
@mrladeia
Last active May 27, 2024 11:22
Iptables to Oracle Cloud port 80 and 443 open

IPTABLES to Oracle Cloud port 80 and 443 open

If you need to open up ports 80 and 443, just add the following line to /etc/iptables/rules.v4:

-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT

directly below

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

Then reboot, or run the command below:

sudo /sbin/iptables-restore < /etc/iptables/rules.v4

Thanks for the suggestion @11k

Another way

Note that some lines of the rules.v4 file are commented out with a # at the beginning:

# CLOUD_IMG: This file was created/modified by the Cloud Image build process
# iptables configuration for Oracle Cloud Infrastructure
# See the Oracle-Provided Images section in the Oracle Cloud Infrastructure
# documentation for security impact of modifying or removing these rule
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [463:49013]
:InstanceServices - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -d 169.254.0.0/16 -j InstanceServices
-A InstanceServices -d 169.254.0.2/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or re$
-A InstanceServices -d 169.254.2.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or re$
#-A InstanceServices -d 169.254.0.2/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACC$
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j $
-A InstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j $
#-A InstanceServices -d 169.254.0.3/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or rem$
#-A InstanceServices -d 169.254.0.4/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACC$
#-A InstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j$
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 67 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j $
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 69 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j $
-A InstanceServices -d 169.254.169.254/32 -p udp --dport 123 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
#-A InstanceServices -d 169.254.0.0/16 -p tcp -m tcp -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j REJECT --rejec$
#-A InstanceServices -d 169.254.0.0/16 -p udp -m udp -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j REJECT --rejec$
COMMIT
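As an added check (not part of this Gist), a small shell linter for a rules.v4 file that flags the pitfalls raised on this page: a catch-all REJECT left commented out (the chain policy is ACCEPT, so everything gets in), the 80,443 ACCEPT placed after the catch-all REJECT so it never matches, and lines ending in a stray `$` copied from a truncated terminal listing, which iptables-restore refuses to load. The sample file it writes is constructed for the demo and modelled on the listing above.

```shell
#!/bin/sh
# Added lint for an iptables-restore file (rules.v4): flags the pitfalls discussed
# on this page. Prints one finding per line; returns the finding count (0 = clean).
check_rules_v4() {
    f="$1"; n=0
    # A line ending in "$" is terminal truncation, not iptables syntax; pasted as-is
    # it makes iptables-restore fail with "Couldn't load target `$'".
    if grep -q '\$$' "$f"; then
        echo "truncated line(s) ending in '\$'"; n=$((n+1))
    fi
    # With the catch-all REJECT commented out, the chain policy (ACCEPT) admits
    # every packet, so the ACCEPT rules above it no longer filter anything.
    for chain in INPUT FORWARD; do
        if ! grep -q "^-A $chain -j REJECT" "$f"; then
            echo "$chain catch-all REJECT missing or commented out"; n=$((n+1))
        fi
    done
    # The 80,443 ACCEPT must precede the INPUT catch-all REJECT: iptables walks
    # the chain top to bottom and stops at the first matching rule.
    acc=$(grep -n '^-A INPUT .*--dports 80,443' "$f" | head -n1 | cut -d: -f1)
    rej=$(grep -n '^-A INPUT -j REJECT' "$f" | head -n1 | cut -d: -f1)
    if [ -z "$acc" ]; then
        echo "no INPUT ACCEPT for ports 80,443"; n=$((n+1))
    elif [ -n "$rej" ] && [ "$acc" -gt "$rej" ]; then
        echo "80,443 ACCEPT sits after the catch-all REJECT and never matches"; n=$((n+1))
    fi
    return "$n"
}

# Constructed sample (not a real instance's file): the "Another way" layout with
# both REJECT lines commented out and one line cut off by the terminal.
write_sample() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -d 169.254.0.0/16 -m comment --comment "See the Oracle-Provided Im$
COMMIT
EOF
}

tmp=$(mktemp); write_sample "$tmp"
check_rules_v4 "$tmp" || echo "findings: $?"   # prints 3 findings, then "findings: 3"
rm -f "$tmp"
```

Run it against your own file with `check_rules_v4 /etc/iptables/rules.v4` after sourcing the script; a zero return means none of the three problems were found.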
@selcarpa

I somehow stumbled across this old Gist and have some tips for future wanderers.

  • By commenting out the rule on line 19, the server now accepts all incoming packets, rendering the INPUT rules above it pointless.
  • The rule on line 17 should use the state module with --state, not conntrack with --ctstate. It also doesn't need to explicitly allow ESTABLISHED packets because the rule on line 12 already takes care of that.
  • The rule on 18 is unnecessary because the server already allows all outgoing packets by default (except for the special rules applied to packets destined for 169.254.0.0/16).
  • Commenting out the rule on 20 activates the default FORWARD ACCEPT policy on line 9. All packets will be forwarded indiscriminately.
  • The InstanceServices rules shouldn't be modified. The Oracle Cloud docs explicitly state rules having to do with port 3260 should be left alone, but I think you can extend that to all the rules in that chain unless you know what you're doing. Regardless, modifying them is unnecessary if the only goal is running a simple web server.

If you need to open up ports 80 and 443, just add

-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT

directly below

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

and you're ready to go!
And remember to update the Security List for your Compute instance's VNC, too.

Your command did not work.

sudo iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport 443 -j ACCEPT
sudo iptables-save
sudo apt-get update
sudo apt-get install iptables-persistent -y
sudo netfilter-persistent save
sudo netfilter-persistent reload

You can modify the rules under the file /etc/iptables/rules.v4

I did edit the file, but the ports still aren't up. Is there anything else I am supposed to do? [image] These are my VNC security rules. I am on Ubuntu 20.04, Ampere A1 instance on OCI.

My way is to change this file, then reboot, and then change the Ingress Rules in the Oracle console. The following is my configuration:

-A INPUT -p tcp -m tcp -m multiport -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT --dports 80,443,10000
-A INPUT -p udp -m udp -m conntrack --dport 40700 --ctstate NEW,ESTABLISHED -j ACCEPT


This doesn't work for me at all, can you help me out? I am checking these via the portchecker.co website and nothing seems to take effect. These are my config file changes:

-A INPUT -p tcp -m tcp -m multiport -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT --dports 80,443,51820
-A INPUT -p udp -m udp -m conntrack --dport 51820 --ctstate NEW,ESTABLISHED -j ACCEPT

My ingress rules: [image]. My egress rules: [image].
I'm trying for a WireGuard connection too :(, but can't seem to get any ports open at all.

Try using iptables -L to see if it works

iptables -L

What should I be looking for exactly? This is my result after the command:

target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp spt:ntp
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports http,https,51820 ctstate NEW,ESTABLISHED
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

It seems that tcp connections on ports 80, 443, and 51820 have been allowed. But the udp connection of port 51820 used by wireguard does not seem to be effective.

Yes, I didn't add the rule yet, but ports 443 and 80 are closed via a port checker tool :(. Is there anything wrong in my configuration?

Do you have services on ports 80 and 443? Because I am sure that my two ports have been successfully opened. When there is no service listening on the port, your portchecker.co tool shows that my two ports are closed.

@theinhumaneme

No services are running on the ports as of now. Let me just check with services running on them and get back to you.

@theinhumaneme

Thank you for the help, my services started working after I set up a service on the ports. Thank you for your help 😄, much appreciated, and thank you for your time 😄.

@cantalupo555 commented Jan 23, 2023

@theinhumaneme @AethLi @11k
Is there any way for IPv4 to work in FTP (VSFTPD) with Ubuntu 22.04?
IPv6 works perfectly well, there are currently no restrictions concerning IPv6.

-A INPUT -p tcp --dport 20 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 12000:12100 -j ACCEPT

This made it work smoothly on IPv4 using FileZilla.
However, I have an application that needs to connect to FTP. The login succeeds, but I couldn't do anything but connect.

It shows this error.
"227 entering passive mode ftp error"

I tried everything, so I came to the conclusion that the problem is the Firewall blocking IPv4.

@charles-leal

Hello, good night!
I'm facing the same problem you had, I've done everything and I can't access port 80 or 443.
Could you help me by showing how you did it?

Thank you very much!

@abdulsaheel

This is not working. I'm getting the following error:

iptables-restore v1.8.7 (legacy): Couldn't load target `$':No such file or directory

Have you found the solution?
