https available although no service is listening on 443 ?

vuatsc
vuatsc Member Posts: 107 Blue Ribbon
edited May 14, 2018 1:12PM in Database Cloud Service

I just created a cloud database service. When I SSH into its VM, I find that the ORDS service is running and I can access the default page via https from another system (after bypassing the warning about the invalid certificate). I notice that netstat does not show any service listening on port 443 on this VM. I check again with telnet localhost 443 and I do get a connection refused message.

When I run tcpdump on port 443 and access it again from another system, it does show TCP transactions from the remote host into the VM on this port.

How can this happen when no service is listening on 443?

Thanks for your help.

Vu

Best Answer

  • vuvarov-Oracle
    vuvarov-Oracle Member Posts: 42 Employee
    edited May 7, 2018 5:44PM Accepted Answer

    Hi Vu,

    The DBCS VM redirects incoming traffic on port 443 to the actual ORDS listener using the iptables NAT table. This is what I see in my VM, for example:

    [[email protected]*** ~]# /sbin/iptables -t nat -nL
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080
    REDIRECT   udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:80 redir ports 8080
    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 redir ports 8181
    REDIRECT   udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:443 redir ports 8181

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination

    [[email protected]*** ~]# netstat -nat | grep LISTEN | grep 8181
    tcp        0      0 :::8181                     :::*                        LISTEN

    [[email protected]*** ~]# /usr/sbin/lsof -i tcp:8181
    COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
    java    22988 oracle   31u  IPv6  87371      0t0  TCP *:8181 (LISTEN)

    [[email protected]*** ~]# ps uxww -q 22988
    USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
    oracle   22988  0.7 14.3 4579224 1102404 ?     Sl   19:28   0:59 /u01/app/oracle/product/java/jdk1.8.0_74/bin/java -jar /u01/app/oracle/product/ords/ords.war standalone

    Hope this helps,

    Vlad

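Vlad's commands show the mechanism by hand. The script below is added here as a worked example; it is not part of the thread and not Oracle's DBCS tooling. It parses the text of iptables -t nat -nL and netstat -nat and, for a given port, reports whether remote clients reach a real listener, a PREROUTING REDIRECT/DNAT target, or nothing, and whether a service bound directly to that port would be shadowed by the rule (Vu's Tomcat concern). NAT_TEXT and NETSTAT_TEXT are constructed from the thread's output; the missing 8080 listener is deliberate so the failure case shows up. All function and class names are this example's own.

```python
"""Reconcile iptables NAT redirects with listening sockets.

Added example, not code from the forum thread or from Oracle: it parses the
text of `iptables -t nat -nL` and `netstat -nat` and explains, for a given
port, whether remote clients reach a real listener, a REDIRECT target, or
nothing. NAT_TEXT and NETSTAT_TEXT below are constructed from the thread
(the 8080 target is deliberately left without a listener).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# "REDIRECT   tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:443 redir ports 8181"
REDIRECT_RE = re.compile(
    r"^REDIRECT\s+(?P<proto>tcp|udp)\s+.*?dpt:(?P<dport>\d+)\s+redir ports\s+(?P<to>\d+)")
# "DNAT       tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:443 to:10.0.0.5:8443"
DNAT_RE = re.compile(
    r"^DNAT\s+(?P<proto>tcp|udp)\s+.*?dpt:(?P<dport>\d+)\s+to:(?P<ip>[\d.]+):(?P<to>\d+)")


@dataclass(frozen=True)
class NatRule:
    proto: str
    dport: int        # port the client connects to
    target_port: int  # port the kernel rewrites the packet to
    target_ip: str    # "" for REDIRECT (this host), an address for DNAT


def parse_nat_prerouting(nat_text: str) -> list[NatRule]:
    """Rules from the PREROUTING chain only: that chain sees packets that
    arrive from other hosts, before the local socket lookup. Locally
    generated traffic (telnet localhost 443) is NATed in OUTPUT instead,
    which is why the thread's loopback test was refused."""
    rules: list[NatRule] = []
    chain = None
    for line in (ln.strip() for ln in nat_text.splitlines()):
        m = re.match(r"^Chain (\S+)", line)
        if m:
            chain = m.group(1)
            continue
        if chain != "PREROUTING":
            continue
        if m := REDIRECT_RE.match(line):
            rules.append(NatRule(m["proto"], int(m["dport"]), int(m["to"]), ""))
        elif m := DNAT_RE.match(line):
            rules.append(NatRule(m["proto"], int(m["dport"]), int(m["to"]), m["ip"]))
    return rules


def parse_listen_ports(netstat_text: str) -> set[int]:
    """TCP ports in LISTEN state from `netstat -nat` (or `ss -ltn`) output."""
    ports: set[int] = set()
    for fields in (ln.split() for ln in netstat_text.splitlines()):
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def explain_port(port: int, nat_text: str, netstat_text: str) -> dict:
    """Why does (or doesn't) `port` answer for a remote client?"""
    listening = parse_listen_ports(netstat_text)
    rules = [r for r in parse_nat_prerouting(nat_text)
             if r.proto == "tcp" and r.dport == port]
    out = {"port": port, "direct_listener": port in listening,
           "redirect": None, "target_listening": None, "shadowed": False,
           "answers_remotely": port in listening}
    if rules:
        r = rules[0]  # iptables stops at the first matching REDIRECT/DNAT
        out["redirect"] = (r.target_ip or "local", r.target_port)
        # A service bound directly to `port` never sees remote traffic while
        # the rule exists: the packet is rewritten before the socket lookup.
        out["shadowed"] = port in listening
        if r.target_ip:
            out["answers_remotely"] = None  # depends on another host
        else:
            out["target_listening"] = r.target_port in listening
            out["answers_remotely"] = out["target_listening"]
    return out


# Constructed sample input, modelled on the thread's output.
NAT_TEXT = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080
REDIRECT   udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:80 redir ports 8080
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 redir ports 8181
REDIRECT   udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:443 redir ports 8181

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
"""

NETSTAT_TEXT = """\
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 :::1521                     :::*                        LISTEN
tcp        0      0 :::8181                     :::*                        LISTEN
"""

if __name__ == "__main__":
    for p in (22, 80, 443):
        print(explain_port(p, NAT_TEXT, NETSTAT_TEXT))
```

To use it on a real VM, capture iptables -t nat -nL and netstat -nat (or ss -ltn) and pass the text in. Two caveats the thread touches on: connections made from the VM itself (telnet localhost 443) are NATed in the nat OUTPUT chain, not PREROUTING, so the redirect does not apply to them and a loopback test says nothing about what remote clients see; and while the rule exists, anything bound directly to 443 on the VM (Tomcat, say) is shadowed for remote clients until the REDIRECT is deleted. The redirect also does not hide 8181: if the cloud security rules allow that port, ORDS is reachable on it directly, so the exposure is the same with or without the rule.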
Answers

  • handat
    handat Member Posts: 4,688 Gold Crown
    edited May 4, 2018 4:43PM

    Could it be the load balancer is listening on 443 and passing it on?

  • vuatsc
    vuatsc Member Posts: 107 Blue Ribbon
    edited May 5, 2018 9:09AM

    Hi Handat,

    Thank you for your reply. Is the load balancer a feature that automatically goes along with the DBaaS service? When I created the database service, I didn't create/add a load balancer. But even if it is the case that the balancer passes the 443 transactions over to the VM, which program/service on the VM answers that traffic?

    Both netstat and lsof show no listening service on 443 on the VM.

    I also notice that if I turn off the ORDS, then all connections over 443 are refused.

    Then it poses another question: if I want to install some application that listens on port 443, for example Tomcat, then that "secret" 443 listener will interfere with Tomcat.

    Vu

  • vuatsc
    vuatsc Member Posts: 107 Blue Ribbon
    edited May 14, 2018 1:12PM

    Hi Vlad,

    First of all, I am sorry for my (too) late reply. I was stuck with clients in the last few days.

    You are right. I definitely forgot to check PREROUTING in iptables. I did check iptables -L -n but forgot the parameter -t nat. That's why I did not see the redirection.

    Vu