Another question we're being asked a lot is: "How do I configure the firewall on my instance?", or, even more frequently, "How come I cannot connect to port XXX on my instance?"
Let us deal with outbound ports first (your instance attempts to contact an external service on a certain port). At this point, they all should be open, except the mail port 25. If you need to send mail, consider secure SMTP (port 465).
For the inbound ports, you have the luxury of configuring them in at least two ways: in the virtual machine itself (e.g. using iptables), or by injecting rules pertinent to your VM into the overall hypervisor firewall rules. Let us look at both of these in detail.
Clearly, dealing with the firewall at the hypervisor level is preferred if you care about performance: packets blocked there are discarded before they are ever delivered to your VM. On the other hand, the process is somewhat involved, namely:
- In the base master images, only ports 22, 80, and 443 are opened for your VM by the hypervisor. If you need to open other ports, follow the steps below:
- You'll need to capture an image of your running instance. In the control panel, select your instance and click "select image". This may take up to an hour, depending on the instance size.
- Once the capture is complete, you will need to find and access your custom image in the image catalog. Make sure that you are logged in; from the image homepage, click on the content tab and navigate to the file called parameters.xml.
- Take a look at your default parameters.xml. It should look something like this. As you can see, only ports 22, 80, and 443 are open.
- Feel free to add the ports that you want open. If you want to open all ports, use this file as your baseline, for instance.
- Upload the modified file (replacing the old parameters.xml) and make sure that you save the new image.
- Provision a new instance from the modified image. Once the instance is active, the new firewall rules will supersede the old ones.
Changing the iptables rules is quicker. By default, the iptables firewall is not enabled in the instances. To learn about iptables, visit the project homepage. To enable it, you could do this, for instance:
- Become root (sudo su -), navigate to /etc/sysconfig and edit the file called iptables.
- Add or remove the lines as desired; once you're done, start the service: service iptables start
- Check that the service is running and the rules in effect: service iptables status
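As an added illustration of the iptables route (this is an example written for this page, not a file shipped with the instances), the function below generates an /etc/sysconfig/iptables ruleset in iptables-restore format that mirrors the hypervisor default of allowing only inbound ports 22, 80, and 443, with everything else inbound dropped; pass a different port list to open other ports. The function and helper names are my own choices.

```shell
#!/bin/sh
# Emit an /etc/sysconfig/iptables ruleset (iptables-restore format) that
# accepts only the listed inbound TCP ports, plus loopback and replies to
# connections the instance opened itself, and drops everything else inbound.
# Usage: gen_iptables_rules 22 80 443
gen_iptables_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic and replies to outbound connections
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP echo so the instance stays pingable for monitoring
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
    for port in "$@"; do
        # Skip anything that is not a plain number in the valid port range
        case "$port" in
            ''|*[!0-9]*) echo "skipping invalid port: $port" >&2; continue ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "skipping out-of-range port: $port" >&2
            continue
        fi
        # New TCP connections to an explicitly allowed port
        printf '%s\n' "-A INPUT -p tcp -m state --state NEW --dport $port -j ACCEPT"
    done
    echo "COMMIT"
}

# Number of allow rules in the generated ruleset: a quick sanity check
# before writing the file (leaving 22 out locks you out of SSH).
count_allowed_ports() {
    gen_iptables_rules "$@" | grep -c -- '--dport'
}

# Write the file as root, then start the service as in the steps above:
# gen_iptables_rules 22 80 443 > /etc/sysconfig/iptables && service iptables start
```

After starting the service, service iptables status should list exactly the ACCEPT rules you generated, followed by the implicit DROP policy on INPUT.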
You should be all set!