Cannot connect through external IP in Google cloud Compute engine instance - security

I created compute engine instance in GCP to deploy my web app.It works fine inside the instance (localhost:8080).
However, using the external Ip address, I'm unable to access it even though I have allowed for 0.0.0.0/0 for all instances by the firewall rule.I added both port tcp:8080 and tcp :8444 but It does not allow to connect even 'Telnet'.
Connecting To 35.185.98.244...Could not open connection to the host, on port 8444: Connect failed
Connecting To 35.185.98.244...Could not open connection to the host, on port 8080: Connect failed
Anybody can help me to solve this issue?
my git url: https://github.com/ChkBuk/myexamples/tree/master/SyneBiz

Take a look at the Firewall Rule in the GCP. Make sure that you allow ingress traffic for the port 80 (since you are accessing it from the browser). The ports 8080 and 8444 are local ports accessed internally. These ports are not exposed to the public. You have to make sure that there is a forwarding rule that redirects the traffic from port 8080/8444 to port 80.
Eventually, try to test the URL connection and the ports within the compute engine instance, or outside the GCP. Below are some examples:
$ curl http://[external-IP-vm-address]:80
$ telnet localhost 80
$ nmap <external-ip-vm-address>
$ netstat -plant
There are other network tests that you could perform. You may consult this discussion thread from Stackexchange.
Lastly, it could be that the ports 8080 and 8444 are already being used by other processes. For this reason, you are unable to connect to them.
Try the following troubleshooting steps.Type:
$ netstat -tulpn
This command above will display a list of all processes running on their respective ports. If the port 8080/8444 are there, take a look at the existing process running on it. You may then kill that process. For more information on troubleshooting the processes running on port 8444 and 8080, you may consult this article.

Related

"Unable to connect to remote host: Connection refused" error when trying to get two Azure VMs to communicate on different ports

I have two Azure VMs I set up to test a program I made. The program is to be run on both VMs, where synchronous operations are performed, requiring the VMs to communicate with eachother on different ports using TCP protocols. To access my Azure VMs, I SSH'd into them on port 22 using Putty on my local machine. The VMs are on the same subnet, and I am trying to get them to communicate with eachother via their public IP. I have set up both VMs inbound rules to accept messages from eachother on any port, using any protocol here is an example of this.
During the execution of my program, I encounter the following error "Unable to connect to remote host: Connection refused". After this, I did some investigating. First, I had both VMs ping eachother, which they successfully did. Then, on both VMs, I ran the command "telnet other.ip 22", where other.ip is the other VMs public IP. This seems to work, as seen in this image. When I run "telnet other.ip 6000", or any other port besides 22 for that matter, I get the same error of "Unable to connect to remote host: Connection refused". My rational is that if I can get the "telnet" command running on any port, that my program will likely work too.
I am not too sure what my issue could be at this point, and my internet searches have not helped me. I doubt there is an issue of a port being backlogged with communication requests given my current inbound rules. Also, I did try to change my inbound rules so that my VMs would receive messages on any port, using any protocol, from any source, which resulted in the same error (I then changed it back from 'any source' to only my other VMs public IP for security purposes).
According to your description, you may check two points:
If there is any firewall inside the VM that is blocking the connection from the external network with port 6000. For example, if you are using Ubuntu VM, you can refer to How to Set Up a Firewall with UFW on Ubuntu 18.04. Then disable the firewall with the command sudo ufw disable or add a firewall rule to verify this.
Run the command on Linux to see open ports. sudo netstat -tulpn | grep LISTEN. You should see port 6000 in the output. If not, it might mean that your program is not started well.
Let me know if you have any concerns.
Check your firewall rules. If your organization tent to use firewall then add port 6000 in inbound and outbound chain.
you can connect the remote host with port number only when it is in listening state.
sudo netstat -tulpn | grep LISTEN.

Why can't this port be accessed outside of the local machine?

I have a node.js server running on an EC2 instance. I can connect to my index.html page by visiting 12.345.678.900:2112 (not the actual site, just an example). Later on, I open a socket connection that is listening on port 3113. When I'm on the machine itself, I can access the webpage through the localhost (localhost:3113/foo). When I try to access it outside the local machine through 12.345.678.900:3113/foo, I can't access it. The socket connection is successful and the server is listening on 3113 when I run netstat, but it just doesn't allow me to access the page. I have a feeling my ports may be blocked, but from what I tell it shouldn't be. I don't have this problem when I run this server on my local machine however.
Incoming Connections
Solution:
Since curl was telling me port 3113 wasn't open, but it wasn't being blocked on AWS I looked through my code and realized that I opened port 3113 but then closed it soon after, which meant that while I was getting a log statement telling me the port was open since it was closed almost immediately I wasn't able to access the port.
When you setup TCP listening port, you had to specify IP address and port number. If your server is listening on 127.0.0.1:3113, then it won't be accessible from its external IP address. You can also specify the special 0.0.0.0 as the IP address, which indicates that you want to listen on that port in "all" IP addresses (for some definition of "all").
If your machine have multiple network interfaces (e.g. multiple network cards, or virtualised network interface), then it's possible to have the same ip address actually being on different networks and you'll have to specify the specific network interface when you listen to them. But if you did set up something unusual like that, you probably already know about these networking stuffs already. Note that if you have Docker or virtual machines, they may also creates virtual network interface for each containers/VM.
On AWS/EC2, your machine may also have internal IP address that's only accessible from your VPC and an Elastic IP which can be accessed directly from the outside world. You didn't say which "external" IP address you were using.
Finally, you may have firewall installed on the server. ipfw or iptable may have rules blocking external listening port.

