If you need to open up ports 80 and 443, on file /etc/iptables/rules.v4 just add
-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
directly below
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
And reboot OR run bellow
sudo /sbin/iptables-restore < /etc/iptables/rules.v4
Thanks for the suggestion @11k
See that some lines of the rules.v4 file are commented with # at the beginning
| # CLOUD_IMG: This file was created/modified by the Cloud Image build process | |
| # iptables configuration for Oracle Cloud Infrastructure | |
| # See the Oracle-Provided Images section in the Oracle Cloud Infrastructure | |
| # documentation for security impact of modifying or removing these rule | |
| *filter | |
| :INPUT ACCEPT [0:0] | |
| :FORWARD ACCEPT [0:0] | |
| :OUTPUT ACCEPT [463:49013] | |
| :InstanceServices - [0:0] | |
| -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| -A INPUT -p icmp -j ACCEPT | |
| -A INPUT -i lo -j ACCEPT | |
| -A INPUT -p udp --sport 123 -j ACCEPT | |
| -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT | |
| -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT | |
| -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
| #-A INPUT -j REJECT --reject-with icmp-host-prohibited | |
| #-A FORWARD -j REJECT --reject-with icmp-host-prohibited | |
| -A OUTPUT -d 169.254.0.0/16 -j InstanceServices | |
| -A InstanceServices -d 169.254.0.2/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or re$ | |
| -A InstanceServices -d 169.254.2.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or re$ | |
| #-A InstanceServices -d 169.254.0.2/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACC$ | |
| -A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j $ | |
| -A InstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j $ | |
| #-A InstanceServices -d 169.254.0.3/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or rem$ | |
| #-A InstanceServices -d 169.254.0.4/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACC$ | |
| #-A InstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j$ | |
| -A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 67 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j $ | |
| -A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 69 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j $ | |
| -A InstanceServices -d 169.254.169.254/32 -p udp --dport 123 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT | |
| #-A InstanceServices -d 169.254.0.0/16 -p tcp -m tcp -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j REJECT --rejec$ | |
| #-A InstanceServices -d 169.254.0.0/16 -p udp -m udp -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j REJECT --rejec$ | |
| COMMIT |
I somehow stumbled across this old Gist and have some tips for future wanderers.
- By commenting out the rule on line 19, the server now accepts all incoming packets, rendering the
INPUTrules above it pointless.- The rule on line 17 should use the
statemodule with--state, notconntrackwith--ctstate. It also doesn't need to explicitly allowESTABLISHEDpackets because the rule on line 12 already takes care of that.- The rule on 18 is unnecessary because the server already allows all outgoing packets by default (except for the special rules applied to packets destined for
169.254.0.0/16).- Commenting out the rule on 20 activates the default
FORWARD ACCEPTpolicy on line 9. All packets will be forwarded indiscriminately.- The
InstanceServicesrules shouldn't be modified. The Oracle Cloud docs explicitly state rules having to do with port3260should be left alone, but I think you can extend that to all the rules in that chain unless you know what you're doing. Regardless, modifying them is unnecessary if the only goal is running a simple web server.If you need to open up ports
80and443, just add-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPTdirectly below
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPTand you're ready to go!
And remember to update the Security List for your Compute instance's VNC, too.you command not work sudo iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 80 -j ACCEPT sudo iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 443 -j ACCEPT
sudo iptables-save sudo apt-get update sudo apt-get install iptables-persistent -y sudo netfilter-persistent save sudo netfilter-persistent reloadYou can modify the rules under the file /etc/iptables/rules.v4
i did edit the file, but the ports yet don't up. is there anything else that I am supposed to do?
this is my VNC security rules. I am on ubuntu 20.04 version, Ampere A1 instance on OCI
My way is to change this file, then reboot, and then change the Ingress Rules in the Oracle console, the following is my configuration
-A INPUT -p tcp -m tcp -m multiport -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT --dports 80,443,10000 -A INPUT -p udp -m udp -m conntrack --dport 40700 --ctstate NEW,ESTABLISHED -j ACCEPT
this doesn't to work for me at all, can you help me out? i am checking these via a portchecker.co website doesn't seem to take any effect this is my config file changes
-A INPUT -p tcp -m tcp -m multiport -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT --dports 80,443,51820 -A INPUT -p udp -m udp -m conntrack --dport 51820 --ctstate NEW,ESTABLISHED -j ACCEPTmy ingress rules
my egress rules
i'm trying for a wireguard connection too :(, but can't seem to get any ports open at allTry using iptables -L to see if it works
iptables -Lwhat should i be looking for exactly? this my result after the command
target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT udp -- anywhere anywhere udp spt:ntp ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh ACCEPT tcp -- anywhere anywhere tcp multiport dports http,https,51820 ctstate NEW,ESTABLISHED REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-host-prohibitedIt seems that tcp connections on ports 80, 443, and 51820 have been allowed. But the udp connection of port 51820 used by wireguard does not seem to be effective.
