ufw firewall in GCP - linux

I've a VM in Google Cloud and I'm trying to connect to it over TCP port 8890.
I've already set the Firewall rules in GCP so the problem in on VM firewall.
I'm using Debian 10 as OS and I've installed ufw. The output of ufw status command is:
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
2222 ALLOW Anywhere
21 ALLOW Anywhere
Nginx Full ALLOW Anywhere
21/tcp ALLOW Anywhere
49152:65535/tcp ALLOW Anywhere
5432 ALLOW Anywhere
8890 ALLOW Anywhere
8890/tcp ALLOW Anywhere
8890/udp ALLOW Anywhere
Anywhere ALLOW 127.0.0.1
22/tcp (v6) ALLOW Anywhere (v6)
2222 (v6) ALLOW Anywhere (v6)
21 (v6) ALLOW Anywhere (v6)
Nginx Full (v6) ALLOW Anywhere (v6)
21/tcp (v6) ALLOW Anywhere (v6)
49152:65535/tcp (v6) ALLOW Anywhere (v6)
5432 (v6) ALLOW Anywhere (v6)
8890 (v6) ALLOW Anywhere (v6)
8890/tcp (v6) ALLOW Anywhere (v6)
8890/udp (v6) ALLOW Anywhere (v6)
but if try to telnet localhost 8890 :
Trying ::1...
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
the output of netstat -tulpn | grep LISTEN command is:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 614/nginx: master p
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 607/sshd
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN 561/postgres
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 614/nginx: master p
tcp6 0 0 :::80 :::* LISTEN 614/nginx: master p
tcp6 0 0 :::21 :::* LISTEN 433/vsftpd
tcp6 0 0 :::22 :::* LISTEN 607/sshd
tcp6 0 0 :::5432 :::* LISTEN 561/postgres
tcp6 0 0 :::443 :::* LISTEN 614/nginx: master p


That's the log JSON from Google Cloud:
{
insertId: "1m9sozhg3119gk8"
jsonPayload: {
connection: {
dest_ip: "10.132.0.2"
dest_port: 8890
protocol: 6
src_ip: "194.158.251.129"
src_port: 61330
}
disposition: "ALLOWED"
instance: {
project_id: "quokka-319212"
region: "europe-west1"
vm_name: "mkb-quokka"
zone: "europe-west1-b"
}
remote_location: {
continent: "Europe"
country: "che"
region: "Ticino"
}
rule_details: {
action: "ALLOW"
direction: "INGRESS"
ip_port_info: [
0: {
ip_protocol: "TCP"
port_range: [
0: "8890"
]
}
]
priority: 100
reference: "network:default/firewall:port-8890"
source_range: [
0: "0.0.0.0/0"
]
}
vpc: {
project_id: "quokka-319212"
subnetwork_name: "default"
vpc_name: "default"
}
}
logName: "projects/quokka-319212/logs/compute.googleapis.com%2Ffirewall"
receiveTimestamp: "2021-08-11T12:54:47.345480725Z"
resource: {
labels: {
location: "europe-west1-b"
project_id: "quokka-319212"
subnetwork_id: "4380110765229239135"
subnetwork_name: "default"
}
type: "gce_subnetwork"
}
timestamp: "2021-08-11T12:54:41.981790820Z"
}
And that confirm the problem is on the istance and not in Google Cloud firewall


This is expected behavior. In order to see
tcp 0 0 0.0.0.0:8890 0.0.0.0:*
Do the following
1 apt-get install python # install python
2 python -m SimpleHTTPServer 8890 # server listening on port 8890
3 Open a new window #wheel top right corner > new connection to instance
4 netstat -tulpn | grep LISTEN
Reason:
netstat will only show the port if a service or other program is actually listening for incoming connections on that port.

