded indiscriminately.- The
InstanceServicesrules shouldn't be modified. The Oracle Cloud docs explicitly state rules having to do with port3260should be left alone, but I think you can extend that to all the rules in that chain unless you know what you're doing. Regardless, modifying them is unnecessary if the only goal is running a simple web server.If you need to open up ports
80and443, just add-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPTdirectly below
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPTand you're ready to go!
And remember to update the Security List for your Compute instance's VNC, too.you command not work sudo iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 80 -j ACCEPT sudo iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 443 -j ACCEPT
sudo iptables-save sudo apt-get update sudo apt-get install iptables-persistent -y sudo netfilter-persistent save sudo netfilter-persistent reloadYou can modify the rules under the file /etc/iptables/rules.v4
i did edit the file, but the ports yet don't up. is there anything else that I am supposed to do?
My way is to change this file, then reboot, and then change the Ingress Rules in the Oracle console, the following is my configuration
-A INPUT -p tcp -m tcp -m multiport -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT --dports 80,443,10000 -A INPUT -p udp -m udp -m conntrack --dport 40700 --ctstate NEW,ESTABLISHED -j ACCEPT
this doesn't to work for me at all, can you help me out? i am checking these via a portchecker.co website doesn't seem to take any effect this is my config file changes
-A INPUT -p tcp -m tcp -m multiport -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT --dports 80,443,51820 -A INPUT -p udp -m udp -m conntrack --dport 51820 --ctstate NEW,ESTABLISHED -j ACCEPTmy ingress rules
i'm trying for a wireguard connection too :(, but can't seem to get any ports open at allTry using iptables -L to see if it works
iptables -Lwhat should i be looking for exactly? this my result after the command
target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT udp -- anywhere anywhere udp spt:ntp ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh ACCEPT tcp -- anywhere anywhere tcp multiport dports http,https,51820 ctstate NEW,ESTABLISHED REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-host-prohibitedIt seems that tcp connections on ports 80, 443, and 51820 have been allowed. But the udp connection of port 51820 used by wireguard does not seem to be effective.
Yes, I didn't add the rule yet, put ports 443, 80 are closed via a port checker tool :(, is there anything wrong in my configuration?
I somehow stumbled across this old Gist and have some tips for future wanderers.
- By commenting out the rule on line 19, the server now accepts all incoming packets, rendering the
INPUTrules above it pointless.- The rule on line 17 should use the
statemodule with--state, notconntrackwith--ctstate. It also doesn't need to explicitly allowESTABLISHEDpackets because the rule on line 12 already takes care of that.- The rule on 18 is unnecessary because the server already allows all outgoing packets by default (except for the special rules applied to packets destined for
169.254.0.0/16).- Commenting out the rule on 20 activates the default
FORWARD ACCEPTpolicy on line 9. All packets will be forwarded indiscriminately.- The
InstanceServicesrules shouldn't be modified. The Oracle Cloud docs explicitly state rules having to do with port3260should be left alone, but I think you can extend that to all the rules in that chain unless you know what you're doing. Regardless, modifying them is unnecessary if the only goal is running a simple web server.If you need to open up ports
80and443, just add-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPTdirectly below
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPTand you're ready to go!
And remember to update the Security List for your Compute instance's VNC, too.you command not work sudo iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 80 -j ACCEPT sudo iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 443 -j ACCEPT
sudo iptables-save sudo apt-get update sudo apt-get install iptables-persistent -y sudo netfilter-persistent save sudo netfilter-persistent reloadYou can modify the rules under the file /etc/iptables/rules.v4
i did edit the file, but the ports yet don't up. is there anything else that I am supposed to do?
My way is to change this file, then reboot, and then change the Ingress Rules in the Oracle console, the following is my configuration
-A INPUT -p tcp -m tcp -m multiport -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT --dports 80,443,10000 -A INPUT -p udp -m udp -m conntrack --dport 40700 --ctstate NEW,ESTABLISHED -j ACCEPT
this doesn't to work for me at all, can you help me out? i am checking these via a portchecker.co website doesn't seem to take any effect this is my config file changes
-A INPUT -p tcp -m tcp -m multiport -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT --dports 80,443,51820 -A INPUT -p udp -m udp -m conntrack --dport 51820 --ctstate NEW,ESTABLISHED -j ACCEPTmy ingress rules
i'm trying for a wireguard connection too :(, but can't seem to get any ports open at allTry using iptables -L to see if it works
iptables -Lwhat should i be looking for exactly? this my result after the command
target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT udp -- anywhere anywhere udp spt:ntp ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh ACCEPT tcp -- anywhere anywhere tcp multiport dports http,https,51820 ctstate NEW,ESTABLISHED REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-host-prohibitedIt seems that tcp connections on ports 80, 443, and 51820 have been allowed. But the udp connection of port 51820 used by wireguard does not seem to be effective.
Yes, I didn't add the rule yet, put ports 443, 80 are closed via a port checker tool :(, is there anything wrong in my configuration?
Do you have services on ports 80 and 443? Because I am sure that my two ports have been successfully opened. When there is no service listening to the port, your portchecker.co tool shows that my two ports are closed.
I somehow stumbled across this old Gist and have some tips for future wanderers.