Yes, I didn't add the rule yet, put ports 443, 80 are closed via a port checker tool :(, is there anything wrong in my configuration?
I somehow stumbled across this old Gist and have some tips for future wanderers.
- By commenting out the rule on line 19, the server now accepts all incoming packets, rendering the
INPUTrules above it pointless.- The rule on line 17 should use the
statemodule with--state, notconntrackwith--ctstate. It also doesn't need to explicitly allowESTABLISHEDpackets because the rule on line 12 already takes care of that.- The rule on 18 is unnecessary because the server already allows all outgoing packets by default (except for the special rules applied to packets destined for
169.254.0.0/16).- Commenting out the rule on 20 activates the default
FORWARD ACCEPTpolicy on line 9. All packets will be forwarded indiscriminately.- The
InstanceServicesrules shouldn't be modified. The Oracle Cloud docs explicitly state rules having to do with port3260should be left alone, but I think you can extend that to all the rules in that chain unless you know what you're doing. Regardless, modifying them is unnecessary if the only goal is running a simple web server.If you need to open up ports
80and443, just add-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPTdirectly below
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPTand you're ready to go!
And remember to update the Security List for your Compute instance's VNC, too.you command not work sudo iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 80 -j ACCEPT sudo iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 443 -j ACCEPT
sudo iptables-save sudo apt-get update sudo apt-get install iptables-persistent -y sudo netfilter-persistent save sudo netfilter-persistent reloadYou can modify the rules under the file /etc/iptables/rules.v4
i did edit the file, but the ports yet don't up. is there anything else that I am supposed to do?
My way is to change this file, then reboot, and then change the Ingress Rules in the Oracle console, the following is my configuration
-A INPUT -p tcp -m tcp -m multiport -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT --dports 80,443,10000 -A INPUT -p udp -m udp -m conntrack --dport 40700 --ctstate NEW,ESTABLISHED -j ACCEPT
this doesn't to work for me at all, can you help me out? i am checking these via a portchecker.co website doesn't seem to take any effect this is my config file changes
-A INPUT -p tcp -m tcp -m multiport -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT --dports 80,443,51820 -A INPUT -p udp -m udp -m conntrack --dport 51820 --ctstate NEW,ESTABLISHED -j ACCEPTmy ingress rules
i'm trying for a wireguard connection too :(, but can't seem to get any ports open at allTry using iptables -L to see if it works
iptables -Lwhat should i be looking for exactly? this my result after the command
target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT udp -- anywhere anywhere udp spt:ntp ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh ACCEPT tcp -- anywhere anywhere tcp multiport dports http,https,51820 ctstate NEW,ESTABLISHED REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-host-prohibitedIt seems that tcp connections on ports 80, 443, and 51820 have been allowed. But the udp connection of port 51820 used by wireguard does not seem to be effective.
Yes, I didn't add the rule yet, put ports 443, 80 are closed via a port checker tool :(, is there anything wrong in my configuration?
Do you have services on ports 80 and 443? Because I am sure that my two ports have been successfully opened. When there is no service listening to the port, your portchecker.co tool shows that my two ports are closed.
I somehow stumbled across this old Gist and have some tips for future wanderers.
- By commenting out the rule on line 19, the server now accepts all incoming packets, rendering the
INPUTrules above it pointless.- The rule on line 17 should use the
statemodule with--state, notconntrackwith--ctstate. It also doesn't need to explicitly allowESTABLISHEDpackets because the rule on line 12 already takes care of that.- The rule on 18 is unnecessary because the server already allows all outgoing packets by default (except for the special rules applied to packets destined for
169.254.0.0/16).- Commenting out the rule on 20 activates the default
FORWARD ACCEPTpolicy on line 9. All packets will be forwarded indiscriminately.- The
InstanceServicesrules shouldn't be modified. The Oracle Cloud docs explicitly state rules having to do with port3260should be left alone, but I think you can extend that to all the rules in that chain unless you know what you're doing. Regardless, modifying them is unnecessary if the only goal is running a simple web server.If you need to open up ports
80and443, just add-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPTdirectly below
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPTand you're ready to go!