Related

NodeJS + Fedora 32 refused to connect

Simplest server (same result with '0.0.0.0' and removing this property)
const http = require('http');
function handleRequest(a,b) {
console.log('!');
}
var server = http.createServer(handleRequest);
server.listen(4000, '0.0.0.0', function(){
console.log("Server is listening");
});
Netstat:
sudo netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 669/sshd: /usr/sbin
tcp 0 0 0.0.0.0:4000 0.0.0.0:* LISTEN 5631/node
tcp6 0 0 :::22 :::* LISTEN 669/sshd: /usr/sbin
Result by accessing http://(server's IP):4000
This site can’t be reached
(server's IP) refused to connect.

Ok, so I had to open port in firewall like this:
firewall-cmd --zone=public --add-port=4000/tcp

Why can't I talk to a service on tcp/3000 on my CentOS VPS

I'm trying to run a second web service on my VPS at port 3000.
On the VPS I run:
# php -S myhost.com:3000
and then in a browser, navigate to http://myhost.com:3000 but the browser times out and the service logs/outputs nothing.
If I run the service on port 80 (i.e., php -S myhost.com:80 and navigate to http://myhost.com), it works.
So firewall. Except that:
[root#spinal ~]# firewall-cmd --list-ports
3887/tcp 3000/tcp
(the 3887 is another service, which is working correctly.) And I rebooted the VPS after setting up port 3000 in the firewall. I reckon the service is listening correctly because:
[root#spinal ~]# netstat -tupl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:imap 0.0.0.0:* LISTEN 1907/dovecot
tcp 0 0 0.0.0.0:ciphire-data 0.0.0.0:* LISTEN 1876/sshd
tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN 1903/nginx: master
tcp 0 0 0.0.0.0:urd 0.0.0.0:* LISTEN 2004/master
tcp 0 0 myhost.com:hbci 0.0.0.0:* LISTEN 2206/php
tcp 0 0 localhost.loca:postgres 0.0.0.0:* LISTEN 1908/postgres
tcp 0 0 0.0.0.0:smtp 0.0.0.0:* LISTEN 2004/master
tcp 0 0 0.0.0.0:https 0.0.0.0:* LISTEN 1903/nginx: master
tcp 0 0 0.0.0.0:imaps 0.0.0.0:* LISTEN 1907/dovecot
tcp 0 0 localhost.lo:cslistener 0.0.0.0:* LISTEN 1878/php-fpm: maste
tcp6 0 0 [::]:imap [::]:* LISTEN 1907/dovecot
tcp6 0 0 [::]:ciphire-data [::]:* LISTEN 1876/sshd
tcp6 0 0 [::]:urd [::]:* LISTEN 2004/master
tcp6 0 0 [::]:smtp [::]:* LISTEN 2004/master
tcp6 0 0 [::]:imaps [::]:* LISTEN 1907/dovecot
I can however connect locally. This works, when run on the VPS:
$ curl http://myhost.com:3000
so that again points at the firewall. But disabling the firewall doesn't help:
# systemctl stop firewalld
so it could be a DNS problem: my browser and the VPS differ on what myhost.com resolves-to. Except that, as mentioned above, switching to port 80 solves the problem. So it's something to do with coming-in on port 3000, from outside. But not firewalld.
The question at Can't reach nodejs on port 3000 from external on CentOS 7 is close to mine, but isn't conclusively answered.

I feel pretty stupid. It was a firewall; not on the VPS, but on my local network. When I tried it on a machine that doesn't go through my local network, it worked. I hope my public confession helps someone else.

Node.js not accepting connections on port 80

I am running my node server on ubuntu with sudo node index.js
Running curl http://localhost/health-check gives a response but if I use the public IP, it does not get any response
Running sudo netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
59739/node
Running nmap -A -T4 myDomainName
Starting Nmap 7.01 ( https://nmap.org ) at 2017-11-22 12:32 UTC
Nmap scan report for myDomainName (IP address)
Host is up (0.0011s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
...
80/tcp closed http
443/tcp closed https
Running nmap localhost
Starting Nmap 7.01 ( https://nmap.org ) at 2017-11-22 12:28 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000062s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Lastly sudo ufw status
To Action From
-- ------ ----
22 ALLOW Anywhere
80 ALLOW Anywhere
443 ALLOW Anywhere
80/tcp ALLOW Anywhere
22 (v6) ALLOW Anywhere (v6)
80 (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
Port 80 is open on localhost but not open on the domain name/ public ip

Unable to access apache page on Linux Azure VM

I've setup a linux VM in Azure. I've added incoming port access to the current listening port on Apache. I've also done a curl localhost on the VM and see the apache html text. I hit the public IP of the VM and get nothing. Any ideas?