- By commenting out the rule on line 19, the server now accepts all incoming packets, rendering the
INPUTrules above it pointless.- The rule on line 17 should use the
statemodule with--state, notconntrackwith--ctstate. It also doesn't need to explicitly allowESTABLISHEDpackets because the rule on line 12 already takes care of that.- The rule on 18 is unnecessary because the server already allows all outgoing packets by default (except for the special rules applied to packets destined for
169.254.0.0/16).- Commenting out the rule on 20 activates the default
FORWARD ACCEPTpolicy on line 9. All packets will be forwarded indiscriminately.- The
InstanceServicesrules shouldn't be modified. The Oracle Cloud docs explicitly state rules having to do with port3260should be left alone, but I think you can extend that to all the rules in that chain unless you know what you're doing. Regardless, modifying them is unnecessary if the only goal is running a simple web server.If you need to open up ports
80and443, just add-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPTdirectly below
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPTand you're ready to go!
And remember to update the Security List for your Compute instance's VNC, too.you command not work sudo iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 80 -j ACCEPT sudo iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 443 -j ACCEPT
sudo iptables-save sudo apt-get update sudo apt-get install iptables-persistent -y sudo netfilter-persistent save sudo netfilter-persistent reloadYou can modify the rules under the file /etc/iptables/rules.v4
i did edit the file, but the ports yet don't up. is there anything else that I am supposed to do?
My way is to change this file, then reboot, and then change the Ingress Rules in the Oracle console, the following is my configuration
-A INPUT -p tcp -m tcp -m multiport -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT --dports 80,443,10000 -A INPUT -p udp -m udp -m conntrack --dport 40700 --ctstate NEW,ESTABLISHED -j ACCEPT
this doesn't to work for me at all, can you help me out? i am checking these via a portchecker.co website doesn't seem to take any effect this is my config file changes
-A INPUT -p tcp -m tcp -m multiport -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT --dports 80,443,51820 -A INPUT -p udp -m udp -m conntrack --dport 51820 --ctstate NEW,ESTABLISHED -j ACCEPTmy ingress rules
i'm trying for a wireguard connection too :(, but can't seem to get any ports open at allTry using iptables -L to see if it works
iptables -Lwhat should i be looking for exactly? this my result after the command
target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT udp -- anywhere anywhere udp spt:ntp ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh ACCEPT tcp -- anywhere anywhere tcp multiport dports http,https,51820 ctstate NEW,ESTABLISHED REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-host-prohibitedIt seems that tcp connections on ports 80, 443, and 51820 have been allowed. But the udp connection of port 51820 used by wireguard does not seem to be effective.
Yes, I didn't add the rule yet, put ports 443, 80 are closed via a port checker tool :(, is there anything wrong in my configuration?
Do you have services on ports 80 and 443? Because I am sure that my two ports have been successfully opened. When there is no service listening to the port, your portchecker.co tool shows that my two ports are closed.
no services are running on the ports, as of now, lemme just check with the services running on them, and get back to you
Thank you for the help, my services started working, after I setup a service to the ports, thank you for your help 😄 , much appreciated and thank you for your time 😄
@theinhumaneme @AethLi @11k
Is there any way for IPv4 to work in FTP (VSFTPD) with Ubuntu 22.04?
IPv6 works perfectly well, there are currently no restrictions concerning IPv6.
-A INPUT -p tcp --dport 20 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 12000:12100 -j ACCEPT
This made it work smoothly on IPv4 using Fileziila.
However, I have an application that needs to connect to FTP. The login succeeds, but I couldn't do anything but connect.
It shows this error.
"227 entering passive mode ftp error"
I tried everything, so I came to the conclusion that the problem is the Firewall blocking IPv4.
portchecker.co
Obrigado pela ajuda, meus serviços começaram a funcionar, depois que configurei um serviço para as portas, obrigado pela ajuda😄, muito apreciado e obrigado pelo seu tempo😄
@theinhumaneme @AethLi @11k Is there any way for IPv4 to work in FTP (VSFTPD) with Ubuntu 22.04? IPv6 works perfectly well, there are currently no restrictions concerning IPv6.
-A INPUT -p tcp --dport 20 -j ACCEPT -A INPUT -p tcp --dport 21 -j ACCEPT -A INPUT -p tcp --dport 12000:12100 -j ACCEPTThis made it work smoothly on IPv4 using Fileziila. However, I have an application that needs to connect to FTP. The login succeeds, but I couldn't do anything but connect.
It shows this error. "227 entering passive mode ftp error"
I tried everything, so I came to the conclusion that the problem is the Firewall blocking IPv4.
Hello goodnight!
I'm facing the same problem you had, I've done everything and I can't access port 80 or 443.
Could you help me by showing how you did it?
Thank you very much!
I somehow stumbled across this old Gist and have some tips for future wanderers.
INPUTrules above it pointless.statemodule with--state, notconntrackwith--ctstate. It also doesn't need to explicitly allowESTABLISHEDpackets because the rule on line 12 already takes care of that.169.254.0.0/16).FORWARD ACCEPTpolicy on line 9. All packets will be forwarded indiscriminately.InstanceServicesrules shouldn't be modified. The Oracle Cloud docs explicitly state rules having to do with port3260should be left alone, but I think you can extend that to all the rules in that chain unless you know what you're doing. Regardless, modifying them is unnecessary if the only goal is running a simple web server.If you need to open up ports
80and443, just adddirectly below
and you're ready to go!
And remember to update the Security List for your Compute instance's VNC, too.