And remember to update the Security List for your Compute instance's VNC, too.you command not work sudo iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 80 -j ACCEPT sudo iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 443 -j ACCEPT
sudo iptables-save sudo apt-get update sudo apt-get install iptables-persistent -y sudo netfilter-persistent save sudo netfilter-persistent reloadYou can modify the rules under the file /etc/iptables/rules.v4
i did edit the file, but the ports yet don't up. is there anything else that I am supposed to do?
My way is to change this file, then reboot, and then change the Ingress Rules in the Oracle console, the following is my configuration
-A INPUT -p tcp -m tcp -m multiport -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT --dports 80,443,10000 -A INPUT -p udp -m udp -m conntrack --dport 40700 --ctstate NEW,ESTABLISHED -j ACCEPT
this doesn't to work for me at all, can you help me out? i am checking these via a portchecker.co website doesn't seem to take any effect this is my config file changes
-A INPUT -p tcp -m tcp -m multiport -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT --dports 80,443,51820 -A INPUT -p udp -m udp -m conntrack --dport 51820 --ctstate NEW,ESTABLISHED -j ACCEPTmy ingress rules
i'm trying for a wireguard connection too :(, but can't seem to get any ports open at allTry using iptables -L to see if it works
iptables -Lwhat should i be looking for exactly? this my result after the command
target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT udp -- anywhere anywhere udp spt:ntp ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh ACCEPT tcp -- anywhere anywhere tcp multiport dports http,https,51820 ctstate NEW,ESTABLISHED REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-host-prohibitedIt seems that tcp connections on ports 80, 443, and 51820 have been allowed. But the udp connection of port 51820 used by wireguard does not seem to be effective.
Yes, I didn't add the rule yet, put ports 443, 80 are closed via a port checker tool :(, is there anything wrong in my configuration?
Do you have services on ports 80 and 443? Because I am sure that my two ports have been successfully opened. When there is no service listening to the port, your portchecker.co tool shows that my two ports are closed.
no services are running on the ports, as of now, lemme just check with the services running on them, and get back to you
Thank you for the help, my services started working, after I setup a service to the ports, thank you for your help 😄 , much appreciated and thank you for your time 😄
@theinhumaneme @AethLi @11k
Is there any way for IPv4 to work in FTP (VSFTPD) with Ubuntu 22.04?
IPv6 works perfectly well, there are currently no restrictions concerning IPv6.
-A INPUT -p tcp --dport 20 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 12000:12100 -j ACCEPT
This made it work smoothly on IPv4 using Fileziila.
However, I have an application that needs to connect to FTP. The login succeeds, but I couldn't do anything but connect.
It shows this error.
"227 entering passive mode ftp error"
I tried everything, so I came to the conclusion that the problem is the Firewall blocking IPv4.
portchecker.co
Obrigado pela ajuda, meus serviços começaram a funcionar, depois que configurei um serviço para as portas, obrigado pela ajuda😄, muito apreciado e obrigado pelo seu tempo😄
@theinhumaneme @AethLi @11k Is there any way for IPv4 to work in FTP (VSFTPD) with Ubuntu 22.04? IPv6 works perfectly well, there are currently no restrictions concerning IPv6.
-A INPUT -p tcp --dport 20 -j ACCEPT -A INPUT -p tcp --dport 21 -j ACCEPT -A INPUT -p tcp --dport 12000:12100 -j ACCEPTThis made it work smoothly on IPv4 using Fileziila. However, I have an application that needs to connect to FTP. The login succeeds, but I couldn't do anything but connect.
It shows this error. "227 entering passive mode ftp error"
I tried everything, so I came to the conclusion that the problem is the Firewall blocking IPv4.
Hello goodnight!
I'm facing the same problem you had, I've done everything and I can't access port 80 or 443.
Could you help me by showing how you did it?
Thank you very much!
this is not working.. getting following error:
iptables-restore v1.8.7 (legacy): Couldn't load target `$':No such file or directory
Have you found the solution?
I am trying to open my port 2333. I have tried everything even flushing my IP table to make sure that nothing is being blocked.
I do have a service running on this port but somehow unable to open ports.
I do a have a backup of IP table rules. If someone could figure out why it's not working?
I just had to do was restart server 💀
Thank you.
It seems that tcp connections on ports 80, 443, and 51820 have been allowed. But the udp connection of port 51820 used by wireguard does not seem to be effective.