0

I have already opened the ports but it's still not working.

From gcloud on my local machine:

C:\Program Files (x86)\Google\Cloud SDK>gcloud compute firewall-rules list
To show all fields of the firewall, please show in JSON format: --format=json
To show all fields in table format, please see the examples in --help.

NAME                    NETWORK  DIRECTION  PRIORITY  ALLOW                             DENY
default-allow-https     default  INGRESS    1000      tcp:443
default-allow-icmp      default  INGRESS    65534     icmp
default-allow-internal  default  INGRESS    65534     tcp:0-65535,udp:0-65535,icmp
default-allow-rdp       default  INGRESS    65534     tcp:3389
default-allow-ssh       default  INGRESS    65534     tcp:22
django                  default  EGRESS     1000      tcp:8000,tcp:80,tcp:8080,tcp:443
django-in               default  INGRESS    1000      tcp:8000,tcp:80,tcp:8080,tcp:443

From the instance on Google Cloud:

admin-u5214628@instance-1:~$ wget localhost:8080
--2017-11-22 01:23:56--  http://localhost:8080/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response... 302 FOUND
Location: http://localhost:8080/login/?next=/ [following]
--2017-11-22 01:23:56--  http://localhost:8080/login/?next=/
Connecting to localhost (localhost)|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html              [ <=>                ]   6.26K  --.-KB/s    in 0s

2017-11-22 01:23:56 (161 MB/s) - ‘index.html’ saved [6411]

But via the external IP, nothing is shown:

http://35.197.1.158:8080/

I checked the port by the following command:

root@instance-1:/etc# netstat -ntlp | grep LISTEN
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      1539/redis-server 1
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      2138/python
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1735/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      1735/sshd

I'm not sure if this is enough for the Ubuntu firewall setting. It looks OK to me.

And on the instance, I checked everything I can think of.

And the UFW (uncomplicated firewall):

root@instance-1:~# ufw status
Status: inactive

From my understanding, this means it is off, so not blocking anything.


As suggested, I tried to configure iptables:

iptables -P INPUT ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

Then I save it:

root@instance-1:~# iptables-save -c
# Generated by iptables-save v1.6.0 on Thu Nov 23 00:16:44 2017
*mangle
:PREROUTING ACCEPT [175:18493]
:INPUT ACCEPT [175:18493]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [154:15965]
:POSTROUTING ACCEPT [154:15965]
COMMIT
# Completed on Thu Nov 23 00:16:44 2017
# Generated by iptables-save v1.6.0 on Thu Nov 23 00:16:44 2017
*nat
:PREROUTING ACCEPT [6:300]
:INPUT ACCEPT [6:300]
:OUTPUT ACCEPT [6:360]
:POSTROUTING ACCEPT [6:360]
COMMIT
# Completed on Thu Nov 23 00:16:44 2017
# Generated by iptables-save v1.6.0 on Thu Nov 23 00:16:44 2017
*filter
:INPUT ACCEPT [169:18193]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [163:17013]
[6:300] -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Thu Nov 23 00:16:44 2017

It looks like this now:

root@instance-1:~# iptables -v -n -x -L
Chain INPUT (policy ACCEPT 80 packets, 5855 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 52 packets, 6047 bytes)
    pkts      bytes target     prot opt in     out     source               destination

To make sure the rules are applied and live:

iptables-save > /etc/iptables.rules
iptables-apply /etc/iptables.rules

I don't think I need to restart/reset the instance.


I think I need to forward traffic to local ip:

# sysctl net.ipv4.ip_forward=1
# iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 127.0.0.1:8000
# iptables -t nat -A POSTROUTING -j MASQUERADE
# python manage.py runserver
Performing system checks...

System check identified no issues (0 silenced).
November 24, 2017 - 17:54:00
Django version 1.8.18, using settings 'codebench.settings'
Starting development server at http://127.0.0.1:8000/

This way did not work...


Tried:

python manage.py runserver 0.0.0.0:8080 &

This definitely worked on my local machine, just not on the Google instance. I'm so puzzled.

Mzq

2 Answers

0

In my experience, when I create an instance of a compute engine, I should explicitly flag that HTTP(S) access is allowed. That may be one thing to have a look at.

Another one - the OS you deploy/use in the compute engine instance might have its own firewall rules. They need to be amended accordingly.

Based on the newly provided information about UFW and Ubuntu: I am not very confident with Ubuntu, but I understand that UFW is a wrapper around iptables. I may be wrong, but I guess it may be better if it is enabled. Then you might be able to get more details about the firewall configuration.

al-dann
0

I believe the problem is that the server is only listening on 127.0.0.1:8080, not 0.0.0.0:8080, as it should be. That's the reason you are getting a reply with http://localhost:8080/ but not with http://35.197.1.158:8080. For more details, check out this answer from Stack Overflow: What is the difference between 0.0.0.0, 127.0.0.1 and localhost?

To change configuration for Apache to listen to 0.0.0.0:8080 or to a specific IP and port follow this document https://httpd.apache.org/docs/2.4/bind.html

Nur

I haven't installed any proper server on that VM, like Apache; it was run with `runserver`. This problem was a long time ago; now the app is set up with a private server (with Nginx). – Mzq Aug 10 '18 at 05:45
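
As an added example (not code from the question or either answer), this Python sketch cross-checks the `netstat -ntlp` lines and the INGRESS ports quoted in the question, showing that port 8080 is allowed by the cloud firewall but bound to loopback only. The function names are hypothetical, the internal-only rule is assumed to be out of scope, and host firewalls such as iptables are not modelled.

```python
import ipaddress

# Constructed sample: the `netstat -ntlp` lines quoted in the question.
NETSTAT = """\
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      1539/redis-server 1
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      2138/python
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1735/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      1735/sshd
"""
# TCP ports of the INGRESS rules in the question's firewall listing.
# Assumption: default-allow-internal is left out as internal-only.
INGRESS_TCP = {22, 80, 443, 3389, 8000, 8080}


def parse_listeners(text):
    """Yield (bind_address, port, program) for each LISTEN line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or f[5] != "LISTEN":
            continue
        host, _, port = f[3].rpartition(":")
        yield host, int(port), f[6].partition("/")[2]


def is_external(host):
    """True when the bind address accepts connections from other hosts."""
    return not ipaddress.ip_address(host).is_loopback


def audit(text, ingress_ports):
    """Map each port to a verdict combining bind scope and firewall state."""
    external = {}
    for host, port, _prog in parse_listeners(text):
        external[port] = external.get(port, False) or is_external(host)
    verdicts = {}
    for port in sorted(set(external) | set(ingress_ports)):
        allowed = port in ingress_ports
        if port not in external:
            verdicts[port] = "firewall open, nothing listening"
        elif external[port]:
            verdicts[port] = "reachable" if allowed else "listening, blocked by firewall"
        else:
            verdicts[port] = "firewall open, loopback only" if allowed else "local only"
    return verdicts


if __name__ == "__main__":
    for port, verdict in audit(NETSTAT, INGRESS_TCP).items():
        print(port, verdict)
```

Rebinding with `runserver 0.0.0.0:8080` moves port 8080 to `reachable`, which also exposes Django's development server to every source the ingress rule admits.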