
AWS ubuntu instance can't reach the world

I created a new Ubuntu instance in AWS, and I can ssh to it successfully. However, when I try to install packages using this command, it won't work:

sudo apt-get install apache2  
...
...
0% [Connecting to ap-southeast-2.ec2.archive.ubuntu.com (91.189.91.23)]^Cubuntu@ip-10-1-0-99:/etc$

This never moves forward!

I tried pinging google.com.au, also with no response.

Here is the VPC config of AWS:

Network ACL:

Outbound:
Rule #   Type         Protocol   Port Range   Destination   Allow / Deny
100      ALL Traffic  ALL        ALL          0.0.0.0/0     ALLOW
*        ALL Traffic  ALL        ALL          0.0.0.0/0     DENY

Inbound:
Rule #   Type         Protocol   Port Range   Source        Allow / Deny
10       HTTP (80)    TCP (6)    80           0.0.0.0/0     ALLOW
120      HTTPS (443)  TCP (6)    443          0.0.0.0/0     ALLOW
140      SSH (22)     TCP (6)    22           0.0.0.0/0     ALLOW
*        ALL Traffic  ALL        ALL          0.0.0.0/0     DENY

Security Group outbound settings:

Type         Protocol   Port Range   Destination
ALL Traffic  ALL        ALL          0.0.0.0/0

Routing table setting:

Destination   Target         Status   Propagated
10.1.0.0/24   local          Active   No
0.0.0.0/0     igw-cfe30caa   Active   No

What could be wrong here?

EDIT: the nslookup & dig commands work fine!

Thanks!

Your inbound network ACL is only allowing traffic addressed to inbound TCP ports 22, 80, and 443. It doesn't allow the responses for your outbound requests, on your ephemeral ports.

$ cat /proc/sys/net/ipv4/ip_local_port_range
32768   61000

You need a rule in the network ACL to allow TCP 32768 through 61000... or, better, don't use the inbound network ACL at all -- set it back to the default, to allow all.

You almost certainly don't need to use network ACLs unless you have a particularly complex network configuration. The inbound rules in the security group are usually sufficient to control access to an instance. Inbound security group rules deny by default, and unlike Network ACLs, which are stateless packet filters, security groups are stateful, TCP session-aware.

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html#VPC_Security_Comparison

Important: do not add the ephemeral port rule discussed above to the security group inbound rules. Since security groups are stateful, you only want to "allow" traffic in the direction where you want TCP sessions to be initiated. Responses to established TCP sessions are allowed automatically by security group rules, but not network ACL rules, because they're implemented differently.

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html
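The following is an added example, not code from the original answer or from AWS: a small simulator of the two filtering models the answer contrasts. It feeds the apt mirror's reply packet (mirror 91.189.91.23 port 80 back to the instance's ephemeral port; the ephemeral port 45678 and the rule number 150 are constructed) through the question's inbound network ACL, evaluated statelessly in rule-number order, and through a stateful security group that tracks connections the instance initiated. The ACL drops the reply until the ephemeral-port rule exists; the security group accepts it with no inbound rule at all.

```python
"""Stateless network ACL vs. stateful security group, modelled for the
return half of an outbound TCP connection.

Constructed example: rule tables are the question's inbound ACL and an
SSH-only security group; the packets are the instance's apt request and the
mirror's reply. This is a simulator of the documented AWS semantics, not
AWS code.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class AclRule:
    number: int      # lowest number evaluated first; AWS stores the '*' default as 32767
    proto: str       # "tcp", "udp" or "all"
    port_from: int   # inbound ACL port ranges match the packet's destination port
    port_to: int
    cidr: str        # inbound rules match the packet's source address
    action: str      # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "all" and self.proto != pkt.proto:
            return False
        if not (self.port_from <= pkt.dst_port <= self.port_to):
            return False
        return ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(self.cidr)


def nacl_inbound_verdict(rules, pkt: Packet) -> str:
    """Stateless: each packet is judged alone; first matching rule wins."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action
    return "deny"  # AWS always ends the table with a '*' deny


# Inbound network ACL exactly as listed in the question.
QUESTION_INBOUND_ACL = [
    AclRule(10, "tcp", 80, 80, "0.0.0.0/0", "allow"),
    AclRule(120, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    AclRule(140, "tcp", 22, 22, "0.0.0.0/0", "allow"),
    AclRule(32767, "all", 0, 65535, "0.0.0.0/0", "deny"),  # the '*' rule
]

# The fix the answer describes. Rule number 150 is an assumption; the port
# range is the Linux ip_local_port_range shown in the answer.
EPHEMERAL_RULE = AclRule(150, "tcp", 32768, 61000, "0.0.0.0/0", "allow")


class StatefulSecurityGroup:
    """Stateful: replies to sessions the instance opened are accepted
    without any inbound rule, which is why the answer says not to add the
    ephemeral range to the security group."""

    def __init__(self, inbound_allowed_ports):
        self.inbound_allowed_ports = set(inbound_allowed_ports)
        self._tracked = set()  # connection-tracking table

    def outbound(self, pkt: Packet) -> str:
        # Outbound is all-allow in the question; remember the flow so the
        # reply (addresses and ports swapped) is recognised on the way in.
        self._tracked.add((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        return "allow"

    def inbound(self, pkt: Packet) -> str:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        if key in self._tracked:
            return "allow"  # reply to a tracked session
        return "allow" if pkt.dst_port in self.inbound_allowed_ports else "deny"


def apt_request() -> Packet:
    # Instance 10.1.0.99 connects from ephemeral port 45678 (constructed) to the mirror.
    return Packet("10.1.0.99", 45678, "91.189.91.23", 80)


def apt_mirror_reply() -> Packet:
    return Packet("91.189.91.23", 80, "10.1.0.99", 45678)


def demo() -> dict:
    """Verdicts for the mirror's reply under each model."""
    sg = StatefulSecurityGroup(inbound_allowed_ports={22})
    sg.outbound(apt_request())
    return {
        "nacl_as_posted": nacl_inbound_verdict(QUESTION_INBOUND_ACL, apt_mirror_reply()),
        "nacl_with_ephemeral_rule": nacl_inbound_verdict(
            QUESTION_INBOUND_ACL + [EPHEMERAL_RULE], apt_mirror_reply()),
        "security_group_ssh_only": sg.inbound(apt_mirror_reply()),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Inbound ACL rules are matched on the packet's destination port and source CIDR only, which is why the mirror replying from port 80 gets no help from rule 10: its destination port is the instance's ephemeral port. Unsolicited packets to that same ephemeral port are still refused by the stateful group because no tracked session matches them, so the security group keeps the protection the ACL rule gives up.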

*   ALL Traffic ALL     ALL     0.0.0.0/0   DENY - Wrong

*   ALL Traffic ALL     ALL     0.0.0.0/0   Allow - Right

Please allow outbound if you want to connect to external servers like google.com, or even want to update: sudo apt-get update

You can allow outbound using the AWS front end: go to Security Groups -> Outbound.

Make sure you select the right group for your AWS instance.
