There are 2 parts to do. The first is to make sure the Ubuntu (or any Linux) OS firewall allows ICMP ping. Ubuntu uses iptables.
1st part: Allow Ping from Outside to Inside
Type in the following commands:
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
sudo iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
Then list the firewall rules to verify that they were added:
ubuntu@ubuntuwp:~$ sudo iptables -L
A sample of the output is as follows. The 2 rules added by the commands above are the "icmp echo-request" line at the end of the INPUT chain and the "icmp echo-reply" line at the end of the OUTPUT chain.
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:ntp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT icmp -- anywhere anywhere icmp echo-request
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
InstanceServices all -- anywhere link-local/16
ACCEPT icmp -- anywhere anywhere icmp echo-reply
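One thing worth checking in that listing is rule order. iptables evaluates a chain top to bottom and stops at the first terminating match, and `iptables -A` appends at the end of the chain. In the sample above the INPUT chain already contains a catch-all "REJECT all" rule, so the appended "icmp echo-request" rule sits behind it and is never reached; ping works on this host only because of the earlier "ACCEPT icmp" rule. (`iptables -I INPUT ...` would insert at the top of the chain instead.) The following script is an added example, not part of the original post: it parses the post's own sample `iptables -L` output, embedded here as a string, and reports which echo-request ACCEPT rules in the INPUT chain are reachable and which are shadowed by a preceding catch-all REJECT or DROP.

```python
"""Check whether the ICMP ACCEPT rules in an `iptables -L` listing are reachable.

Added example (not from the original post). The listing below is the sample
output reproduced in the post; the parser and the reachability check are this
example's own and assume the plain `iptables -L` column layout (no -v / -n).
"""
from dataclasses import dataclass

# Sample `sudo iptables -L` output copied from the post.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:ntp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT icmp -- anywhere anywhere icmp echo-request
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
InstanceServices all -- anywhere link-local/16
ACCEPT icmp -- anywhere anywhere icmp echo-reply
"""


@dataclass
class Rule:
    target: str
    proto: str
    source: str
    dest: str
    extra: str  # match options or target options printed after the 5 fixed columns

    def is_catch_all_block(self) -> bool:
        """A REJECT/DROP on every protocol and address with no match options.

        Every packet that reaches such a rule stops there, so rules appended
        after it are dead. "reject-with ..." is a target option, not a match.
        """
        return (self.target in ("REJECT", "DROP") and self.proto == "all"
                and self.source == "anywhere" and self.dest == "anywhere"
                and (self.extra == "" or self.extra.startswith("reject-with")))

    def accepts_echo_request(self) -> bool:
        """True if the rule would ACCEPT an ICMP echo-request packet."""
        if self.target != "ACCEPT" or self.proto != "icmp":
            return False
        # No ICMP type given means every ICMP type; otherwise it must name echo-request.
        return self.extra == "" or "echo-request" in self.extra.split()


def parse_listing(text: str) -> dict[str, list[Rule]]:
    """Split an `iptables -L` listing into chains, each a list of Rule."""
    chains: dict[str, list[Rule]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        if line.startswith("target "):  # column header line
            continue
        fields = line.split()
        if current is None or len(fields) < 5:
            continue
        # Columns: target prot opt source destination [extra...]; opt is skipped.
        chains[current].append(Rule(fields[0], fields[1], fields[3], fields[4],
                                    " ".join(fields[5:])))
    return chains


def echo_request_rules(chains: dict[str, list[Rule]], chain: str = "INPUT"):
    """Return (position, description, reachable) for each echo-request ACCEPT rule.

    A rule is unreachable once a catch-all REJECT/DROP precedes it in the chain,
    which is what happens when `iptables -A` appends behind such a rule.
    """
    blocked = False
    result = []
    for pos, rule in enumerate(chains.get(chain, []), start=1):
        if rule.accepts_echo_request():
            result.append((pos, rule.extra or "icmp (all types)", not blocked))
        if rule.is_catch_all_block():
            blocked = True
    return result


def ping_reachable(chains: dict[str, list[Rule]]) -> bool:
    """True if at least one reachable INPUT rule accepts echo-request."""
    return any(ok for _, _, ok in echo_request_rules(chains))


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for pos, desc, ok in echo_request_rules(parsed):
        print(f"INPUT rule {pos}: {desc}: {'reachable' if ok else 'SHADOWED by earlier REJECT/DROP'}")
    print("ping reachable:", ping_reachable(parsed))
```

Running it against the post's sample reports rule 2 ("icmp (all types)") as reachable and rule 8 ("icmp echo-request") as shadowed. On a host without that earlier blanket ICMP rule the same two `-A` commands would leave ping blocked, which is the case the script is meant to catch before you spend time on the OCI side.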
2nd part: Update the Security List in OCI.
Create a new Security List, or edit an existing one, within your VCN. Click on "Create Security List". I have created a new Security List named "Allow ping".
Enter the ingress rule as shown in the screenshot below. This rule allows all types of ICMP in the ingress direction.
Click on Save Changes.
The next step is very important: assign this Security List to your desired compartment. In my case it is the Wordpress compartment.
Click on the Subnets, then the subnet name you created.
Click on Add Security List
Select the Security List you created. In my case it is "Allow ping". Then click on Add Security List.
You should now be able to ping to your OCI Ubuntu instance from your workstation.
The reason to create a dedicated Security List for ping is that if you later want to disable ping, all you need to do is remove/de-assign that Security List from the VCN's subnet.
Have fun.