AWS ubuntu instance cannot reach the world

I created a new Ubuntu instance in AWS, and I can connect to it over SSH successfully. However, when I try to install packages with this command, it does not work:

 $ sudo apt-get install apache2
 ...
 ...
 0% [Connecting to ap-southeast-2.ec2.archive.ubuntu.com (91.189.91.23)]^C
 ubuntu@ip-10-1-0-99:/etc$

It never moves forward!

I also tried pinging google.com.au, and it did not answer either.

Here is the AWS VPC configuration:

 Network ACL

 Outbound:
 Rule #  Type         Protocol  Port Range  Destination  Allow / Deny
 100     ALL Traffic  ALL       ALL         0.0.0.0/0    ALLOW
 *       ALL Traffic  ALL       ALL         0.0.0.0/0    DENY

 Inbound:
 Rule #  Type         Protocol  Port Range  Source     Allow / Deny
 10      HTTP (80)    TCP (6)   80          0.0.0.0/0  ALLOW
 120     HTTPS (443)  TCP (6)   443         0.0.0.0/0  ALLOW
 140     SSH (22)     TCP (6)   22          0.0.0.0/0  ALLOW
 *       ALL Traffic  ALL       ALL         0.0.0.0/0  DENY

Outbound Security Group Settings:

 Type         Protocol  Port Range  Destination
 ALL Traffic  ALL       ALL         0.0.0.0/0

Route table settings:

 Destination  Target        Status  Propagated
 10.1.0.0/24  local         Active  No
 0.0.0.0/0    igw-cfe30caa  Active  No

What could be wrong here?

EDIT: The nslookup and dig commands both work fine!

Thanks!

2 answers

Your inbound network ACL only allows traffic addressed to TCP ports 22, 80, and 443. It does not allow the responses to your outbound requests to reach your ephemeral ports.

 $ cat /proc/sys/net/ipv4/ip_local_port_range
 32768   61000

You need a rule in the network ACL allowing TCP 32768 through 61000 ... or, better, don't use the inbound network ACL at all: set it back to its default, which allows everything.

You almost certainly don't need to use network ACLs unless you have a particularly complex network configuration. Inbound rules in a security group are usually sufficient to control access to an instance. Inbound security group rules deny by default, and unlike network ACLs, which are stateless packet filters, security groups are stateful and TCP-aware.

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html#VPC_Security_Comparison

Important: Do not add the ephemeral port rule discussed above to the inbound security group rules. Because security groups are stateful, you only need to "allow" traffic in the direction in which you want TCP sessions to be initiated. Responses to established TCP sessions are automatically permitted by security group rules, but not by network ACL rules, because the two are implemented differently.

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html

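To see why the inbound ACL above breaks apt-get and ping while the outbound ACL is fine, the following script models AWS network ACL evaluation (rules checked in ascending rule-number order, first match wins, the "*" catch-all denies the rest) and reports which parts of the ephemeral port range a rule set denies. This is an added example, not code from the answer or from AWS; the rule tables are constructed from the question, and the rule number 150 chosen for the fix is an assumption (any number between 140 and the catch-all would do).

```python
"""Model of AWS network ACL evaluation for one direction of traffic.

The VPC evaluates a network ACL's rules in ascending rule-number order and
applies the first rule that matches; the trailing '*' rule denies whatever
is left.  Because the ACL is stateless, the SYN-ACK/data of an outbound
TCP connection must be explicitly allowed INBOUND on the ephemeral port the
instance picked.  Rule tables below are constructed from the question.
"""

from dataclasses import dataclass

# From /proc/sys/net/ipv4/ip_local_port_range on the instance (see answer).
EPHEMERAL_RANGE = (32768, 61000)

# The '*' catch-all rule; AWS reserves rule number 32767 for it.
CATCH_ALL = 32767


@dataclass(frozen=True)
class AclRule:
    number: int      # evaluation order: lowest number first
    protocol: str    # "tcp", "udp", "icmp" or "all"
    port_from: int   # inclusive; ignored when protocol is "all"
    port_to: int
    action: str      # "allow" or "deny"


# Inbound ACL as posted in the question (HTTP, HTTPS, SSH, then deny all).
INBOUND_FROM_QUESTION = [
    AclRule(10, "tcp", 80, 80, "allow"),
    AclRule(120, "tcp", 443, 443, "allow"),
    AclRule(140, "tcp", 22, 22, "allow"),
    AclRule(CATCH_ALL, "all", 0, 65535, "deny"),
]

# Outbound ACL as posted in the question: this one is the AWS default.
OUTBOUND_FROM_QUESTION = [
    AclRule(100, "all", 0, 65535, "allow"),
    AclRule(CATCH_ALL, "all", 0, 65535, "deny"),
]


def evaluate(rules, protocol, port):
    """Return 'allow' or 'deny' for one packet: first matching rule wins."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if rule.protocol != "all" and not (rule.port_from <= port <= rule.port_to):
            continue
        return rule.action
    return "deny"  # not reachable with a real ACL, which always ends in '*'


def ephemeral_ports_blocked(rules, protocol="tcp", port_range=EPHEMERAL_RANGE):
    """List the (start, end) sub-ranges of the ephemeral range this ACL denies.

    An empty list means every return packet for an outbound connection
    initiated by the instance would be allowed through.
    """
    lo, hi = port_range
    blocked, start = [], None
    for port in range(lo, hi + 1):
        denied = evaluate(rules, protocol, port) == "deny"
        if denied and start is None:
            start = port
        elif not denied and start is not None:
            blocked.append((start, port - 1))
            start = None
    if start is not None:
        blocked.append((start, hi))
    return blocked


def with_ephemeral_rule(rules, number=150):
    """Copy of the rule set with the fix from the answer added (rule number assumed)."""
    lo, hi = EPHEMERAL_RANGE
    return rules + [AclRule(number, "tcp", lo, hi, "allow")]


if __name__ == "__main__":
    print("inbound ACL denies return traffic on:",
          ephemeral_ports_blocked(INBOUND_FROM_QUESTION))
    print("after adding the ephemeral-port rule:",
          ephemeral_ports_blocked(with_ephemeral_rule(INBOUND_FROM_QUESTION)))
    print("outbound ACL denies:", ephemeral_ports_blocked(OUTBOUND_FROM_QUESTION))
    print("ICMP echo reply inbound:", evaluate(INBOUND_FROM_QUESTION, "icmp", 0))
```

Run as-is it reports that the posted inbound ACL denies the whole 32768-61000 range, that the outbound ACL (rule 100 allow-all before the "*" deny) blocks nothing, and that an inbound ICMP echo reply is also denied, which is why ping fails as well. The EDIT in the question fits the same picture: network ACLs do not apply to traffic to and from the Amazon-provided VPC DNS resolver, so nslookup and dig keep working even though every other return packet is dropped. Running the check after adding the rule from the answer is the kind of review worth doing before relying on a custom inbound ACL.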
 * ALL Traffic ALL ALL 0.0.0.0/0 DENY  - Wrong
 * ALL Traffic ALL ALL 0.0.0.0/0 ALLOW - Right

Please allow outbound traffic if you want to connect to external servers, for example google.com, or even just want to run sudo apt-get update.

You can enable outbound traffic in the AWS console under Security Groups -> Outbound.

Make sure you select the correct group for your AWS instance.


Source: https://habr.com/ru/post/1210245/
