I have two instances running in AWS in the same subnet.
VM1 - 10.10.2.208
VM2 - 10.10.2.136
I have configured route in VM1 as follows:
20.20.20.0 10.10.2.136 255.255.255.0 UG 0 0 0 eth0
When I ping 20.20.20.3 from VM1, I can't see any ping request tcpdump in VM2. Could you please let me know any thing additionally to be done in AWS.
my tcpdump command as follows:
tcpdump -i eth0 -n host 10.10.2.208
Verify Below things
In the route table of VM1 make sure there is local entry like vpc range is routed to local.
Ping is a ICMP protocol so in VM2 security group VM1 IP/Security should be whitelisted for ICMP protocol
Check for any deny rules in outbound of VM1 and inbound VM2 subnet's ACL.
Check Rules of firewalls like iptables.
Related
I have installed elasticsearch in one instance and kibana in another instance.
Both the services are running and I can connect elasticsearch using curl and its instance public ip with port 9200
version: 7.9.2 both
Assume: Public ips
elasticsearch - x.x.x.x
kibana - y.y.y.y
Issue:
Cant connect kibana instance with its curl and public ip with port 5601
Error: Failed to connect to y.y.y.y port 5601: connection refused
Query:
Correct config for elasticsearch.yml and kibana.yml
` kibana.yml:
port: 5601
server.host: "y.y.y.y"
elasticsearch.hosts: ["http://x.x.x.x:9200"]
elasticsearch.yml:
network.host: 0.0.0.0
http.port: 9200 `
It is extremely likely you have not configured the correct security group rules on the kibana instance to permit you to access the service. You need an ingress rule permitting tcp to port 5601 from whatever your ingress range is.
Likewise, it is extremely likely you have not granted access to elasticsearch (x.x.x.x:9200) from y.y.y.y
Check your security group rules.
Also, please ensure your elasticsearch public ip does not permit access from 0.0.0.0 - publically accessible elasticsearch clusters are a prime target for naughty people.
I've got an EC2 instance with the standard Amazon Linux 2 AMI. It's in a security group with the following inbound rules:
SSH TCP 22 0.0.0.0/0 -
Custom ICMP - IPv4 Echo Request N/A 0.0.0.0/0 -
outbound rules:
All traffic All All 0.0.0.0/0 -
I can SSH into the instance from my MacOS command line, but ping fails with:
PING 152.87.216.125 (152.87.216.125): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
Of course, it has a public IP assigned and it is in a subnet in a VPC with an internet gateway and the NACL associated with it looks like:
100
ALL Traffic
ALL
ALL
0.0.0.0/0
ALLOW
*
ALL Traffic
ALL
ALL
0.0.0.0/0
DENY
outbound rules:
100
ALL Traffic
ALL
ALL
0.0.0.0/0
ALLOW
*
ALL Traffic
ALL
ALL
0.0.0.0/0
DENY
I am able to ping google.com successfully.
I don't understand enough about ping and network layers to know where to look next for why this isn't working. Any ideas?
Disabling my MacOS firewall did not fix the issue but connecting to my mobile hotspot did. My ISP must be blocking certain incoming ICMP requests. Interestingly, pinging google.com works, as well as pinging other hosts which are much less known (like spysmiles.com).
I am stuck with the seemingly simple configuration on AWS - spin up VMs with 2 interfaces each, but each interface is in a different subnet and I can't communicate over secondary interfaces. Important piece: inside a VM I can communicate to all interfaces, between VMs in public/private zones - only over eth0.
Overview:
VPC 10.20.0.0/16
public zone:
management interface in subnet 10.20.0.0/20
production interface in subnet 10.20.48.0/20
private zone:
management interface in subnet 10.20.16.0/20
production interface in subnet 10.20.64.0/20
Network ACLs are open/default, all interfaces have a security group which allows ping from 0.0.0.0/0
When I spin up VMs with RHEL7.5, I have this ec2-user-data script to bring up the secondary interface:
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-eth1
BOOTPROTO=dhcp
DEVICE=eth1
ONBOOT=yes
TYPE=Ethernet
USERCTL=no
EOF
ifup eth1e
Ping over the eth0 works without any issues, ping over eth1 hangs.
