I created a new ubuntu instance in AWS, I can ssh connect to it successfully. However when I try to install packages using this command, it won't work :
sudo apt-get install apache2
...
...
0% [Connecting to ap-southeast-2.ec2.archive.ubuntu.com (91.189.91.23)]^Cubuntu@ip-10-1-0-99:/etc$
This never moves forward !
I tried ping google.com.au, also no response.
Here is the VPC config of AWS:
Network ACL :
Outbound:
Rule # Type Protocol Port Range Destination Allow / Deny
100 ALL Traffic ALL ALL 0.0.0.0/0 ALLOW
* ALL Traffic ALL ALL 0.0.0.0/0 DENY
Inbound :
Rule # Type Protocol Port Range Source Allow / Deny
10 HTTP (80) TCP (6) 80 0.0.0.0/0 ALLOW
120 HTTPS (443) TCP (6) 443 0.0.0.0/0 ALLOW
140 SSH (22) TCP (6) 22 0.0.0.0/0 ALLOW
* ALL Traffic ALL ALL 0.0.0.0/0 DENY
security Group outbound settings :
Type Protocol Port Range Destination
ALL Traffic ALL ALL 0.0.0.0/0
Routing table setting:
Destination Target Status Propagated
10.1.0.0/24 local Active No
0.0.0.0/0 igw-cfe30caa Active No
What could be wrong here ?
EDIT: nslookup & dig command works fine!
Thanks !
Your inbound network ACL is only allowing traffic addressed to inbound TCP ports 22, 80, and 443. It doesn't allow the responses for your outbound requests, on your ephemeral ports.
$ cat /proc/sys/net/ipv4/ip_local_port_range
32768 61000
You need a rule in the network ACL to allow TCP 32768 through 61000... or, better, don't use the inbound network ACL at all -- set it back to the default, to allow all.
You almost certainly don't need to use network ACLs unless you have a particularly complex network configuration. The inbound rules in the security group are usually sufficient to control access to an instance. Inbound security group rules deny by default, and unlike Network ACLs, which are stateless packet filters, security groups are stateful, TCP session-aware.
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html#VPC_Security_Comparison
Important: do not add the ephemeral port rule discussed above to the security group inbound rules. Since security groups are stateful, you only want to "allow" traffic in the direction where you want TCP sessions to be initiated. Responses to established TCP sessions are allowed automatically by security group rules, but not network ACL rules, because they're implemented differently.
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html
* ALL Traffic ALL ALL 0.0.0.0/0 DENY - Wrong
* ALL Traffic ALL ALL 0.0.0.0/0 Allow - Right
Please allow Outbound, if you want to connect to external servers like google.com or even want to update- sudo apt-get update
You can allow the outbound using AWS front-end goto Security Groups -> Outbound
Make sure you select the right group for your AWS instance
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.