What ports should I open to use EC2 as a nameserver - amazon-ec2

I have an EC2 micro instance running Amazon Linux. I installed BIND and set up an entry for a certain domain, and it works fine if you are on that server and type:
nslookup the-domain.com localhost
but I can't get to it from external servers by typing
nslookup the-domain.com 10-10-10-10.compute-1.amazonaws.com
In my security group, I set it to allow incoming traffic on port 53 (both TCP and UDP) but still, nothing. Anyone know what I am missing?

Make sure you have this line in your named.conf global options. "any" in these refers to any IP address; you could restrict access to specific clients by listing their IP addresses instead:
listen-on { any; };
For IPv6:
listen-on-v6 port 53 { any; };
The zones may also have restrictions placed using
allow-query { i.p.ad.rr; };

Related

AWS EC2-Windows Server cannot access outside network

I set up an AWS VPC.
There are different subnets, such as a public subnet and a private subnet.
My goal is to create a demo in which a Windows Server in the private subnet accesses the public internet through a third party's EC2 firewall in the AWS VPC.
I created an EC2 firewall with a different interface in each subnet (with an allow-all policy and ping allowed on the interfaces).
I also created an EC2 Windows server in the private subnet, but it cannot access the outside network.
The issues observed:
EC2-Windows can ping the local network (/24), including the firewall's interface.
EC2-Windows cannot access (web browsing/ping) the outside network.
EC2-Windows tracert 8.8.8.8 gives "* * * * request timeout" on every line (the default gateway cannot be shown either).
Whether EC2-Windows's Ethernet is set to DHCP or to a static address with the firewall's interface IP as the default gateway, the issue still occurs.
Background information:
Network ACLs are at the default setting (Allow All).
Security groups allow all traffic in both directions.
AWS subnet routing table with two records: Destination: VPC subnet, Target: firewall's interface; Destination: 0.0.0.0/0, Target: firewall's interface.
The firewall's interface (same subnet) can ping and RDP to EC2-Windows.
The firewall has no traffic record with source EC2-Windows and destination the outside network.
EC2-Windows's internal firewall is turned off.
What setting am I missing? What should I check to find the root cause, related to AWS or Windows settings?
More information after Wireshark on Windows and a packet capture on the firewall:
EC2-Windows sent both "ping 8.8.8.8" and "ping firewall's interface IP" to the firewall interface's MAC address (shown in Wireshark).
The firewall's interface packet capture shows only "ping firewall's interface IP".
Does this mean that the AWS VPC drops my outside traffic? How can I fix it?
I found the answer. The root cause is the "source/destination check" of the interface.
Since the firewall has to send and receive traffic whose source or destination is not itself when EC2-Windows accesses the outside network, the AWS "source/destination check" drops those packets.
After disabling the source/destination check, the issue is solved.
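As an added example (not part of the question or the answer above), here is a Python audit of the two facts the fix depends on: which ENIs are route targets, and whether the source/destination check is still enabled on them. The data is constructed inline in the shape of the boto3 describe_route_tables() and describe_network_interfaces() responses, with placeholder IDs; in a real account you would fetch those responses and apply the fix to each flagged ENI with modify_network_interface_attribute, and nowhere else, since the check is an anti-spoofing guard.

```python
# Added example (not from the question): audit which ENIs are route targets and whether
# the source/destination check is still enabled on them. The sample data is constructed
# in the shape of boto3's ec2.describe_route_tables() / describe_network_interfaces()
# responses; every ID is a placeholder.
ROUTE_TABLES = {"RouteTables": [{"RouteTableId": "rtb-PLACEHOLDER", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-FW-PLACEHOLDER", "State": "active"},
]}]}
NETWORK_INTERFACES = {"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-FW-PLACEHOLDER", "SourceDestCheck": True},   # firewall's private-side ENI
    {"NetworkInterfaceId": "eni-WIN-PLACEHOLDER", "SourceDestCheck": True},  # the Windows server
    {"NetworkInterfaceId": "eni-DB-PLACEHOLDER", "SourceDestCheck": False},  # check off, but never forwards
]}

def route_target_enis(route_tables):
    """ENIs that are the target of an active route. They must forward packets whose
    source/destination is not their own IP, which the source/destination check forbids."""
    return {r["NetworkInterfaceId"]
            for rt in route_tables["RouteTables"] for r in rt["Routes"]
            if r.get("NetworkInterfaceId") and r.get("State") == "active"}

def blackholing_forwarders(route_tables, interfaces):
    """Route targets with the check still on: EC2 silently drops the forwarded traffic,
    the symptom in the question (pings reach the firewall's MAC but never its capture)."""
    targets = route_target_enis(route_tables)
    return sorted(i["NetworkInterfaceId"] for i in interfaces["NetworkInterfaces"]
                  if i["NetworkInterfaceId"] in targets and i.get("SourceDestCheck", True))

def needless_disables(route_tables, interfaces):
    """The opposite drift: check disabled on ENIs that forward nothing. The check is an
    anti-spoofing guard, so it should be off only on the forwarding interfaces."""
    targets = route_target_enis(route_tables)
    return sorted(i["NetworkInterfaceId"] for i in interfaces["NetworkInterfaces"]
                  if i["NetworkInterfaceId"] not in targets and not i.get("SourceDestCheck", True))

if __name__ == "__main__":
    print("fix these:", blackholing_forwarders(ROUTE_TABLES, NETWORK_INTERFACES))   # ['eni-FW-PLACEHOLDER']
    print("re-enable on:", needless_disables(ROUTE_TABLES, NETWORK_INTERFACES))     # ['eni-DB-PLACEHOLDER']
    # boto3 fix per flagged ENI (assumption: you have an ec2 client):
    # ec2.modify_network_interface_attribute(NetworkInterfaceId=eni, SourceDestCheck={"Value": False})
```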

How do I route all traffic to my EC2's ip address to a specific port?

I have a basic web application running on a port in an EC2 instance. I have also created an A record in Route53 which points a domain name that I own towards the IP address of the EC2 instance.
When I directly access ip-address:port, it works fine, but because the A record does not point towards that specific port, the website cannot be accessed through the domain name.
How do I specify a port that all requests to that IP address should be routed to?
The port is determined by the protocol you are using.
If you use HTTP you will connect to port 80. HTTPS uses 443, FTP 21, SMTP 25, and there are many others (they are called the default ports for a service, but any other defined port may be used).
You are probably running an application listening on some different port (but using the HTTP protocol), and that's why you can reach it by entering http://ip-address:port.
What you can do to reach it by entering only http://ip-address is to set it to listen on port 80 (you will need root privileges to do this) or set up a redirect from port 80 to your application's port. You can use pure port redirection using iptables or (better) reverse proxy software; it can be Apache as mentioned in the comment above, or nginx or HAProxy or something else (you haven't specified the operating system anyway; those are mainly for Linux).
Hope that helps

EC2 instance with EIP in Public subnet not connecting to Internet

I have a strange problem wherein I am able to connect to an EC2 instance in a public subnet in an AWS VPC using RDP and HTTP. However, after successfully connecting to the instance through RDP, I am not able to connect to the Internet (from the instance).
a) I created a non-default AWS VPC and associated an IGW with it. The address range of the VPC is 10.0.0.0/16. A subnet with the address space 10.0.5.0/24 was created.
c) In order to make the subnet public, I decided to retain the Main Route Table as it is and created an additional route table with the following entries:
10.0.0.0/16 local
0.0.0.0/0 igw
d) This route table was associated with the subnet 10.0.5.0/24. This makes it a public subnet.
e) The NACL is set to allow:
INBOUND traffic HTTP(80), HTTPS(80), SSH(22), RDP(3389) for IPv4 and NACL
outbound traffic ALL TRAFFIC ALL PROTOCOL ALL PORT Range Destination 0.0.0.0/0
f) The security group settings are:
Inbound All traffic All All 0.0.0.0/0
Outbound All traffic All All 0.0.0.0/0
g) I created a single EC2 instance in the public subnet and assigned an Elastic IP to it. I am able to connect to this using RDP and able to access the IIS welcome page by typing the public DNS name of the EC2 instance in my local browser. However, from the instance, when I open IE and try accessing any popular websites, I am not able to access the Internet. I always get 'Can't reach this page'.
h) I disabled Windows Firewall and tried accessing the Internet. But still it didn't work.
i) The tracert output just shows Request timed out in all the lines.
Any help would be appreciated.
Thanks and Regards
Govind
First, verify that the following conditions are met:
The route table in the instance's subnet has a default route to an internet gateway. The security group attached to the instance's elastic network interface must allow outbound traffic on the following ports: port 80 for HTTP traffic and port 443 for HTTPS traffic. Identify the network access control lists (ACLs) that are associated with the subnet that the instance is located in. These network ACLs must have rules to allow inbound and outbound traffic on ports 80 and 443.
You don't need to open all the ports to enable outgoing web traffic.
https://aws.amazon.com/premiumsupport/knowledge-center/ec2-connect-internet-gateway/
Finally I was able to fix this issue. I added
ALL TCP TCP (6) 0 - 65535 0.0.0.0/0 ALLOW
as an INBOUND rule in the NACL. Immediately I was able to access the Internet from the browser in the EC2 instance.
However, I am not convinced that all the ports should be opened to use a browser on an EC2 instance in the public subnet. Is there a better way to do this?
Can I consider setting up a forward proxy server as a solution for browser-based outgoing traffic as in this case? Please suggest.
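As an added example that is not part of this thread, the following Python models how a network ACL evaluates a flow. Unlike a security group, a NACL is stateless: the reply packets of an HTTPS request the instance makes arrive as inbound TCP traffic whose destination is the instance's ephemeral port, which the inbound rule set in point (e) never allows. The rule sets are constructed from the question; the remote address 203.0.113.10 and the local port 50123 are placeholders. It also shows why an inbound allow for the 1024-65535 ephemeral range is narrower than the ALL TCP rule that was added.

```python
# Added example (not from the thread): first-match, stateless evaluation of NACL rules.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    number: int      # rules are evaluated in ascending order; first match wins
    proto: str       # "tcp", "udp" or "all"
    port_from: int   # destination-port range for this direction
    port_to: int
    cidr: str        # remote address range (source for inbound, destination for outbound)
    allow: bool

def evaluate(rules, proto, dst_port, remote_ip):
    """True if the first matching rule allows the packet; the implicit final '*' rule denies."""
    for r in sorted(rules, key=lambda r: r.number):
        if (r.proto in ("all", proto) and r.port_from <= dst_port <= r.port_to
                and ip_address(remote_ip) in ip_network(r.cidr)):
            return r.allow
    return False

def client_flow_permitted(inbound, outbound, remote_ip, remote_port, local_port):
    """A stateless ACL must allow both halves of a connection the instance initiates:
    the request (outbound, matched on the remote port) and the reply (inbound, matched on
    the instance's ephemeral local port). Security groups track state; NACLs do not."""
    return (evaluate(outbound, "tcp", remote_port, remote_ip)
            and evaluate(inbound, "tcp", local_port, remote_ip))

# Rule sets constructed from point (e) and the final edit of the question.
INBOUND_AS_ASKED = [Rule(100, "tcp", 80, 80, "0.0.0.0/0", True),
                    Rule(110, "tcp", 443, 443, "0.0.0.0/0", True),
                    Rule(120, "tcp", 22, 22, "0.0.0.0/0", True),
                    Rule(130, "tcp", 3389, 3389, "0.0.0.0/0", True)]
OUTBOUND_ALL = [Rule(100, "all", 0, 65535, "0.0.0.0/0", True)]
ALL_TCP_FIX = Rule(140, "tcp", 0, 65535, "0.0.0.0/0", True)        # what the asker added
EPHEMERAL_FIX = Rule(140, "tcp", 1024, 65535, "0.0.0.0/0", True)   # narrower: reply ports only

if __name__ == "__main__":
    web = ("203.0.113.10", 443, 50123)   # placeholder remote host, HTTPS, an ephemeral local port
    print("as asked:", client_flow_permitted(INBOUND_AS_ASKED, OUTBOUND_ALL, *web))                   # False
    print("ephemeral:", client_flow_permitted(INBOUND_AS_ASKED + [EPHEMERAL_FIX], OUTBOUND_ALL, *web))  # True
    # the narrower rule still leaves unrelated low ports (e.g. SMB 445) closed from the internet
    print("445 with ALL TCP:", evaluate(INBOUND_AS_ASKED + [ALL_TCP_FIX], "tcp", 445, "203.0.113.10"))     # True
    print("445 with ephemeral:", evaluate(INBOUND_AS_ASKED + [EPHEMERAL_FIX], "tcp", 445, "203.0.113.10"))  # False
```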

Access localhost ( running on Mac OS X ) from another machine in the network

I have a REST service running on Mac OS X, which I'm currently accessing using "localhost:8888" and "10.0.2.2:8888".
I want to access the same service from another computer which is in the same network.
I disabled the firewall also and I typed
nc -v 192.168.1.3 8888
and got the result
nc: connectx to 192.168.1.3 port 8888 (tcp) failed: Connection refused
Currently I use localhost (to access using a Java application) and 10.0.2.2 (to access using an Android application that runs in the simulator), both of which run on the same machine the server runs on too.
I want to put the Android application on my phone and give it the machine's IP address (because if I connect to the internet via Wi-Fi, it'll be in the same local area network); I should then be able to access my service running on my machine.
Can someone please tell me what I'm doing wrong here? Thank you
You can't access localhost from your front end code. It needs to refer to the server's name or address.
The localhost address should be 127.0.0.1, which is in the loopback range of addresses. Any address in the 127.0.0.0/8 block can never appear anywhere on any network, nor can any address in that block be used as a source or destination address outside a host. It is not possible for one host to access anything in that address range on another host.
This goes back at least as far as RFC 990, ASSIGNED NUMBERS:
The class A network number 127 is assigned the "loopback" function, that is, a datagram sent by a higher level protocol to a network 127 address should loop back inside the host. No datagram "sent" to a network 127 address should ever appear on any network anywhere.
RFC 1122, Requirements for Internet Hosts -- Communication Layers:
(g) { 127, }
Internal host loopback address. Addresses of this form MUST NOT appear outside a host.
Also RFC 3330, Special-Use IPv4 Addresses:
127.0.0.0/8 - This block is assigned for use as the Internet host loopback address. A datagram sent by a higher level protocol to an address anywhere within this block should loop back inside the host. This is ordinarily implemented using only 127.0.0.1/32 for loopback, but no addresses within this block should ever appear on any network anywhere [RFC1700, page 5].

Can I create an Apache server and use No-IP (or similar) in Windows to host a site?

The title says almost everything. I want to use apache under windows and then redirect one or more domains to my computer using a service like No-IP. Is it possible?
Yes, you just need to set up port forwarding to your local machine (port 80 for HTTP, 443 for SSL, 21 for FTP (if you want to run an FTP server as well)) on your router, and set up dynamic DNS there that points to No-IP. Most likely you can add one DynDNS entry.
Yes.
You don't even need a Dynamic DNS service (like no-ip) if you have a static IP address. In that case, just register a domain name and create two DNS records -
NAME TYPE VALUE
example.com. A public.ip.address.here
www.example.com. CNAME example.com.
Most ISPs now assign static IPs (even if they claim otherwise), and if not, you can get one for a small fee ($5/month extra). Or upgrade your account to business class.
This way you don't have to introduce another layer (Dynamic DNS) into your set up.
Then install a WAMP such as:
- XAMPP (really popular here)
- UniformServer
- Wamp-Developer Pro (the one I use)
- WampServer (another good one)
You'll also need to port-forward your router (ports 80 and 443) to the LAN IP, and create two rules in the Windows Firewall to unblock incoming port 80 and 443 requests.
The only thing that can go wrong is if your ISP blocks incoming port 80 (http) and 443 (https) requests. You can call and get them to unblock that, or again, update the account to business class to remove all the headaches.
