0
votes

I'm trying to get Apache working on a GCE instance.

Following GCE's Quickstart guide, I did the following:

  1. Created instance "my-instance" in "my-project" (CentOS image)
  2. Installed httpd, verified it's running
  3. Added the following firewall rule:

    gcutil addfirewall http2 --description="Incoming http allowed." --allowed="tcp:http"

    and did the same for HTTPS and ICMP

  4. Verified through gce gui that these rules were added to default network

I can ping my instance's IP address but I can't get an HTTP response. I've tried through the browser, from a curl command - no dice. And it works fine when on localhost so I know Apache is returning the index.html page.

When I use curl from a remote host, the error is:

    curl: (7) Failed connect to (instance ip addr):80; Connection refused

Thoughts?

1
If you go to the Cloud Console (cloud.google.com/console), navigate to your project, Compute Engine, Networks and then click on the "default" network, is your http2 rule listed? - IanGSY
Yes - I can see it through the console for default network. I can also verify it via the command line. - spinsf
I have also tried deleting the rule and recreating it. Same problem - can see it on the console but cannot get it to respond to HTTP requests. - spinsf
Are you definitely connecting to the correct IP? Are you using the IP shown at the bottom of the output from the command: gcutil getinstance instancename - IanGSY
Is httpd listening only on 127.0.0.1? Have a look with "sudo netstat -tpln" - Benson

1 Answer

1
votes

I did some experiments to replicate this. In short, I believe HTTP port 80 may be blocked by iptables firewall rules on the local CentOS instance. This appears to be the default behavior.

I have a GCE firewall rule set up to allow port 80 traffic to all instances. I created a CentOS-based image via the Cloud Console (which is indeed using the v1 API). I logged in via SSH and started a web server on port 80. I was not able to hit the web server from my laptop. However, I was also not able to hit it from another instance in my project. This led me to suspect a firewall local to the instance rather than Compute Engine's firewall.

I ran this command (which drops the default reject of all ports for testing - this is unsafe to do for machines which are directly exposed to the internet):

    $ sudo iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited

After running that, I was able to hit my webserver from both another instance and my laptop. Note that this change is lost after restarting the instance. I don't know the correct procedure for changing the default firewall rules on CentOS.

Please try a similar experiment on your instances, especially try to hit the web server from another Compute Engine instance, since service level firewalls do not block traffic between instances on the same network.
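
The check below is an added example, not part of the original answer: it reads rules in `iptables -S INPUT` format and reports which rule decides a new TCP connection to a given port, which shows whether an allow rule sits ahead of the catch-all REJECT the answer deletes. The function names and the sample ruleset are constructed for illustration, and the parser assumes only simple `--dport` rules and unconditional rules matter.

```shell
#!/bin/sh
# Added example (not from the original answer).
# first_verdict PORT: reads `iptables -S INPUT` output on stdin and prints the
# target and position of the first rule that decides a new TCP connection to PORT.
# Simplification (assumption): only "-p tcp --dport N" rules and unconditional
# rules are evaluated; rules limited by -s, -d or -i are skipped.
first_verdict() {
    awk -v port="$1" '
        $1 == "-P" && $2 == "INPUT" { policy = $3; next }
        $1 != "-A" || $2 != "INPUT" { next }
        {
            n++                                   # position in the INPUT chain
            target = proto = dport = ""; narrow = 0
            for (i = 3; i <= NF; i++) {
                if      ($i == "-j")      target = $(i + 1)
                else if ($i == "-p")      proto  = $(i + 1)
                else if ($i == "--dport") dport  = $(i + 1)
                else if ($i == "-s" || $i == "-d" || $i == "-i") narrow = 1
            }
            catchall = ($3 == "-j")               # rule has no match criteria
            hit = (proto == "tcp" && dport == port && !narrow)
            if ((catchall || hit) && target ~ /^(ACCEPT|REJECT|DROP)$/) {
                print target, n; done = 1; exit
            }
        }
        END { if (!done) print "POLICY:" policy, 0 }   # fell through to policy
    '
}

# Constructed sample ruleset (not captured from a real instance); its last
# rule is the REJECT that the answer removes with `iptables -D`.
sample_rules() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}

sample_rules | first_verdict 80    # REJECT 5
sample_rules | first_verdict 22    # ACCEPT 4
```

On an instance the input would come from `sudo iptables -S INPUT | first_verdict 80`. If that reports REJECT at position N, inserting the allow rule at that position with `sudo iptables -I INPUT N -p tcp --dport 80 -j ACCEPT` places it ahead of the reject without deleting the reject.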