6

My EC2 instance is blocking all outbound connections.

wget http://www.google.com ==> hangs
ping google.com ==> hangs
ssh user@anyserver ==> hangs

I ran `sudo iptables -F` to eliminate all rules, to no avail.

AWS Management console shows Security Group for that instance has Inbound rule allowing ssh and port 80. Can't find anything about Outbound rules there.

Rebooted instance, no change.

If anyone knows how to diagnose or fix, please help.

Adding info:

[ec2-user@ip-10-112-62-73 ~]$ ifconfig
eth0      Link encap:Ethernet  HWaddr 12:31:3D:06:31:BB  
          inet addr:10.112.62.73  Bcast:10.112.63.255  Mask:255.255.254.0
          inet6 addr: fe80::1031:3dff:fe06:31bb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1933 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1764 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:164075 (160.2 KiB)  TX bytes:343256 (335.2 KiB)
          Interrupt:9 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:672 (672.0 b)  TX bytes:672 (672.0 b)


[ec2-user@ip-10-112-62-73 ~]$ ip route show
10.112.62.0/23 dev eth0  proto kernel  scope link  src 10.112.62.73 
default via 10.112.62.1 dev eth0 
Fraggle
  • What if you `ping 8.8.8.8`? Where are your DNS servers? – SmallClanger Apr 05 '12 at 16:42
  • ping 8.8.8.8 ==> Hangs – Fraggle Apr 05 '12 at 16:45
  • Public DNS (from AWS Console): ec2-174-129-153-180.compute-1.amazonaws.com – Fraggle Apr 05 '12 at 16:46
  • Private DNS: ip-10-112-62-73.ec2.internal – Fraggle Apr 05 '12 at 16:46
  • log entries for your NIC? iptables -L? – Bart Silverstrim Apr 05 '12 at 16:48
  • iptables is clean since I ran iptables -F: Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination – Fraggle Apr 05 '12 at 16:48
  • Not sure about log entries in NIC. How do I find out about that? – Fraggle Apr 05 '12 at 16:50
  • Look in /var/log for a log that has entries regarding network settings or issues. – Bart Silverstrim Apr 05 '12 at 16:51
  • looked in /var/log Lots of files there, checked a few of the recently modified ones and nothing seems relevant. – Fraggle Apr 05 '12 at 16:55
  • Ok, output of `ifconfig` and `ip route show` would be useful (edit into your main answer so they're formatted.) – SmallClanger Apr 05 '12 at 17:02
  • Ok, I launched a new EC2 instance which doesn't have this problem. I'll use that for now. If you have any ideas about the problem with this one, then let me know. – Fraggle Apr 05 '12 at 17:34
  • Well if it's merely academic now, then just ditch the instance, but the final test is to `ping 10.112.62.1` (the next hop). – SmallClanger Apr 05 '12 at 17:48
  • ping 10.112.62.1 hangs. Oh well. Amazon must have done something to mess it up, I haven't touched this instance in a while and pretty sure it didn't have this issue before. I'll just use the new instance, only a handful of files to copy. – Fraggle Apr 06 '12 at 22:21
  • Same thing is happening to me...have tried all the things suggested here and nothing is working. Our setup has been working fine for 9 months and all of a sudden all outbound traffic has been blocked. – jamesfzhang May 24 '17 at 16:10
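The comments above walk through a host-side triage ladder: is there a default route, is iptables clean, does the next hop answer. The following Python is an added example, not part of the question or any answer: it parses `ip route show` and `iptables -L` text in the formats quoted above and says which layer to look at next. The two sample texts are constructed to mirror the outputs in the question and comments; the chain names and policies are the standard filter-table ones.

```python
import re

# Constructed from the `ip route show` output in the question.
SAMPLE_ROUTES = """\
10.112.62.0/23 dev eth0  proto kernel  scope link  src 10.112.62.73
default via 10.112.62.1 dev eth0
"""

# Constructed to match the flattened `iptables -L` output in the comments:
# all three filter chains empty, policy ACCEPT.
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""


def default_gateway(route_text):
    """Return (next_hop, device) from the 'default via' line, or None."""
    m = re.search(r"^default via (\S+) dev (\S+)", route_text, re.M)
    return (m.group(1), m.group(2)) if m else None


def chain_policies(iptables_text):
    """Map chain name -> default policy, read from the 'Chain X (policy Y)' headers."""
    return dict(re.findall(r"^Chain (\S+) \(policy (\S+)\)", iptables_text, re.M))


def chain_rule_counts(iptables_text):
    """Map chain name -> number of rule lines. `iptables -L` separates chains
    with a blank line; each section is a header, a column row, then rules."""
    counts = {}
    for section in iptables_text.strip().split("\n\n"):
        lines = [ln for ln in section.splitlines() if ln.strip()]
        m = re.match(r"Chain (\S+) \(policy (\S+)\)", lines[0])
        if m:
            counts[m.group(1)] = len(lines) - 2
    return counts


def host_verdict(route_text, iptables_text):
    """Decide whether the instance itself can explain an outbound hang and
    name the next check. Returns (layer, message)."""
    gw = default_gateway(route_text)
    if gw is None:
        return ("routing", "no default route on the instance; fix routing first")
    policy = chain_policies(iptables_text).get("OUTPUT")
    rules = chain_rule_counts(iptables_text).get("OUTPUT", 0)
    if policy != "ACCEPT" or rules:
        return ("host-firewall",
                f"OUTPUT chain is policy {policy} with {rules} rule(s); inspect iptables before the VPC")
    return ("vpc",
            f"host is clean; ping {gw[0]} on {gw[1]} next. If the next hop also hangs, "
            "look at the security group egress rules and the subnet's network ACL")


if __name__ == "__main__":
    print(host_verdict(SAMPLE_ROUTES, SAMPLE_IPTABLES))
```

Run against the question's own output this returns the `vpc` verdict with next hop 10.112.62.1; the comments report that pinging that address hangs with iptables flushed, which is exactly the case where the instance is exonerated and the cause sits in the VPC layer (security group egress or network ACL) rather than on the host.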

3 Answers

3

I just resolved this issue on my EC2 instance. I had to update the security group configuration, adding:

  1. An Outbound rule for all HTTP TCP traffic on port 80, from destination 0.0.0.0/0
  2. An Outbound rule for all HTTPS TCP traffic on port 443, from destination 0.0.0.0/0

I probably removed these accidentally while troubleshooting a different problem.

lucrussell
  • Even if I add these, there's always an EC2 outbound rule (which I cannot seem to edit) that shows 0.0.0.0/0 to be DENY for "all traffic". How is that managed? – PKHunter Oct 10 '15 at 03:08
  • That rule is fixed by Amazon and cannot be edited. It's a fail-safe rule. – Michael Johnson Nov 09 '15 at 16:44
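The answer above fixes the outbound hang by restoring egress rules for TCP 80 and 443 to 0.0.0.0/0. As an added example (not the answer author's code), this Python checks a security group description in the shape returned by `aws ec2 describe-security-groups` for those rules and renders the `aws ec2 authorize-security-group-egress` commands that would add any that are missing. The group id, group name and rules in the sample are constructed placeholders; the `REQUIRED_EGRESS` list and the IPv4-only check are this example's assumptions.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups`
# output: the default "all traffic" egress rule has been removed and only
# outbound DNS to a private range remains. The group id is a placeholder.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-0123456789abcdef0",
        "GroupName": "web-broken-egress",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        ],
    }]
})

# The outbound access the answer restores: HTTP and HTTPS to anywhere.
REQUIRED_EGRESS = (("tcp", 80), ("tcp", 443))


def rule_allows(rule, proto, port, cidr="0.0.0.0/0"):
    """True if one egress rule permits proto/port to exactly this CIDR.
    IpProtocol "-1" is the AWS 'all traffic' rule and carries no ports."""
    if rule["IpProtocol"] not in ("-1", proto):
        return False
    if rule["IpProtocol"] != "-1":
        if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            return False
    # Assumption: only IPv4 ranges are checked; Ipv6Ranges (::/0) would need the same test.
    return any(r.get("CidrIp") == cidr for r in rule.get("IpRanges", []))


def missing_egress(describe_output, required=REQUIRED_EGRESS):
    """Return {group_id: [(proto, port), ...]} listing, per group, the
    required egress pairs that no rule in IpPermissionsEgress covers.
    Accepts the JSON text from the CLI or an already-parsed dict."""
    data = json.loads(describe_output) if isinstance(describe_output, str) else describe_output
    missing = {}
    for group in data["SecurityGroups"]:
        egress = group.get("IpPermissionsEgress", [])
        gaps = [(proto, port) for proto, port in required
                if not any(rule_allows(r, proto, port) for r in egress)]
        if gaps:
            missing[group["GroupId"]] = gaps
    return missing


def fix_commands(missing):
    """Render the AWS CLI calls that would add each missing rule; they are
    returned as strings for review, not executed."""
    return [
        f"aws ec2 authorize-security-group-egress --group-id {gid} "
        f"--protocol {proto} --port {port} --cidr 0.0.0.0/0"
        for gid, gaps in missing.items()
        for proto, port in gaps
    ]


if __name__ == "__main__":
    gaps = missing_egress(SAMPLE_DESCRIBE_OUTPUT)
    if not gaps:
        print("all required egress rules present")
    for cmd in fix_commands(gaps):
        print(cmd)
```

Feed it the real CLI output with `aws ec2 describe-security-groups --group-ids <id> --output json` and compare the rendered commands against what the console shows before running them. Security groups drop disallowed packets silently rather than rejecting them, so a missing egress rule produces exactly the symptom in the question: `wget`, `ping` and `ssh` hang instead of failing fast.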
1

Coming from the future: If you are having the same issue but you are sure that you have the correct security configuration, just detach the security group from the instance, and reattach it.

Joshua
  • You can't just detach a security group; one needs to be attached at all times. Anyway, juggling groups didn't work for me. – Suor May 29 '17 at 08:44
  • This was my issue. Even though I updated the rules, for some reason they weren't being applied. Removing and re-adding the security group did the trick. – eugene Jun 29 '20 at 06:10
0

I finally solved the problem by dis-associating the elastic ip and then re-associating it.

don