AWS - Security Groups not opening ports

I created a Linux t3a.nano EC2 on AWS, I haven't done anything on the instance other than starting it and connect to it through SSH.
I would like to open 2 ports, port 80, and 3000, for that, I created a Security Group and added both ports to the inbound rules.
Based on AWS documentation that is all you need to do in other to open the ports, but if I connect to the instance and list the ports open none of the ports on my Security Group are listening, only 22, but that is open by default.
I am running this command to list the ports:
sudo netstat -antp | fgrep LISTEN
Other Steps I tried:
Check my ACL, will attach a picture of the configuration below, didn't change anything it looks to be fine.
Checked that the instance is using the correct security group.
Stoped and started the instance.
Created an Elastic IP and associated it to the instance to have a permanent public IP address.
Any suggestions about which steps could I am missing?
You are checking the ports from inside the instance. Security Groups (SGs) work outside of your instance.
You can imagine them as a bubble around your instance. Subsequently, the instance is not aware of their existence. This can be visualized like on the below image, where the SG is a barrier outside of the instance. Only if SG allow traffic in, then your instance can further limit it by using regular software level firewalls.
To open/block ports on the instance itself you have to use a regular a firewall such as ufw. By default all ports on the instance will be opened, at least when using Amazon Linux 2 or Ubuntu.
Therefore, with your setup, inbound traffic for pots 22, 3000 and 80 will be allowed to the instance.
Update - Response
I got to this point thanks to the comments above!
I wanted to open port 3000 to host a web service, so I did all the steps on my original question, the step that I was missing was to run a server to do something on port 3000. After I ran node I was able to see the port open internally and was able to make requests to that port.
The Security Group remains the same, but now if I list the ports this is what I get: sudo netstat -antp | fgrep LISTEN

node.js is listening on port, but cant connect from the outside on Ubuntu Server

I have a Node.js server listening on port 9000
Internally I can run "curl localhost:9000"
And it can retrieve the GET request.
But when I try and connect to the IP from the outside on port 9000, it doesnt work.
Do I need to open the port publicly?
Its an Amazon EC2 instance.
What do I need to do?
SOLVED:
had to add tcp inbound into security groups. Thank you very much
VALUES:
Custom TCP Rule
TCP
0 - 9000
0.0.0.0/0
Sounds like a firewall issue. There are two things to look for, first is IPTABLES, which will show you the firewall rules on the local server. https://help.ubuntu.com/community/IptablesHowTo
With AWS instances, they also belong to Security Groups, and you will have to edit this security group to allow traffic on port 9000 as well. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

Opening port 3000 EC2 Amazon web services

I am trying to use nodejs and socket.io to deliver a webapp, which use websocket on port 3000.
I have opened port 3000 on my EC2 instance in my management console by adding the inbound TCP rule to the relevant security group, however I still can't access it via public dns on my browser.
sudo netstat -tulpn doesn't show it as an open port.
What am I missing? Is there some service I need to restart or a command line I need to push to get it running?
Thanks
sudo netstat -tulpn doesn't show it as an open port.
netstat command will show what all ports that are being listened by "some" process. So in this case as you have mentioned, It seems like you application is not listening on port 3000.
First, fix your application and ensure that it is listening on port 3000.
Also, netstat has nothing to do with whether a port is opend/closed from firewall perspective. It will tell you whether a given port is in LISTENING mode by some process.
Follow these steps:
Make sure your application is listening on port 3000:
netstat -anp | grep 3000
also telnet 127.0.0.1 3000
Then make sure that local firewall is configured to allow incoming access to port 3000
OR disable local firewall to do a quick test (service iptables stop). for linux, its usually iptables
Allow incoming access to port 3000 in your AWS security group.
Please follow above 3 points and let us know if you still face the same issue.
in addition to all the steps above, check if you have ufw (uncomplicated firewall) set up.
to check if you have ufw running do:
sudo ufw status
if it is running,
to allow port 3000 simply do the command
sudo ufw allow 3000
this solved the problem for me. i forgot that i had setup ufw a while back, and recently starting using my aws instance again.
I guess you made your changes using the AWS Management console.
But this just means that Amazon's system will allow message on port 3000 through their own security systems to your server.
Your EC2 server (you don't say whether it's Windows or Linux) may have its own firewall system that you have to open port 3000 on. You will have to look at the documentation for your server to what settings you need to change.
I assume you've tried opening a browser on your EC2 instance and you can access the webapp from there.
Also, thinking laterally, if there are no other web servers running on your EC2 server why not change your node.js webapp to use port 80?
Had similar problem, but I was using socketio with SSL
var https = require('https').Server({
key: fs.readFileSync(path.join(__dirname + '../) + 'ssl.key', 'utf8'),
cert: fs.readFileSync(path.join(__dirname + '../') + 'ssl.crt', 'utf8')
}, app);
But the keys were wrong, so even though my AWS security was done, iptables clear and nginx providing with client js file, the request kept closing. So in Firefox I got net::ERR_CONNECTION_CLOSED and finally figured out that it might be the SSL failure.
I hope this helps somebody. I had followed an online tutorial that said I should add a security rule for 3000 TCP and link back to the security group identifier in the source.
That's wrong. Remove that line and just set up two custom TCP for port 3000 for IPv4 and IPv6. That fixed it for me.
Let me put my couple cents here.
Resolved issue by adding 3000 port to Secure groups with IPv4 and IPv6 and setting host in nuxt.config.js to '0.0.0.0'. This value makes Nuxt automatically find "real" ip listen to.
Here is how I was able to fix the problem:
Go to the EC2 instance page
In the "Security" tab, click on the link of the security group associated with the instance
In the Actions menu click "Edit inbound rules"
Add rule with custom tcp
And click "Save rules"

Resources