Oracle Cloud: как отладить фаерволл, который режет HTTPS?

Question

[Vindicar]

Ситуация: есть always free instance на Oracle Cloud. Настроен apache с SSL сертификатом.
В настройках инстанса прописаны идентичные правила фаерволла для портов 80 и 443.
Но при этом web-сервер отвечает только по HTTP.
netstat показывает, что apache слушает порты 80 и 443 на всех интерфейсах.
Проверка через wget показала следующее:
"Снаружи":
wget http://instance.address работает нормально
wget https://instance.address отвечает "No route to host" (sic!)
"Изнутри", т.е. подключившись к серверу по ssh:
wget http://localhost работает нормально
wget https://localhost даёт ошибку сертификата, что логично. Т.е. само TCP соединение устанавливается.
wget http://instance.address работает нормально
wget https://instance.address тоже отвечает "No route to host" (sic!)
Увы, я не настолько хорошо владею iptables, чтобы разрулить это самому.

uname -a

Linux nextcloud-instance 5.11.0-1023-oracle #24~20.04.1-Ubuntu SMP Fri Dec 3 15:02:59 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

netstat -nlp

ubuntu@nextcloud-instance:~$ sudo netstat -nlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      913/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/init
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      11127/apache2
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      694/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      814/sshd: /usr/sbin
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      11127/apache2
tcp6       0      0 :::111                  :::*                    LISTEN      1/init
tcp6       0      0 :::22                   :::*                    LISTEN      814/sshd: /usr/sbin
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1/init
udp        0      0 127.0.0.53:53           0.0.0.0:*                           694/systemd-resolve
udp        0      0 10.0.0.97:68            0.0.0.0:*                           692/systemd-network
udp6       0      0 :::111                  :::*                                1/init
raw6       0      0 :::58                   :::*                    7           692/systemd-network

iptables -L

ubuntu@nextcloud-instance:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp spt:ntp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http state NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             169.254.169.254      tcp dpt:https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
InstanceServices  all  --  anywhere             link-local/16

Chain InstanceServices (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             169.254.0.2          owner UID match root tcp dpt:iscsi-target /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT     tcp  --  anywhere             169.254.2.0/24       owner UID match root tcp dpt:iscsi-target /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT     tcp  --  anywhere             169.254.4.0/24       owner UID match root tcp dpt:iscsi-target /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT     tcp  --  anywhere             169.254.5.0/24       owner UID match root tcp dpt:iscsi-target /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT     tcp  --  anywhere             169.254.0.2          tcp dpt:http /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT     udp  --  anywhere             169.254.169.254      udp dpt:domain /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT     tcp  --  anywhere             169.254.169.254      tcp dpt:domain /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT     tcp  --  anywhere             169.254.0.3          owner UID match root tcp dpt:http /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT     tcp  --  anywhere             169.254.0.4          tcp dpt:http /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT     tcp  --  anywhere             169.254.169.254      tcp dpt:http /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT     udp  --  anywhere             169.254.169.254      udp dpt:bootps /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT     udp  --  anywhere             169.254.169.254      udp dpt:tftp /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT     udp  --  anywhere             169.254.169.254      udp dpt:ntp /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
REJECT     tcp  --  anywhere             link-local/16        tcp /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */ reject-with tcp-reset
REJECT     udp  --  anywhere             link-local/16        udp /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */ reject-with icmp-port-unreachable

Я подозреваю, что проблема вызвана следующим - при начальной настройке убунты iptables запросила сохранение в файл текущих правил. На тот момент HTTP уже был открыт, а HTTPS еще нет, так что может правила iptables просто "отвязались" от настроек Oracle Cloud? Не уверен, как "привязать" их обратно, не снося инстанс целиком и не перенастраивая его заново.

Comments

[Lynn «Кофеман»]

Подозреваю, что на самом деле у вас кривой редирект. Покажите curl -vk https://instance.address/

[Vindicar]

Lynn «Кофеман»,

curl -vk https://instance.address
* Rebuilt URL to: https://instance.address/
* Hostname was NOT found in DNS cache
*   Trying [instance IPv4]...
* connect to [instance IPv4] port 443 failed: No route to host
* Failed to connect to istance.address port 443: No route to host
* Closing connection 0
curl: (7) Failed to connect to istance.address port 443: No route to host

[Lynn «Кофеман»]

Vindicar, эм, а по http?

Всё таки no route to host не должно зависить от порта

[Vindicar]

Lynn «Кофеман», пардон, протупил.

curl -vk http://istance.address
* Rebuilt URL to: http://istance.address/
* Hostname was NOT found in DNS cache
*   Trying [instance IPv4]...
* Connected to istance.address ([instance IPv4]) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: istance.address
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sat, 08 Jan 2022 12:24:56 GMT
* Server Apache/2.4.41 (Ubuntu) is not blacklisted
< Server: Apache/2.4.41 (Ubuntu)
< Vary: Accept-Encoding
< Content-Length: 765
< Content-Type: text/html;charset=UTF-8
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /</title>
 </head>
 <body>
<h1>Index of /</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="nextcloud/">nextcloud/</a></td><td align="right">2021-11-26 20:51  </td><td align="right">  - </td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.41 (Ubuntu) Server at istance.address Port 80</address>
</body></html>
* Connection #0 to host istance.address left intact

[Lynn «Кофеман»]

Хотя по ходу я ошибаюсь

[Vindicar]

Lynn «Кофеман», я думаю, может зависеть от порта если фаервол режет.
Я даже так сделал:
traceroute --tcp -p 80 instance.address
и так
traceroute --tcp -p 443 instance.address
В первом случае трейс проходит, во втором - доходит до узла инстанса, но выдаёт вот такое

[instance IPv4] ([instance IPv4])  28.441 ms !X  28.440 ms !X  28.406 ms !X

В мане написано,

!X (communication administratively prohibited)

.

[Lynn «Кофеман»]

Так у вас REJECT all стоит выше двух последних ACCEPT. А он должен быть последним

Answer 1

[Александр Карабанов]

Проверь в настройках виртуальной сети, разрешено ли прохождение трафика на 443 порт.

Comments

[Vindicar]

Насколько я понял - да. Эти правила были актуальны на момент написания вопроса и остаются актуальными сейчас. Пробовал также делать только Stateful Ingress правила (в доках оракла написано, что так тоже сработает) - не пашет с теми же симптомами.

[Александр Карабанов]

Vindicar, выглядит хорошо. Посмотри вывод iptables -S

[Vindicar]

Александр Карабанов,

iptables -S

ubuntu@nextcloud-instance:~$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N InstanceServices
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -i ens3 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -d 169.254.169.254/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -d 169.254.0.0/16 -j InstanceServices
-A InstanceServices -d 169.254.0.2/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.2.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.4.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.5.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.2/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.3/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.4/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 67 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 69 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 123 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.0/16 -p tcp -m tcp -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j REJECT --reject-with tcp-reset
-A InstanceServices -d 169.254.0.0/16 -p udp -m udp -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j REJECT --reject-with icmp-port-unreachable

Хмм, видна разница между правилами для 80 и 443...

[Александр Карабанов]

Vindicar, правила разрешающее прохождение трафика на 443 порт находятся ниже правила запрещающего прохождение любого трафика, таким образом до них никогда не доходит очередь.
Надо либо эти правила поднять выше, либо в правило, которое разрешает прохождение трафика на 80 порт, добавить ещё и 443 порт как-то так:

-A INPUT -i ens3 -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT

[Vindicar]

Александр Карабанов, о! Сработало! Спасибо огромное!
Использовал iptables-save и iptables-restore для этой цели.