1

I am running into a problem where xRDP fails to respond to any RDP requests sent to a VM instance running in OCP under Ubuntu Server 20.04 with GNOME GUI installed (via sudo tasksel install ubuntu-desktop). The instance has UFW in "inactive" status and the VCN security list is configured to allow all ports from my NAT IP.

The instance successfully receives packets in dst port 3389 as seen in the following capture done on the OCP instance:

ubuntu@hitc-lab-vm1:~$ sudo tcpdump -nn -i ens3 port 3389
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
03:01:34.578853 IP <omitted>.56726 > 172.20.1.2.3389: Flags [S], seq 972912567, win 64240, options [mss 1460,nop,nop,sackOK], length 0
03:01:35.579071 IP <omitted>.56726 > 172.20.1.2.3389: Flags [S], seq 972912567, win 64240, options [mss 1460,nop,nop,sackOK], length 0
03:01:37.579039 IP <omitted>.56726 > 172.20.1.2.3389: Flags [S], seq 972912567, win 64240, options [mss 1460,nop,nop,sackOK], length 0
^C
3 packets captured
3 packets received by filter
0 packets dropped by kernel

If I cat /var/log/xrdp.log, I see no mentioning of the session request, even though the packets get to the server:

ubuntu@hitc-lab-vm1:~$ sudo cat /var/log/xrdp.log
[20200922-02:39:22] [INFO ] address [0.0.0.0] port [3389] mode 1
[20200922-02:39:22] [INFO ] listening to port 3389 on 0.0.0.0
[20200922-02:39:22] [INFO ] xrdp_listen_pp done
[20200922-02:39:22] [DEBUG] Closed socket 7 (AF_INET6 :: port 3389)
[20200922-02:39:24] [INFO ] starting xrdp with pid 2426
[20200922-02:39:24] [INFO ] address [0.0.0.0] port [3389] mode 1
[20200922-02:39:24] [INFO ] listening to port 3389 on 0.0.0.0
[20200922-02:39:24] [INFO ] xrdp_listen_pp done
[20200922-02:40:03] [DEBUG] Closed socket 11 (AF_INET6 :: port 3389)
[20200922-02:40:03] [INFO ] address [0.0.0.0] port [3389] mode 1
[20200922-02:40:03] [INFO ] listening to port 3389 on 0.0.0.0
[20200922-02:40:03] [INFO ] xrdp_listen_pp done
[20200922-02:40:03] [DEBUG] Closed socket 7 (AF_INET6 :: port 3389)
[20200922-02:40:05] [INFO ] starting xrdp with pid 2687
[20200922-02:40:05] [INFO ] address [0.0.0.0] port [3389] mode 1
[20200922-02:40:05] [INFO ] listening to port 3389 on 0.0.0.0
[20200922-02:40:05] [INFO ] xrdp_listen_pp done

xrdp-sesman log shows a very similar story but with the relevant ports into localhost from the sesman process:

ubuntu@hitc-lab-vm1:~$ sudo cat /var/log/xrdp-sesman.log
[20200922-02:39:22] [DEBUG] libscp initialized
[20200922-02:39:22] [DEBUG] Testing if xrdp-sesman can listen on 127.0.0.1 port 3350.
[20200922-02:39:22] [DEBUG] Closed socket 5 (AF_INET6 ::1 port 3350)
[20200922-02:39:22] [INFO ] starting xrdp-sesman with pid 2416
[20200922-02:39:22] [INFO ] listening to port 3350 on 127.0.0.1
[20200922-02:40:03] [INFO ] shutting down sesman 1
[20200922-02:40:03] [DEBUG] Closed socket 7 (AF_INET6 ::1 port 3350)
[20200922-02:40:03] [DEBUG] libscp initialized
[20200922-02:40:03] [DEBUG] Testing if xrdp-sesman can listen on 127.0.0.1 port 3350.
[20200922-02:40:03] [DEBUG] Closed socket 5 (AF_INET6 ::1 port 3350)
[20200922-02:40:03] [INFO ] starting xrdp-sesman with pid 2666
[20200922-02:40:03] [INFO ] listening to port 3350 on 127.0.0.1

If I spin up an Ubuntu Server 20.04 VM in VMware, install ubuntu-desktop through tasksel, then install xrdp, everything works as expected. Any help here is greatly appreciated.

1 Answers1

1

I opened a ticket with Oracle Support to look at this issue and received this answer:

Oracle-provided images are preconfigured with firewall rules to enable instances to make outgoing connections to the instance's boot and block volumes. For more information, see Essential Firewall Rules. UFW may remove these rules so that during a reboot the instance is not able to connect to the boot and block volumes.

To modify or add new firewall rules, update the /etc/iptables/rules.v4 file instead. Modifications to firewall rules here will take effect after a reboot.

Following this, I reconfigured the custom OCP /etc/iptables/rules.v4file on to allow all connections in and out on the instance, leveraging the VCN security list to do its job:

-A INPUT -j ACCEPT -m comment --comment "Accept all incoming"
-A OUTPUT -j ACCEPT -m comment --comment "Accept all outgoing"

Connections now work as expected. Connections into the instance are now protected by the security list and not IPTABLES.

Since this is a lab environment, the above rules suffice to allow the connections inbound. In a production environment I would use a rule to whitelist the IP and the port used inbound. Still, I'm not a fan of having 2 firewalls to configure for the same traffic flow...