According to your description, please check those settings:
1. Please check Azure VM's NSG settings, make sure we have add port to inbound rules:
2. Vnet-->subnet's security group settings:
3. Check which port apache listening on:
netstat -ant
root#ubuntu:~# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 10.1.0.4:55870 191.237.32.134:443 TIME_WAIT
tcp 0 0 10.1.0.4:55874 191.237.32.134:443 TIME_WAIT
tcp 0 0 10.1.0.4:55876 191.237.32.134:443 TIME_WAIT
tcp 0 0 10.1.0.4:55868 191.237.32.134:443 TIME_WAIT
tcp 0 0 10.1.0.4:57772 168.63.129.16:80 TIME_WAIT
tcp 0 0 10.1.0.4:57766 168.63.129.16:80 TIME_WAIT
tcp 0 36 10.1.0.4:22 167.220.255.8:53651 ESTABLISHED
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
By the way, for test please disable ufw with this command ufw disable, then try to access the public IP address.
Update:
I follow those steps to modify apache default port:
1.Modify ports.conf, change port 80 to 80:
root#ubuntu:/etc/apache2# vi ports.conf
Listen 90
<IfModule ssl_module>
Listen 443
2.Add ServerName localhost to /etc/apache2/apache2.conf
root#ubuntu:/etc/apache2# vi /etc/apache2/apache2.conf
# Global configuration
#
ServerName localhost
3.Modify default port in /etc/apache2/sites-enabled/000-default.conf
root#ubuntu:/etc/apache2# vi /etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:90>
4.Add inbound rule to Network Security Group:
By the way, to troubleshoot this issue, we can follow those steps:
1.Login this VM and use curl to test apache2:
curl localhost:90
2.Use your PC to telnet this VM's public IP and port 90
telnet xx.xx.xx.xx 90
If you can't telnet this port, please check your NSG settings and subnet's security group settings.
Here is my result, it works for me:
root#ubuntu:/etc/apache2# netstat -ant | grep 90
tcp6 0 0 :::90 :::* LISTEN

can't get http from tomcat on guest vm (nat connection)

I have running centos on guest machine (using virtualbox, connection over nat).
And there's tomcat running on this machine on port 8080.
<Connector port="8080" protocol="HTTP/1.1" address="0.0.0.0"
connectionTimeout="20000"
redirectPort="8443" />
There's port forwarding from host to guest
host 2222, guest 22 (ssh)
host 40001, guest 8080
I try to get page from http://localhost:8080
If I connect from host via ssh and do curl localhost:8080 I get an html page.
But if try to get http://localhost:40001 via browser, it becomes infinitely loading.
netstat -an | find "40001" on host machine shows
C:\Users\user>netstat -an | find "40001"
TCP 0.0.0.0:40001 0.0.0.0:0 LISTENING
TCP 127.0.0.1:30279 127.0.0.1:40001 FIN_WAIT_2
TCP 127.0.0.1:40001 127.0.0.1:30279 CLOSE_WAIT
If I try to telnet on host machine (telnet localhost 40001) the connection is ok.
If I try to get a netstat on guest, I get this
[aegis#localhost ~]$ netstat -an | grep LISTEN | grep tcp
tcp 0 0 127.0.0.1:8005 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8009 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:25 :::* LISTEN
I can't figure out why telnet from host is working, but I can't get a page via browser. Could you help me, where I've made a mistake in configuration?

At first, I was discaraged because of working "telnet localhost 40001 from host machine".
But there's difference between 22 and 8080 ports.
22 port is opened by default.
8080 port is not.
If you'll have such a problem, you should allow the firewall connection over 8080 port.
E.g., you can execute this statement:
iptables -I INPUT 1 -i eth0 -p tcp --dport 8080 -j ACCEPT

Resources