2
votes

I have been using the GCE for about a year now, and have not run into this problem before. The VM is CentOS, has services running on http, smtp, pop3, pop3s, a few others. It has a static IP address assigned as well.

This morning, the VM was rebooted and when it came back up, no external connections were getting through. The GCE firewall rules have not changed:

Ubuntu:~$ gcloud compute firewall-rules list
NAME                   NETWORK SRC_RANGES RULES                        SRC_TAGS TARGET_TAGS
default-allow-http     default 0.0.0.0/0  tcp:80                                http-server
default-allow-https    default 0.0.0.0/0  tcp:443                               https-server
default-allow-internal default 10.0.0.0/8 tcp:1-65535,udp:1-65535,icmp
default-ssh            default 0.0.0.0/0  tcp:22
http2                  default 0.0.0.0/0  tcp:80
https                  default 0.0.0.0/0  tcp:443
msa                    default 0.0.0.0/0  tcp:587
pop3                   default 0.0.0.0/0  tcp:110
pop3s                  default 0.0.0.0/0  tcp:995
smtp                   default 0.0.0.0/0  tcp:25
smtps                  default 0.0.0.0/0  tcp:465

I shut down the VM, created a new temporary VM and mounted the boot disk from the VM into the temporary VM to read through the log files, but didn't find any errors; it appeared everything was starting up correctly.

I read somewhere that there was an issue at one time with iptables creating some restrictive rules by accident, and I noticed that iptables was indeed running (though it might have been running all this time, not sure), so I disabled it.

Local services appear to be listening:

[root@]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State      
tcp        0      0 0.0.0.0:465                 0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:993                 0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:995                 0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:587                 0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:110                 0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:143                 0.0.0.0:*                   LISTEN

And I can connect from the temporary VM via the internal network:

[repair ~]$ telnet 10.240.26.51 995
Trying 10.240.26.51...
Connected to 10.240.26.51.
Escape character is '^]'.
^]

So, connecting via the internal network works fine, but connecting from anywhere outside via the static IP does not work. Any ideas of what I might have missed? 1) Services appear to be listening on the server, 2) Server firewall should (now) be off, though was on before, 3) GCE firewall rules should be allowing external traffic, 4) But no dice on getting a connection in, not even using: gcloud compute ssh

1
Interestingly: In the temporary VM I created, which uses the same GCE firewall rules, I installed and started up apache, and I could access it from the external IP. I then wondered if it had something to do with my static IP I had with my VM (though I've been using this static IP for a year now with no problems). I restarted my VM with a new static IP, and now everything works fine, I can connect to all services from the outside world. Why in the world does my old static IP not work anymore?? - J_Hopper

Having a similar problem. I can ping the instance from the outside at the static IP, but cannot connect, e.g. via "nc". Can log in via Browser-SSH from console. - Dr. Max Völkel

Switching back to using an ephemeral IP did not solve the problem. - Dr. Max Völkel

1 Answer

1
votes

Well, very odd, but it turns out that the IP I've been using from Google as a static IP for my VM simply doesn't work (or route?) anymore. Hope this helps somebody else who may come across this issue: if you have checked everything and you still can't get connections from outside, try checking that your static IP actually works.
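
The first two checks in the question (GCE firewall rules and listening sockets) can be compared mechanically before suspecting the address itself. The script below is an added example, not part of the original posts: it parses the two outputs pasted in the question (whitespace collapsed) and reports ports that listen without an externally sourced rule, and ports with a rule but no listener in the netstat output as shown. It assumes rules carrying a tag do not apply, since the VM's tags are not shown; the function names are illustrative.

```python
import re
# Outputs copied from the question above, with runs of spaces collapsed.
FIREWALL_LIST = """\
NAME NETWORK SRC_RANGES RULES SRC_TAGS TARGET_TAGS
default-allow-http default 0.0.0.0/0 tcp:80 http-server
default-allow-https default 0.0.0.0/0 tcp:443 https-server
default-allow-internal default 10.0.0.0/8 tcp:1-65535,udp:1-65535,icmp
default-ssh default 0.0.0.0/0 tcp:22
http2 default 0.0.0.0/0 tcp:80
https default 0.0.0.0/0 tcp:443
msa default 0.0.0.0/0 tcp:587
pop3 default 0.0.0.0/0 tcp:110
pop3s default 0.0.0.0/0 tcp:995
smtp default 0.0.0.0/0 tcp:25
smtps default 0.0.0.0/0 tcp:465
"""
NETSTAT = """\
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN
"""

def external_tcp_ports(fw_text):
    """TCP ports opened to 0.0.0.0/0 by rules that carry no tag."""
    ports = set()
    for row in fw_text.splitlines():
        cols = row.split()
        # Assumption: a fifth column is a tag, so the rule may not apply to this VM.
        if len(cols) != 4 or cols[2] != "0.0.0.0/0":
            continue
        for lo, hi in re.findall(r"tcp:(\d+)(?:-(\d+))?", cols[3]):
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def listening_tcp_ports(netstat_text):
    """Ports in LISTEN state bound to a non-loopback address."""
    found = re.findall(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN", netstat_text, re.M)
    return {int(port) for addr, port in found if not addr.startswith("127.")}

def compare(fw_text, netstat_text):
    allowed, listening = external_tcp_ports(fw_text), listening_tcp_ports(netstat_text)
    return {"listening_without_rule": sorted(listening - allowed),
            "rule_without_listener": sorted(allowed - listening)}
```

Every port the asker tested (22, 995) appears on both sides, so the rules and the listeners agree for those ports and the remaining suspect is the external address, which is where the answer ended up.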