Note: Private Access Channel is now available in Oracle Analytics and is recommended by Oracle for new connections to private data sources. For more information on the feature and the data sources it supports, refer to:
Connect to Private Data Sources Through a Private Access Channel
Supported Data Sources
A-Team Chronicles Private Access Channel Series
This post describes using Linux 7 firewall commands to view and open ports in a compute instance running on Oracle Cloud Infrastructure (OCI). This is one of the steps to allow access from client applications such as Oracle Analytics Cloud (OAC).
This may be useful when setting up Oracle Analytics Cloud access to databases through Remote Data Gateway (RDG) or Remote Data Connector (RDC), or when accessing a database contained within a compute instance. It does not apply to database cloud services provisioned in OCI.
Access to a database, RDG or RDC listener requires both an ingress rule in a security list of the Virtual Cloud Network (VCN) and an open port in a Linux firewall.
Published on June 26, 2019
Linux 7.2 / 7.7
Before you Begin
Viewing and Creating Ingress Rules
Viewing and Opening Ports in the Firewall
In this post, the term "instance" refers to the Linux instance hosting a database, RDC, or RDG.
Requests from OAC are routed first to the VCN hosting the instance, where the security list ingress rules are evaluated, and then to the Linux instance hosting the listener, where the host firewall is evaluated. A request must pass both.
The following diagram (not reproduced here) depicts successful and unsuccessful requests using two compute instances in a VCN. It assumes an ingress rule exists and that the listener port on each instance is 1521.
Port Defaults
Compute instance firewalls are created by default without any listener ports opened. Only the Secure Shell (SSH) port 22 is open (together with the dhcpv6-client service).
In contrast, the firewalls in Linux instances hosting database cloud services have the default listener port (1521) open.
Prerequisites
Opening a port in a compute instance firewall requires the following:
Oracle Cloud Account URL, credentials and privileges to view the VCN hosting the database.
The IP address or host name of the compute instance.
The port number(s) used by the listener.
The SSH private key associated with the instance's public key.
An SSH utility to access the instance.
Viewing and creating ingress rules are not covered in this post. Refer to Security Lists for detailed instructions on viewing and creating ingress rules.
An ingress rule for port 1521 should look similar to this (screenshot not reproduced here): a stateful rule for TCP destination port 1521 with a source CIDR of 0.0.0.0/0.
NOTE: The above example allows access from anywhere and should never be used in a production setting. Restrict the source CIDR to the addresses that actually need to reach the listener.
To view and open Linux firewall settings, use an SSH utility to connect to the Linux instance as the opc user. This requires the IP address or host name of the instance and the private key. A native ssh command looks like:
ssh -i <private-key-path> opc@<ip-address-or-host-name>
Switch to the root user:
sudo su -
Note: This post does not cover the topic of firewall zones. The default zone is assumed for all commands.
To view the open ports use:
firewall-cmd --list-ports
If a port is not listed, it may still be open because a firewalld service that covers it is enabled. To view the enabled services use:
firewall-cmd --list-services
Example Result: ssh dhcpv6-client
To find the port associated with a service name, match the name as a whole word in /etc/services:
grep -w ssh /etc/services
Example Result: ssh 22/tcp # The Secure Shell (SSH) Protocol
To find whether a port is associated with a service name:
grep -w 1521 /etc/services
Example Result: ncube-lm 1521/tcp # nCube License Manager
Note that /etc/services is only a name lookup table; a firewalld service with the same name (ssh, dhcpv6-client) is defined separately by firewalld and may cover additional ports.
To open a port in the currently running firewall use firewall-cmd --add-port=<port>/<protocol>, for example:
firewall-cmd --add-port=1521/tcp
This change is lost when firewalld restarts. To make the port open across restarts of the instance, repeat the command with the --permanent option:
firewall-cmd --permanent --add-port=1521/tcp
The --permanent option only writes the saved configuration and does not touch the running firewall, so run both commands (or reload firewalld after the permanent change). Re-run firewall-cmd --list-ports afterwards to confirm the port is listed.
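The following POSIX shell script is an added example, not code from the original post. It captures the checks above in reusable functions: port_is_open() reports whether a port is already reachable, either as an explicit port or through an enabled service whose /etc/services entry maps to it, and open_port_cmds() prints the runtime and permanent firewall-cmd commands, optionally as a rich rule restricted to a source CIDR so the host firewall does not mirror the allow-from-anywhere ingress rule. The firewalld output and /etc/services content are constructed sample strings, and 10.0.1.0/24 is a hypothetical subnet standing in for the RDG/RDC or OAC clients.

```shell
#!/bin/sh
# Added example, not code from the original post: decide whether a port is
# already reachable through the firewalld default zone and print the
# firewall-cmd commands that would open it. firewalld and /etc/services
# output is passed in as strings so the logic runs offline; on an instance,
# feed it "$(firewall-cmd --list-ports)" and friends as root.

# port_is_open PORT PROTO LIST_PORTS LIST_SERVICES ETC_SERVICES
#   LIST_PORTS    output of `firewall-cmd --list-ports`    (e.g. "1521/tcp 8080/tcp")
#   LIST_SERVICES output of `firewall-cmd --list-services` (e.g. "ssh dhcpv6-client")
#   ETC_SERVICES  contents of /etc/services
# Returns 0 when PORT/PROTO is open, either explicitly or through a listed
# service whose /etc/services entry maps to PORT/PROTO; otherwise returns 1.
port_is_open() {
  local port=$1 proto=$2 ports=$3 services=$4 svcfile=$5 p svc
  for p in $ports; do
    [ "$p" = "$port/$proto" ] && return 0
  done
  for svc in $services; do
    # /etc/services lines look like: "ssh   22/tcp   # The Secure Shell (SSH) Protocol"
    if printf '%s\n' "$svcfile" | awk -v s="$svc" -v pp="$port/$proto" \
        '$1 == s && $2 == pp { found = 1 } END { exit !found }'; then
      return 0
    fi
  done
  return 1
}

# open_port_cmds PORT PROTO [SOURCE_CIDR]
# Prints the two commands that open PORT/PROTO in the running firewall and in
# the saved configuration. With SOURCE_CIDR, a rich rule limited to that
# source is printed instead of a bare --add-port.
open_port_cmds() {
  local port=$1 proto=$2 src=${3:-} rule
  if [ -n "$src" ]; then
    rule="rule family=\"ipv4\" source address=\"$src\" port port=\"$port\" protocol=\"$proto\" accept"
    printf "firewall-cmd --add-rich-rule='%s'\n" "$rule"
    printf "firewall-cmd --permanent --add-rich-rule='%s'\n" "$rule"
  else
    printf 'firewall-cmd --add-port=%s/%s\n' "$port" "$proto"
    printf 'firewall-cmd --permanent --add-port=%s/%s\n' "$port" "$proto"
  fi
}

# Constructed sample input: what a fresh OCI compute instance reports (no
# explicit ports, only the ssh and dhcpv6-client services) and a trimmed
# /etc/services.
SAMPLE_PORTS=""
SAMPLE_SERVICES="ssh dhcpv6-client"
SAMPLE_ETC_SERVICES='# service-name  port/protocol  [aliases ...]   [# comment]
ssh             22/tcp                          # The Secure Shell (SSH) Protocol
dhcpv6-client   546/udp
ncube-lm        1521/tcp                        # nCube License Manager
ncube-lm        1521/udp                        # nCube License Manager'

# Walk the listener ports we care about and print what (if anything) to run.
# 10.0.1.0/24 is a hypothetical subnet hosting the RDG/RDC or OAC clients.
for spec in 22/tcp 1521/tcp; do
  port=${spec%/*}; proto=${spec#*/}
  if port_is_open "$port" "$proto" "$SAMPLE_PORTS" "$SAMPLE_SERVICES" "$SAMPLE_ETC_SERVICES"; then
    echo "$spec: already open"
  else
    echo "$spec: closed; as root run:"
    open_port_cmds "$port" "$proto" 10.0.1.0/24
  fi
done
```

On an instance, run it as root and substitute "$(firewall-cmd --list-ports)", "$(firewall-cmd --list-services)" and "$(cat /etc/services)" for the sample strings, execute the printed commands, and re-run firewall-cmd --list-ports (or --list-rich-rules) to confirm. Matching service names against /etc/services is the heuristic the post uses; firewalld's own service definitions are authoritative, and firewall-cmd --info-service=<name> prints the ports a service actually covers. Opening a port also does not make anything listen on it, so confirm the database, RDG or RDC listener is bound to the port (for example with ss -ltn) before blaming the firewall.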
This post described using Linux 7 firewall commands to view and open ports in a compute instance running on Oracle Cloud Infrastructure (OCI).
For more information on firewall-cmd, see the firewall-cmd documentation (the firewall-cmd(1) man page).
For other posts relating to analytics and data integration visit http://www.ateam-oracle.com/dayne-carley