Here is routing on VM in private zone:
[ec2-user#ip-10-20-8-62 ~]$ ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9001
inet 10.20.8.62 netmask 255.255.240.0 broadcast 10.20.15.255
[ec2-user#ip-10-20-8-62 ~]$ ifconfig eth1
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9001
inet 10.20.53.116 netmask 255.255.240.0 broadcast 10.20.63.255
[ec2-user#ip-10-20-8-62 ~]$ ip route
default via 10.20.0.1 dev eth0 proto dhcp metric 100
default via 10.20.48.1 dev eth1 proto dhcp metric 101
10.20.0.0/20 dev eth0 proto kernel scope link src 10.20.8.62 metric 100
10.20.48.0/20 dev eth1 proto kernel scope link src 10.20.53.116 metric 101
[ec2-user#ip-10-20-8-62 ~]$ ip rule
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
And the same for the VM in private zone:
[ec2-user#ip-10-20-19-55 ~]$ ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9001
inet 10.20.19.55 netmask 255.255.240.0 broadcast 10.20.31.255
[ec2-user#ip-10-20-19-55 ~]$ ifconfig eth1
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9001
inet 10.20.68.48 netmask 255.255.240.0 broadcast 10.20.79.255
[ec2-user#ip-10-20-19-55 ~]$ ip route
default via 10.20.16.1 dev eth0 proto dhcp metric 100
default via 10.20.64.1 dev eth1 proto dhcp metric 101
10.20.16.0/20 dev eth0 proto kernel scope link src 10.20.19.55 metric 100
10.20.64.0/20 dev eth1 proto kernel scope link src 10.20.68.48 metric 101
[ec2-user#ip-10-20-19-55 ~]$ ip rule
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Please let me know if I can provide some additional info, I spent too much time already trying to make it work. The reason for such a setup is our internal policies at the company. And I will need to make it work with 3 interfaces later on as well, so trying to understand what am I doing wrong here.
As I've seen in AWS docummentation you need to add a different route table for your secondary network interface becasue in some way, AWS traffic from your secondary interface leaves with MAC from primary interface and this is not allowed.
Both the primary and the secondary network interfaces are in different subnets, and by default there is only one routing table. Only one of the network interfaces is used to manage non-local subnet traffic. Any non-local subnet traffic that comes into the network interface that isn't configured with the default gateway tries to leave the instance using the interface that has the default gateway. This isn't allowed, because the secondary IP address doesn't belong to the Media Access Control (MAC) address of the primary network interface.
Please follow this guide to solve this issue.
I've tested it in CentOS 7 and it works.
Since I don't need to reserve an IP address with Elastic IP (I'm testing for now), I'm just using the Public IP randomly assigned at every startup.
After setting up a game server via SSH and opening the related ports on the Security Group, said server is not reachable.
Testing further I've noticed that the instance is not even answering ping request (yes, I've added relative rules in the Security Group).
So the instance is working only on port 22, can anyone explain why?
Here are the Security Group rules:
Ports Protocol Source
0--1 icmp 0.0.0.0/0, ::/0
22 tcp 0.0.0.0/0, ::/0
7787-7788 udp 0.0.0.0/0, ::/0
27166 tcp 0.0.0.0/0, ::/0
27165-27166 udp 0.0.0.0/0, ::/0
EDIT2 adding ACL inbound rules:
Rule # Type Protocol Port Range Source Allow / Deny
100 ALL Traffic ALL ALL 0.0.0.0/0 ALLOW
If you are able to SSH to the instance, then the problem is not related to the network configuration.
The NACL configuration you show permits all traffic.
That leaves the instance as the guilty party, so you should concentrate your efforts on-instance rather than elsewhere.
So i found what was wrong: the icmp rule I was setting inbound was for icmp echo reply, i had to use icmp echo request, it took me 8 hours to realize it. no need to configure iptaples, ACL or else.
I'm sorry for the useless thread!
I'm configuring a NAT instance that should redirect all incoming requests on port 2222 to port 22 of a server in a private subnet on my virtual private cloud, so I can connect with SSH straight to my private instance. I have opened port 2222 on the NAT Instance's security group and 22 on my private instance's security group, as well as added on
/etc/ssh/sshd_config
the following lines:
Port 22
Port 2222
nmap on NAT instance shows that port 2222 is open:
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
111/tcp open rpcbind
2222/tcp open EtherNet/IP-1
I also added this following iptables rule on my NAT instance, hence any packages that comes on port 2222 should be redirected to 10.0.2.18:22 (10.0.2.18 is the private instance IP):
sudo iptables -t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to-destination 10.0.2.18:22
The problem is that I can't reach port 2222 of my NAT instance, if I try this:
ssh -p 2222 -i mykey.pem ec2-user#my_nat_ip
or this:
nc -zv my_nat_ip 2222
I get a connection time out.
Thanks in advance any help.
A few things for you to check out (assuming you have already ruled out Security Groups):
Check if you haven't denied traffic on your Network ACLs (NACL).
Check if the Route Table for your private subnet is sending traffic to the NAT instance.
Check if you have disabled the Source/Destination Check on your NAT instance.
Also, you might want to enable VPC Flow Logs on your VPC to help you find where those packets might be getting dropped.
And then, another suggestion: you might want to consider an alternative to port forwarding, as this is basically exposing your instance in the private subnet to the dangerous internet. A common approach is to have what is commonly referred to as a Bastion Host. Or a Jump Host. Some people use a NAT instance for this purpose. A few ways to do this would include: (1) use SSH local port forwarding; (2) use SSH dynamic proxy; (3) use the ProxyCommand option on your SSH client. There are plenty of answered questions about all these subjects on StackOverflow and other StackExchange sites, you'll definitely find many ways to do it!