Can't connect to EC2 instance on any port other than SSH

0
  • My instance has an EIP allocated as its Public IP.
  • I have Route 53 aliasing a hostname to my EIP.
  • My instance has a Security Group that allows inbound SSH (tcp 22) and OpenVPN (udp 1194) traffic.
  • My ACLs allow all traffic on all ports from all sources (0.0.0.0/0).
  • I can connect to my instance over port 22 using my public hostname, which resolves to my EIP.

My iptables output:

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp spt:openvpn

As a network test, I tried using netcat to test the port:

$ nc -v -l 0.0.0.0 1194

On my personal computer:

$ nc -v <hostname> 1194
nc: connect to <hostname> (<EIP>) port 1194 (tcp) failed: No route to host

However, when I try to connect to port 22:

$ nc -v <hostname> 22
Connection to <hostname> (<EIP>) 22 port [tcp/ssh] succeeded!
SSH-2.0-OpenSSH_8.7

Clearly, I can route to the host since I'm running commands on it over SSH, but I can't tell where in the entire process I'm failing for other ports.

1 Answer
3
Accepted Answer

Based on your description, there are several potential issues preventing connections to ports other than SSH (port 22) on your EC2 instance. Let me analyze the problem:

  1. iptables Configuration Issue: Looking at your iptables output, I can see a critical issue. The REJECT rule appears before your OpenVPN rule in the INPUT chain:
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn

This means all traffic is being rejected before the OpenVPN rule can be evaluated. Rules in iptables are processed in order, so your OpenVPN rule is never reached.

  2. Protocol Mismatch: Your OpenVPN is configured for UDP port 1194, but your netcat test is using TCP by default. When you run nc -v -l 0.0.0.0 1194, you're listening on TCP port 1194, not UDP. For UDP testing, you need to use the -u flag with netcat.

  3. Network ACLs vs. Security Groups: While you mentioned your Network ACLs allow all traffic, remember that Network ACLs are stateless, unlike security groups which are stateful. For Network ACLs, you need to ensure both inbound and outbound rules are properly configured, especially for the ephemeral port range (typically 1024-65535) which is needed for return traffic.

To fix these issues:

  1. Reorder your iptables rules to place the ACCEPT rule for OpenVPN before the REJECT rule:
sudo iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
sudo iptables -A INPUT -p udp --dport 1194 -j ACCEPT
sudo iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
  2. For testing UDP ports with netcat, use:
# On server
nc -u -v -l 0.0.0.0 1194

# On client
nc -u -v <hostname> 1194
  3. Double-check your security group to ensure it explicitly allows UDP traffic on port 1194, not just TCP.

If you're still experiencing issues after these changes, you might want to temporarily disable the host firewall completely for testing purposes (remember to re-enable it afterward):

sudo systemctl stop firewalld  # For RHEL/CentOS/Fedora
# or
sudo ufw disable  # For Ubuntu/Debian

Sources
The connection has timed out. No access to ec2 | AWS re:Post
Unable to access to EC2 via SSH or Instance Connect - Sorted! | AWS re:Post
SSH not working on fresh account, | AWS re:Post

answered 2 months ago
AWS
EXPERT
reviewed 2 months ago
AWS
EXPERT
reviewed 2 months ago
  • Reordering the iptables rules fixed this!
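As an added example (not part of the original question or answer), here is a small POSIX shell checker for the misordering the answer describes: it reads `iptables -S CHAIN` output and lists every rule placed after an unconditional REJECT/DROP, i.e. rules that can never match. The two rule sets are constructed to mirror the asker's INPUT chain before and after the reorder.

```shell
# Constructed sample: the asker's INPUT chain in `iptables -S` format,
# with the ACCEPT for udp/1194 sitting after the catch-all REJECT.
SAMPLE_BROKEN='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT'

# Constructed sample: the same chain after the reorder suggested in the answer.
SAMPLE_FIXED='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# shadowed_rules CHAIN  (reads rule specs on stdin)
# Prints every rule appended to CHAIN after the first rule that has no match
# criteria at all and jumps straight to REJECT or DROP; such rules never match.
shadowed_rules() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            if (blocked) { print; next }
            # Unconditional terminator: "-A CHAIN -j REJECT|DROP ..." with nothing
            # (no -p, -s, -i, -m, --dport) between the chain name and -j.
            if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) blocked = 1
        }'
}

# count_shadowed CHAIN: number of shadowed rules, handy for scripts and alerts.
# Uses awk rather than grep -c so the exit status is 0 even when the count is 0.
count_shadowed() {
    shadowed_rules "$1" | awk 'END { print NR }'
}

# Demonstration on the constructed samples. On a live host run:
#   sudo iptables -S INPUT | shadowed_rules INPUT
echo "Shadowed rules in the broken chain:"
printf '%s\n' "$SAMPLE_BROKEN" | shadowed_rules INPUT
echo "Shadowed rules in the fixed chain: $(printf '%s\n' "$SAMPLE_FIXED" | count_shadowed INPUT)"
```

Run it before and after changing rule order; a non-zero count on INPUT is the same symptom the asker saw (REJECT reached first, so the client gets "No route to host").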
