Opening Ports in Linux 7 Firewalls for Oracle Analytics Cloud Access to Database and Remote Data Connectivity Listeners

June 26, 2019 | 4 minute read

Note: Private Access Channel is now available in Oracle Analytics and is recommended by Oracle for new connections to private data sources. For more information on the feature and the data sources it supports, refer to:

  • Connect to Private Data Sources Through a Private Access Channel

  • Supported Data Sources

  • A-Team Chronicles Private Access Channel Series

Introduction

This post describes using Linux 7 firewall commands to view and open ports in a compute instance running on Oracle Cloud Infrastructure (OCI). This is one of the steps to allow access from client applications such as Oracle Analytics Cloud (OAC).

This may be useful when setting up Oracle Analytics Cloud access to databases through Remote Data Gateway (RDG) or Remote Data Connector (RDC), or when accessing a database hosted within a compute instance. It does not apply to database cloud services provisioned in OCI.

Access to a database, RDG or RDC listener requires both an ingress rule in a security list of the Virtual Cloud Network (VCN) and an open port in a Linux firewall.

Updates

Published on June 26, 2019

Versions

Linux 7.2 / 7.7

Topics

  • Before you Begin

  • Viewing and Creating Ingress Rules

  • Viewing and Opening Ports in the Firewall

Before you Begin

In this post, the term "instance" refers to the Linux instance hosting a database, RDC, or RDG.

Overview

Requests from OAC are routed first to the VCN hosting the instance and then to the Linux instance hosting the listener.

The following diagram depicts successful and unsuccessful requests using two compute instances in a VCN. It assumes that an ingress rule exists and that the listener port is 1521.


Port Defaults

Compute instance firewalls by default are created without listener ports opened. Only the Secure Shell (SSH) port 22 is open.

In contrast, the firewalls in Linux instances hosting database cloud services have the default listener port (1521) open.

Prerequisites

Opening a port in a compute instance firewall requires the following:

  • Oracle Cloud Account URL, credentials and privileges to view the VCN hosting the database.

  • The IP address or host name of the compute instance.

  • The port number(s) used by the listener.

  • The SSH private key associated with the instance's public key.

  • An SSH utility to access the instance.

Viewing and Creating Ingress Rules

Viewing and creating ingress rules are not covered in this post. Refer to Security Lists for detailed instructions on viewing and creating ingress rules.

An ingress rule for port 1521 should look similar to this:

Note: The above example allows access from anywhere and should never be used in a production setting.

Viewing and Opening Ports in the Firewall

To view and change Linux firewall settings, use an SSH utility to connect to the Linux instance as the opc user. This requires the IP address or host name of the instance and the private key. A native ssh command may look like:

ssh -i < private key path >  opc@< IP address or host name >

Switch to the root user:

sudo su -

Viewing the Open Firewall Ports and Services

Note: This post does not cover the topic of firewall zones. The default zone is assumed for all commands.

To view the open ports use:

firewall-cmd --list-ports

If a port is not listed, it may be open via a service. To view open services use:

firewall-cmd --list-services

Example Result: ssh dhcpv6-client

To find a port associated with a service:

cat /etc/services | grep ssh

Example Result: ssh             22/tcp                          # The Secure Shell (SSH) Protocol

To find whether a port is associated with a service:

cat /etc/services | grep 1521

Example Result: ncube-lm        1521/tcp                # nCube License Manager

Opening a Port in the Firewall

To open a port in the currently running instance use:

firewall-cmd --add-port=<port>/<protocol>

For example:

firewall-cmd --add-port=1521/tcp

To keep the port open across future restarts of the instance, add the --permanent option. A --permanent change is written to the saved configuration only and does not alter the running firewall by itself, so run both commands (or run the permanent command followed by firewall-cmd --reload).

firewall-cmd --permanent --add-port=1521/tcp
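The checks above (is the port listed by firewall-cmd --list-ports, or implied by a service from firewall-cmd --list-services whose /etc/services entry carries that port/protocol) as a small script; this is an added example, not code from the original post. The function takes the command output as text so it runs without root or firewalld; the /etc/services excerpt and firewall-cmd outputs below are constructed, and on a live instance you would pass "$(firewall-cmd --list-ports)", "$(firewall-cmd --list-services)" and "$(cat /etc/services)" instead.

```shell
#!/bin/sh
# port_is_open PORT PROTO "<list-ports output>" "<list-services output>" "<services text>"
# Returns 0 when the port is open (directly or via a service), 1 when it is not.
port_is_open() {
  port=$1 proto=$2 ports_out=$3 services_out=$4 services_text=$5
  # 1. Opened directly: --list-ports prints entries such as "1521/tcp".
  for p in $ports_out; do
    [ "$p" = "$port/$proto" ] && return 0
  done
  # 2. Opened via a service: resolve each listed service name through the
  #    /etc/services-style text (name, port/protocol, optional comment).
  for svc in $services_out; do
    if printf '%s\n' "$services_text" | awk -v s="$svc" -v pp="$port/$proto" \
         '$1 !~ /^#/ && $1 == s && $2 == pp { found = 1 } END { exit !found }'
    then
      return 0
    fi
  done
  return 1
}

# Same check, reported as a word so scripts can compare it.
firewall_status() {
  if port_is_open "$@"; then echo open; else echo closed; fi
}

# Constructed /etc/services excerpt in the real file's column layout.
SERVICES_TEXT='# service-name  port/protocol                   # comment
ssh             22/tcp                          # The Secure Shell (SSH) Protocol
ssh             22/udp                          # The Secure Shell (SSH) Protocol
ncube-lm        1521/tcp                        # nCube License Manager'

# Constructed firewall-cmd output for a fresh compute instance (only ssh open) ...
FRESH_PORTS=''
FRESH_SERVICES='ssh dhcpv6-client'
# ... and for the same instance after `firewall-cmd --add-port=1521/tcp`.
OPENED_PORTS='1521/tcp'

# Stand-alone demo: ssh is open via a service, 1521 only after --add-port.
echo "22/tcp   fresh : $(firewall_status 22 tcp "$FRESH_PORTS" "$FRESH_SERVICES" "$SERVICES_TEXT")"
echo "1521/tcp fresh : $(firewall_status 1521 tcp "$FRESH_PORTS" "$FRESH_SERVICES" "$SERVICES_TEXT")"
echo "1521/tcp opened: $(firewall_status 1521 tcp "$OPENED_PORTS" "$FRESH_SERVICES" "$SERVICES_TEXT")"
```

Note that firewalld resolves a service name from its own XML definitions under /usr/lib/firewalld/services/ (overridable in /etc/firewalld/services/), not from /etc/services, so the /etc/services lookup used here and in the post is only a hint about which port a service name usually means.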

Summary

This post described using Linux 7 firewall commands to view and open ports in a compute instance running on Oracle Cloud Infrastructure (OCI).

For more information on firewall-cmd, see the firewall-cmd documentation.

For other posts relating to analytics and data integration visit http://www.ateam-oracle.com/dayne-carley

Dayne Carley
