I bought a VPS and built a shadowsocks server on it. It ran well for about 2 months and then suddenly stopped working, i.e. I cannot use it to overcome the GFW any more. So I checked the server, reinstalled everything and checked the firewall, but still couldn't solve the problem. Please help me out with this puzzle!
First, I can ssh to the server. I'm using a Mac and the server OS is CentOS 7.
I tried to ping the server from the Mac, and it connects.
PING vultr (108.61.215.163): 56 data bytes
64 bytes from 108.61.215.163: icmp_seq=0 ttl=50 time=485.473 ms
64 bytes from 108.61.215.163: icmp_seq=1 ttl=50 time=407.054 ms
64 bytes from 108.61.215.163: icmp_seq=2 ttl=50 time=429.089 ms
64 bytes from 108.61.215.163: icmp_seq=3 ttl=50 time=552.046 ms
^C
--- vultr ping statistics ---
5 packets transmitted, 4 packets received, 20.0% packet loss
round-trip min/avg/max/stddev = 407.054/468.416/552.046/56.118 ms
Then I telnet to it on the specific port that I defined in shadowsocks, but it fails to connect.
# telnet 108.61.216.163 8754
Trying 108.61.215.163...
telnet: connect to address 108.61.215.163: Operation timed out
telnet: Unable to connect to remote host
So on the server I checked netstat:
# netstat -anltp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3253/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3498/master
tcp 0 0 108.61.215.163:8754 0.0.0.0:* LISTEN 3652/python
tcp 0 0 108.61.215.163:22 218.92.1.158:45819 SYN_RECV -
tcp 0 21 108.61.215.163:22 150.162.11.207:43510 ESTABLISHED 3847/sshd: [accepte
tcp 0 0 108.61.215.163:22 58.49.194.24:55529 ESTABLISHED 3793/sshd: root#pts
tcp 0 1281 108.61.215.163:22 218.92.1.158:19746 FIN_WAIT1 -
tcp 0 1280 108.61.215.163:22 36.156.24.99:50400 ESTABLISHED 3843/sshd: [accepte
tcp 0 0 108.61.215.163:8754 58.49.194.24:56578 SYN_RECV -
tcp6 0 0 :::22 :::* LISTEN 3253/sshd
tcp6 0 0 ::1:25 :::* LISTEN 3498/master
The port is 8754, and PID 3652 is my shadowsocks service.
I also checked my firewall settings, and port 8754 is open:
# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh http https
ports: 8754/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" port port="8754" protocol="tcp" accept
I also checked iptables, and here is what it returned:
# iptables -xvn -L
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
349 31354 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
63 2928 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
63 2928 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
63 2928 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
1 44 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
47 1972 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 408 packets, 71561 bytes)
pkts bytes target prot opt in out source destination
410 71641 OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public all -- eth0 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDI_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_OUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public all -- * eth0 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 FWDO_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain FORWARD_direct (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public (2 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDI_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public (2 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain FWDO_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
61 2800 IN_public all -- eth0 * 0.0.0.0/0 0.0.0.0/0 [goto]
2 128 IN_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain INPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public (2 references)
pkts bytes target prot opt in out source destination
63 2928 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
63 2928 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
63 2928 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8754 ctstate NEW
15 912 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8754 ctstate NEW
Chain IN_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain IN_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
I don't know what to check or what to do now... Please advise. Thank you very much!
It looks like the SYN packet (new connection) was received, but the connection remained there.
tcp 0 0 108.61.215.163:8754 58.49.194.24:56578 SYN_RECV -
I think that means firewalld allowed the new connection (SYN). Another way to verify is to temporarily disable firewalld and try the connection/proxy again. If it still does not work, then you should check the shadowsocks service.
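To make the answer's reasoning mechanical, here is an added example (not from the question or the answer) that parses lines in the shape of the netstat -anltp and iptables -xvn -L output above and reports where the TCP handshake is getting stuck; the sample lines are constructed from the post's output.

```python
import re

# Constructed sample: a few lines taken from the netstat -anltp and
# iptables -xvn -L output in the question (the post's own addresses).
NETSTAT = """\
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3253/sshd
tcp 0 0 108.61.215.163:8754 0.0.0.0:* LISTEN 3652/python
tcp 0 0 108.61.215.163:8754 58.49.194.24:56578 SYN_RECV -
tcp 0 0 108.61.215.163:22 58.49.194.24:55529 ESTABLISHED 3793/sshd
"""
IPTABLES_ALLOW = """\
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8754 ctstate NEW
15 912 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
"""

def socket_states(netstat_text, port):
    """Map TCP state -> count for sockets whose local port is `port`."""
    states = {}
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 6 or not cols[0].startswith("tcp"):
            continue
        if cols[3].rsplit(":", 1)[1] == str(port):
            states[cols[5]] = states.get(cols[5], 0) + 1
    return states

def accept_counter(iptables_text, port):
    """Packet count on the ACCEPT rule for tcp dpt:<port>, or None if absent."""
    pat = re.compile(rf"^\s*(\d+)\s+\d+\s+ACCEPT\s+tcp\b.*\bdpt:{port}\b")
    for line in iptables_text.splitlines():
        m = pat.match(line)
        if m:
            return int(m.group(1))
    return None

def diagnose(netstat_text, iptables_text, port):
    """Say where a connection to `port` is getting stuck, from the two outputs."""
    st = socket_states(netstat_text, port)
    if "LISTEN" not in st:
        return "no listener: the service is down or bound elsewhere"
    if st.get("ESTABLISHED"):
        return "handshake completes: firewall and service both pass"
    if st.get("SYN_RECV"):
        # The SYN reached the socket, so the INPUT chain let it through; the
        # SYN-ACK (or the client's final ACK) is being lost on the path.
        return "SYN received, handshake never completes: look at the path, not the host firewall"
    if accept_counter(iptables_text, port) == 0:
        return "listener up, no packet ever matched the ACCEPT rule: traffic not arriving"
    return "listener up, no connection attempts visible"
```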
Related
My setup is quite simple: a Raspberry Pi (tun0 IP is 172.32.0.130) is connected to an AWS VPC (172.31.0.0/16) through AWS Client VPN, with an attachment to a public subnet (172.31.32.0/20). There's an EC2 instance (172.31.37.157) up and running in this subnet. The Raspberry Pi can access all resources of the subnet, and I can SSH into the EC2 instance from the Raspberry Pi using the private IP address. This makes me believe that the VPN is working just fine.
The problem is when I try the opposite direction. If I try to SSH from the EC2 instance into the Raspberry Pi, I can't reach the host. I'm assuming that I need to add some sort of routing configuration so the OpenVPN client running on the Raspberry Pi allows me to SSH into it, but I can't figure out exactly how.
Here's the RBP routing table:
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
0.0.0.0         192.168.86.1    0.0.0.0         UG    303    0   0   wlan0
172.31.0.0      172.32.0.129    255.255.0.0     UG    0      0   0   tun0
172.32.0.128    0.0.0.0         255.255.255.224 U     0      0   0   tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     202    0   0   eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     304    0   0   wlan1
192.168.86.0    0.0.0.0         255.255.255.0   U     303    0   0   wlan0
Here's the EC2 instance routing table:
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
0.0.0.0         172.31.32.1     0.0.0.0         UG    100    0   0   eth0
172.31.0.2      172.31.32.1     255.255.255.255 UGH   100    0   0   eth0
172.31.32.0     0.0.0.0         255.255.240.0   U     100    0   0   eth0
172.31.32.1     0.0.0.0         255.255.255.255 UH    100    0   0   eth0
This is the Raspberry Pi's OpenVPN client config:
client
dev tun
proto udp
remote xxx.clientvpn.eu-west-1.amazonaws.com 443
remote-random-hostname
resolv-retry infinite
nobind
cert client1.domain.tld.crt
key client1.domain.tld.key
remote-cert-tls server
cipher AES-256-GCM
verb 3
Finally, because my Raspberry Pi sits in front of several devices, I'm routing the internet coming from wlan0 to eth0 and wlan1 by adding entries to iptables:
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
I'm not a network specialist and I can't figure out what's going on, but the asymmetrical nature of this behaviour makes me believe that the problem is on the Raspberry Pi. What do you think?
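As an added example (not part of the question), the two routing tables above can be walked with a longest-prefix lookup to see what each host does with a packet for the other end of the SSH session; it only shows what these tables say, and whether the VPC side has a route back through the Client VPN endpoint is outside them.

```python
from ipaddress import ip_address, ip_network

# Constructed from the two `route -n` tables in the question:
# (destination, genmask, gateway, iface); a 0.0.0.0 gateway means on-link.
RPI_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "192.168.86.1", "wlan0"),
    ("172.31.0.0", "255.255.0.0", "172.32.0.129", "tun0"),
    ("172.32.0.128", "255.255.255.224", "0.0.0.0", "tun0"),
    ("192.168.0.0", "255.255.255.0", "0.0.0.0", "eth0"),
    ("192.168.1.0", "255.255.255.0", "0.0.0.0", "wlan1"),
    ("192.168.86.0", "255.255.255.0", "0.0.0.0", "wlan0"),
]
EC2_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "172.31.32.1", "eth0"),
    ("172.31.0.2", "255.255.255.255", "172.31.32.1", "eth0"),
    ("172.31.32.0", "255.255.240.0", "0.0.0.0", "eth0"),
    ("172.31.32.1", "255.255.255.255", "0.0.0.0", "eth0"),
]

def lookup(routes, dst):
    """Longest-prefix match, as the kernel does; returns (gateway, iface)."""
    dst = ip_address(dst)
    best = None
    for dest, mask, gw, iface in routes:
        net = ip_network(f"{dest}/{mask}", strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    _, gw, iface = best
    return (gw if gw != "0.0.0.0" else "direct", iface)

def ssh_paths():
    """Next hop in each direction for Pi (172.32.0.130) <-> EC2 (172.31.37.157)."""
    return {
        "pi_to_ec2": lookup(RPI_ROUTES, "172.31.37.157"),  # via the VPN gateway on tun0
        "ec2_to_pi": lookup(EC2_ROUTES, "172.32.0.130"),   # only the default route matches
    }
```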
I have multiple websites on one EC2 instance, which were working perfectly on both HTTP and HTTPS until this morning. I have Jenkins installed as well, on port 8080.
Strangely, no changes were made, but now all HTTP ports are blocked: 80, 443 and 8080.
I've allowed all traffic from all sources currently, and it still blocks those ports.
The SSH port is working, and when I ssh in and test using wget, such as:
wget -O - http://localhost - works
wget -O - http://private-ip - works
wget -O - http://public-ip - no requests
wget -O - http://my-domain - no requests
Moreover, if I run nginx or some other HTTP server on some port other than 80, 443 or 8080, I receive requests from both the public IP and my domain.
ufw is disabled and iptables is empty:
sudo ufw status
Status: inactive
sudo iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
wget -O - http://localhost
--2020-11-11 16:08:54-- http://localhost/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
wget -O - http://private-ip
--2020-11-11 16:09:19-- http://private-ip/
Connecting to private-ip:80... connected.
HTTP request sent, awaiting response... 200 OK
wget -O - http://public-ip
--2020-11-11 16:10:11-- http://public-ip/
Connecting to public-ip:80...
HTTP Server on port 81 works.
I managed to solve the issue. Since WP was hosted on the instance, it got some malicious scripts, and some other sites reported us to ec2-abuse, so AWS blocked those ports.
Not sure why it wasn't stated somewhere in the AWS Console. It seems that info is available only if the client has paid support.
I am connected to an AWS server where I want to host an Elasticsearch application. For that to work, I need to open a set of ports. In my AWS security group, I have opened the ones that I consider necessary. To check whether that worked, I tried the following:
While connected to AWS via ssh, I typed curl localhost:3002, which outputs:
<html><body>You are being redirected.</body></html>
When I try the same from my local machine, i.e. curl http://ec2-xxxxx.eu-central-1.compute.amazonaws.com:3002, I receive:
curl: (7) Failed to connect to ec2-xxxxx.eu-central-1.compute.amazonaws.com port 3002: Connection refused
Does that mean that port 3002 is not open, or could there be another explanation?
Thank you for your help!
Edit:
The configuration in the security group looks as follows:
Ingoing:
80 TCP 0.0.0.0/0 launch-wizard-7
80 TCP ::/0 launch-wizard-7
22 TCP 0.0.0.0/0 launch-wizard-7
5000 TCP 0.0.0.0/0 launch-wizard-7
5000 TCP ::/0 launch-wizard-7
3002 TCP 0.0.0.0/0 launch-wizard-7
3002 TCP ::/0 launch-wizard-7
3000 TCP 0.0.0.0/0 launch-wizard-7
3000 TCP ::/0 launch-wizard-7
443 TCP 0.0.0.0/0 launch-wizard-7
443 TCP ::/0 launch-wizard-7
Outgoing:
All All 0.0.0.0/0 launch-wizard-7
I have set up an EC2 instance at AWS, and I have Java and Tomcat 9 installed on it (Ubuntu Server 18.04 LTS (HVM)). I am able to connect to my EC2 instance using SSH (elastic IP) [ssh -i "path/to/.pem-file" ubuntu@XX.XX.XX.XX] but unable to access the Tomcat default page from a browser outside EC2 using the AWS public DNS address or the Elastic IP.
I have added a Security Group and set up an inbound rule as below.
This is the output of iptables -nL on EC2.
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I have gone through similar posts here and followed the same steps mentioned in this article, but http://ec2-XXX-XXX-XXX-XXX.us-east-2.compute.amazonaws.com still does not load the Tomcat default page.
Need some help.
Edit:
netstat -na | grep 80
displays
tcp6 0 0 :::8080 :::* LISTEN
This suggests it is listening only for IPv6 addresses, and as per the official docs, Elastic IP addresses are not supported for IPv6.
I would like to allow only a specific public IP to use the pem file (SSH).
I have added my IP only for SSH, but I am able to connect with the same SSH key from a different public IP, or let's say a different computer with a different internet connection.
Edit inbound rules
Type Protocol Port range Source Description - optional
HTTP TCP 80 0.0.0.0/0 -
HTTP TCP 80 ::/0 -
POP3 TCP 110 0.0.0.0/0 -
POP3 TCP 110 ::/0 -
All traffic All All 0.0.0.0/0 -
All traffic All All ::/0 -
POP3S TCP 995 0.0.0.0/0 -
POP3S TCP 995 ::/0 -
IMAPS TCP 993 0.0.0.0/0 -
IMAPS TCP 993 ::/0 -
SSH TCP 22 42.109.252.7/32 - //This is what I have added to allow myself only to use SSH
SMTP TCP 25 0.0.0.0/0 -
SMTP TCP 25 ::/0 -
IMAP TCP 143 0.0.0.0/0 -
IMAP TCP 143 ::/0 -
DNS (TCP) TCP 53 0.0.0.0/0 -
DNS (TCP) TCP 53 ::/0 -
HTTPS TCP 443 0.0.0.0/0 -
HTTPS TCP 443 ::/0 -
Actually, I have a pem file which I want to be accessible to others only when I add their IPs in the inbound rules of the security group config in the AWS panel.
You also have a rule allowing all traffic from any IP in your security group list.
There is no specific ordering for security group rule evaluation, so when this rule is the first evaluated you will find that a target IP is able to access any port on the EC2 host.
If you want to restrict the IP addresses that can SSH to the host, you will need to remove the following rules:
All traffic All All 0.0.0.0/0 -
All traffic All All ::/0 -
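As an added example (not part of the question or the answer), the inbound rule list above can be evaluated the way a security group does, as an allow-list where any matching rule admits the packet; it shows the "All traffic" rows admitting SSH from any address, and the same list with those rows removed admitting SSH only from 42.109.252.7/32. The probe address 198.51.100.20 is a constructed documentation-range IP.

```python
from ipaddress import ip_address, ip_network

# Constructed from the inbound rules in the question:
# (protocol, port_from, port_to, source_cidr). "All traffic" rows cover
# every protocol and port.
INBOUND = [
    ("tcp", 80, 80, "0.0.0.0/0"), ("tcp", 80, 80, "::/0"),
    ("tcp", 110, 110, "0.0.0.0/0"), ("tcp", 110, 110, "::/0"),
    ("all", 0, 65535, "0.0.0.0/0"), ("all", 0, 65535, "::/0"),
    ("tcp", 995, 995, "0.0.0.0/0"), ("tcp", 995, 995, "::/0"),
    ("tcp", 993, 993, "0.0.0.0/0"), ("tcp", 993, 993, "::/0"),
    ("tcp", 22, 22, "42.109.252.7/32"),
    ("tcp", 25, 25, "0.0.0.0/0"), ("tcp", 25, 25, "::/0"),
    ("tcp", 143, 143, "0.0.0.0/0"), ("tcp", 143, 143, "::/0"),
    ("tcp", 53, 53, "0.0.0.0/0"), ("tcp", 53, 53, "::/0"),
    ("tcp", 443, 443, "0.0.0.0/0"), ("tcp", 443, 443, "::/0"),
]

def allowed(rules, src_ip, port, proto="tcp"):
    """Security groups are allow-lists: a packet passes if any rule matches."""
    src = ip_address(src_ip)
    for rproto, lo, hi, cidr in rules:
        net = ip_network(cidr)
        if net.version != src.version:          # v4 rules never match v6 sources
            continue
        if rproto not in ("all", proto):
            continue
        if lo <= port <= hi and src in net:
            return True
    return False

def drop_all_traffic(rules):
    """The fix from the answer: remove the 'All traffic' rows, keep the rest."""
    return [r for r in rules if r[0] != "all"]

def ssh_exposure(rules, probe_ips=("42.109.252.7", "198.51.100.20")):
    """Which of the probe addresses may open port 22 under `rules`."""
    return {ip: allowed(rules, ip, 22) for ip in probe_ips}
```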