
Best Practices from Oracle Development's A‑Team

Opening Ports in Linux 7 Firewalls for Oracle Analytics Cloud Access to Database and Remote Data Connectivity Listeners

Introduction

This post describes using Linux 7 firewall commands to view and open ports in a compute instance running on Oracle Cloud Infrastructure (OCI). This is one of the steps to allow access from client applications such as Oracle Analytics Cloud (OAC).

This is useful when setting up Oracle Analytics Cloud access to databases through Remote Data Gateway (RDG) or Remote Data Connector (RDC), or when accessing a database that runs inside a compute instance. It does not apply to database cloud services provisioned in OCI, whose firewalls are managed for you.

Access to a database, RDG or RDC listener requires both an ingress rule in a security list of the Virtual Cloud Network (VCN) and an open port in a Linux firewall.

Updates

Published on June 26, 2019

Versions

Linux 7.2

Topics

  • Before you Begin

  • Viewing and Creating Ingress Rules

  • Viewing and Opening Ports in the Firewall

Before you Begin

In this post, the term "instance" refers to the Linux instance hosting a database, RDC, or RDG.

Overview

Requests from OAC first pass the security list of the VCN hosting the instance and then the Linux firewall on the instance hosting the listener. A request is blocked if either check fails.

The following diagram depicts successful and unsuccessful requests using two compute instances in a VCN. It assumes an ingress rule exists and that the listener ports are 1521.


Port Defaults

By default, the firewall of a compute instance has no listener ports open; only the Secure Shell (SSH) port, 22/tcp, is open.

In contrast, the firewalls of the Linux instances hosting database cloud services have the default listener port (1521) open.

Prerequisites

Opening a port in a compute instance firewall requires the following:

  • Oracle Cloud Account URL, credentials and privileges to view the VCN hosting the database.

  • The IP address or host name of the compute instance.

  • The port number(s) used by the listener.

  • The SSH private key associated with the instance's public key.

  • An SSH utility to access the instance.

Viewing and Creating Ingress Rules

Viewing and creating ingress rules are not covered in this post. Refer to Security Lists for detailed instructions on viewing and creating ingress rules.

An ingress rule for port 1521 has three relevant parts: the source CIDR, the IP protocol (TCP) and the destination port range (1521). The example rule in this post uses a source CIDR of 0.0.0.0/0, that is, access from anywhere.

NOTE. A rule that allows access from anywhere should never be used in a production setting. Restrict the source CIDR to the address range that actually needs to reach the listener.

Viewing and Opening Ports in the Firewall

To view and change the Linux firewall settings, use an SSH utility to connect to the Linux instance as the opc user. This requires the IP address or host name of the instance and the private key. A native ssh command looks like:

ssh -i <private key path> opc@<IP address or host name>

Switch to the root user:

sudo su -

Viewing the Open Firewall Ports and Services

Note: This post does not cover the topic of firewall zones. The default zone is assumed for all commands.

To view the open ports use:

firewall-cmd --list-ports

If a port is not listed, it may still be open through a service. To view the open services use:

firewall-cmd --list-services

Example Result: ssh dhcpv6-client

To find the port associated with a service, look the service name up in /etc/services:

grep ssh /etc/services

Example Result: ssh             22/tcp                          # The Secure Shell (SSH) Protocol

To find whether a port is associated with a service name:

grep 1521 /etc/services

Example Result: ncube-lm        1521/tcp                # nCube License Manager

Note that a match in /etc/services only tells you the conventional name for a port. A port is open through a service only if that service name appears in the --list-services output.

Opening a Port in the Firewall

To open a port in the running firewall use:

firewall-cmd --add-port=<port>/<protocol>

for example:

firewall-cmd --add-port=1521/tcp

This takes effect immediately but is lost when firewalld is reloaded or the instance restarts. To keep the port open across future restarts, repeat the command with the --permanent option:

firewall-cmd --permanent --add-port=1521/tcp

A --permanent change on its own does not alter the running firewall until firewalld is reloaded (firewall-cmd --reload), so run both commands: one for the running configuration and one for the saved configuration.
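The procedure above, checking the listed ports and services before opening a port and then applying both the runtime and the permanent change, put together as a script. This is an added example, not code from the original post or from Oracle: the check functions take the command output as arguments so they can be exercised without firewalld, and the sample data they are run against is constructed to mirror the example results shown above. The script name fwport.sh is an assumption.

```shell
#!/bin/bash
# Added example, not from the original post: decide whether a port is already
# open in firewalld's default zone (directly, or through a listed service),
# then open it in both the running and the permanent configuration.
# The check functions take command output as arguments so they run anywhere;
# only fw_open_port actually calls firewall-cmd and needs root.

# Constructed sample data (not captured from a real instance), mirroring the
# example results in the post: no explicit ports, ssh open via a service.
SAMPLE_LIST_PORTS=""
SAMPLE_LIST_SERVICES="ssh dhcpv6-client"
SAMPLE_SERVICES_DB='ssh             22/tcp                          # The Secure Shell (SSH) Protocol
ssh             22/udp                          # The Secure Shell (SSH) Protocol
ncube-lm        1521/tcp                # nCube License Manager
ncube-lm        1521/udp                # nCube License Manager'

# port_listed PORT/PROTO "<output of firewall-cmd --list-ports>"
# Succeeds when the port is opened explicitly.
port_listed() {
  local port_proto="$1" list_ports="$2" p
  for p in $list_ports; do
    [ "$p" = "$port_proto" ] && return 0
  done
  return 1
}

# port_via_service PORT/PROTO "<output of --list-services>" "<contents of /etc/services>"
# Succeeds when a listed service name maps to PORT/PROTO in /etc/services.
# Assumption: the firewalld service name equals the /etc/services name. That
# holds for ssh but not for every service, so treat "no" as "check further"
# (firewall-cmd --info-service=NAME shows what firewalld itself opens).
port_via_service() {
  local port_proto="$1" list_services="$2" services_db="$3" svc
  for svc in $list_services; do
    if printf '%s\n' "$services_db" |
       awk -v n="$svc" -v pp="$port_proto" \
           '$1 == n && $2 == pp { found = 1 } END { exit !found }'; then
      return 0
    fi
  done
  return 1
}

# port_open PORT/PROTO LIST_PORTS LIST_SERVICES SERVICES_DB
port_open() {
  port_listed "$1" "$2" || port_via_service "$1" "$3" "$4"
}

# fw_open_port PORT/PROTO: open the port unless it is already open.
# --add-port alone changes only the running firewall (lost on reload or
# reboot); --permanent alone changes only the saved configuration (no effect
# until reload or reboot). Doing both avoids a surprise in either direction.
fw_open_port() {
  local port_proto="$1"
  if port_open "$port_proto" "$(firewall-cmd --list-ports)" \
               "$(firewall-cmd --list-services)" "$(cat /etc/services)"; then
    echo "$port_proto is already open"
    return 0
  fi
  firewall-cmd --add-port="$port_proto" &&
    firewall-cmd --permanent --add-port="$port_proto" &&
    firewall-cmd --query-port="$port_proto"   # "yes" and exit 0 when open
}

# Usage: ./fwport.sh 1521/tcp   (as root, on the instance)
#        ./fwport.sh --demo     (offline, against the constructed sample data)
case "${1:-}" in
  --demo)
    for pp in 22/tcp 1521/tcp; do
      if port_open "$pp" "$SAMPLE_LIST_PORTS" "$SAMPLE_LIST_SERVICES" "$SAMPLE_SERVICES_DB"; then
        echo "$pp: open"
      else
        echo "$pp: closed"
      fi
    done ;;
  ?*) fw_open_port "$1" ;;
esac
```

Against the sample data the demo reports 22/tcp open (through the ssh service) and 1521/tcp closed, which is exactly the state of a fresh compute instance described under Port Defaults. The --query-port call at the end is the check to keep: it confirms what the running firewall actually does rather than what was asked of it.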

Summary

This post described using Linux 7 firewall commands to view and open ports in a compute instance running on Oracle Cloud Infrastructure (OCI).

For more information on firewall-cmd, see the firewall-cmd documentation.

For other posts relating to analytics and data integration visit http://www.ateam-oracle.com/dayne-carley
