***********************************************************************************
* Description: RHEL integrated firewall causing Oracle database connection timeout
* Date: 11:27 PM EST, 11/12/2017
***********************************************************************************
<1> Oracle database connections fail with the "TNS-12170: connection timeout" error:
|
|__ o. The database runs on an AWS EC2 instance.
|
|__ o. The security group and network ACL are configured correctly, with port 1521 open.
|
|__ o. The cause is the Red Hat host firewall (firewalld) being active: its default public zone only accepts inbound SSH (plus dhcpv6-client), so inbound 1521/tcp to the Oracle listener is dropped. Outbound traffic is not filtered by the default zone; only the inbound side matters here.
<2> Confirm whether the firewall is running:
|
|__ $ sudo su -
|
|__ $ systemctl status firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2017-11-02 17:29:13 EDT; 1 weeks 0 days ago
Docs: man:firewalld(1)
Main PID: 835 (firewalld)
CGroup: /system.slice/firewalld.service
|__ 835 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Nov 02 17:29:13 ip-172-31-31-109.ec2.internal systemd[1]: Starting firewalld - dynamic firewall daemon...
Nov 02 17:29:13 ip-172-31-31-109.ec2.internal systemd[1]: Started firewalld - dynamic firewall daemon.
Nov 02 17:29:14 ip-172-31-31-109.ec2.internal firewalld[835]: WARNING: ICMP type 'beyond-scope' is not supported by the kernel for ipv6.
Nov 02 17:29:14 ip-172-31-31-109.ec2.internal firewalld[835]: WARNING: beyond-scope: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
Nov 02 17:29:14 ip-172-31-31-109.ec2.internal firewalld[835]: WARNING: ICMP type 'failed-policy' is not supported by the kernel for ipv6.
Nov 02 17:29:14 ip-172-31-31-109.ec2.internal firewalld[835]: WARNING: failed-policy: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
Nov 02 17:29:14 ip-172-31-31-109.ec2.internal firewalld[835]: WARNING: ICMP type 'reject-route' is not supported by the kernel for ipv6.
Nov 02 17:29:14 ip-172-31-31-109.ec2.internal firewalld[835]: WARNING: reject-route: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
<3> Checking firewall state:
|
|__ $ sudo su -
|
|__ $ firewall-cmd --query-lockdown
|
| no
|
|__ $ firewall-cmd --state
|
| running
|
|__ $ firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh <<<<<<<<<< Only ssh (22/tcp) and dhcpv6-client are allowed; "ports:" is empty, so 1521/tcp for the Oracle listener is blocked.
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
<4> Stopping/disabling the firewall:
|
|__ o. Note: this removes host-level filtering entirely and leaves the security group as the only control. On a production host, prefer adding 1521/tcp to the active zone with firewall-cmd (permanent plus reload) and keeping firewalld enabled; stop it only when you have decided the host firewall is not wanted.
|
|__ $ sudo su -
|
|__ $ systemctl stop firewalld.service
|
|__ $ systemctl disable firewalld.service
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
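The check in <3> and the fix in <4> can be scripted so that the zone dump is parsed rather than eyeballed, and so that the narrower remedy (open one port) is emitted instead of stopping firewalld. The following is an added example, not part of the original note: it embeds a constructed copy of the zone dump shown above (and a second constructed dump as it would look after adding 1521/tcp), a function `port_allowed` that decides whether a given port/protocol is reachable through the zone's "ports:" or "services:" lines, and a function `open_port_cmds` that prints the firewall-cmd invocations to allow the port. The service-to-port table is limited to the two services that appear in the dump; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original note or from firewalld itself).
# Parses the text of `firewall-cmd --list-all` and answers: is PORT/PROTO allowed?

# Constructed sample: the zone dump from the note (only dhcpv6-client and ssh).
ZONE_BEFORE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Constructed sample: the same zone after `firewall-cmd --permanent --add-port=1521/tcp`
# followed by `firewall-cmd --reload`.
ZONE_AFTER='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 1521/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Minimal map of firewalld service names to the port they open.
# Only the two services present in the dump are listed (assumption: this
# table is enough for the zone shown; extend it for other services).
SERVICE_PORTS='ssh 22/tcp
dhcpv6-client 546/udp'

# service_port NAME -> prints "port/proto" for a known service, nothing otherwise.
service_port() {
  printf '%s\n' "$SERVICE_PORTS" | awk -v n="$1" '$1 == n { print $2 }'
}

# port_allowed ZONE_TEXT PORT PROTO -> prints "yes" or "no".
# Checks the explicit "ports:" line first, then each name on "services:".
# Rich rules are not parsed; a zone that only allows the port via a rich
# rule will report "no" (a deliberate conservative default).
port_allowed() {
  zone_text=$1
  want="$2/$3"
  ports=$(printf '%s\n' "$zone_text" | sed -n 's/^[[:space:]]*ports:[[:space:]]*//p')
  services=$(printf '%s\n' "$zone_text" | sed -n 's/^[[:space:]]*services:[[:space:]]*//p')
  for p in $ports; do
    [ "$p" = "$want" ] && { echo yes; return 0; }
  done
  for s in $services; do
    [ "$(service_port "$s")" = "$want" ] && { echo yes; return 0; }
  done
  echo no
}

# open_port_cmds PORT PROTO -> prints the commands that allow the port in the
# active zone both permanently and at run time, leaving firewalld enabled.
open_port_cmds() {
  printf 'firewall-cmd --permanent --add-port=%s/%s\n' "$1" "$2"
  printf 'firewall-cmd --reload\n'
}

# Stand-alone demonstration on the constructed dumps.
echo "1521/tcp allowed before: $(port_allowed "$ZONE_BEFORE" 1521 tcp)"
echo "22/tcp allowed before:   $(port_allowed "$ZONE_BEFORE" 22 tcp)"
echo "1521/tcp allowed after:  $(port_allowed "$ZONE_AFTER" 1521 tcp)"
echo "Commands to open 1521/tcp:"
open_port_cmds 1521 tcp
```

On a live host, replace the constructed dump with `port_allowed "$(firewall-cmd --list-all)" 1521 tcp`; run the two printed commands as root, then re-run the check, and the answer flips from "no" to "yes" without the host firewall ever being stopped.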
<5> Firewall command help (the full manual is `man firewall-cmd`):
|
|__ $ firewall-cmd --help
<6> Reference:
|
|__ https://docs.eucalyptus.com/eucalyptus/4.3/install-guide/rhel7_disable_firewalld.html