23_Allowing ICMP in Security list within same subnet (Self-Rule) - Nirvan-Pandey/OCI_DOC GitHub Wiki
23_1: Overview
This lab shows how to configure a security list so that instances in the same subnet can exchange ICMP traffic; an ingress rule whose source is the subnet's own CIDR block is often called a self-rule. ICMP (Internet Control Message Protocol) carries diagnostic and control messages, for example the echo request/reply pair used by ping and the time-exceeded messages used by traceroute. Allowing ICMP within a subnet helps with network troubleshooting and monitoring, and scoping the rule to the subnet CIDR (rather than 0.0.0.0/0) limits who can probe the instances.
23_2: Steps
Below are the steps.
23_2_A: Open the 1st instance in PuTTY and run the command below to find its IP address.
hostname -i
23_2_B: Open the 2nd instance and run hostname -i there as well to find its IP address.
23_2_C: Check reachability by pinging one instance from the other, using the IP address found above.
ping (host IP)
Neither instance is able to ping the other.
23_2_D: Security List Overview
A security list is a virtual firewall for a subnet: its rules are applied at every VNIC in that subnet, to traffic entering and leaving each instance. Each rule allows traffic that matches criteria such as IP protocol, source or destination CIDR, and ports. A security list contains only allow rules, so any packet not matched by a rule is dropped. This is why two instances in the same subnet cannot ping each other unless a rule explicitly permits it: the rules are enforced at each instance's VNIC, not only at the subnet boundary.
- Ingress Rules: Ingress rules specify the traffic allowed to reach an instance's VNIC, based on criteria such as source CIDR, protocol, and ports. They apply to traffic from other instances in the same subnet just as they do to traffic from outside the VCN.
- Egress Rules: Egress rules specify the traffic allowed to leave an instance's VNIC, based on criteria such as destination CIDR, protocol, and ports.
By configuring ingress and egress rules you control the flow of traffic to and from your instances. Rules are stateful by default, so the reply to allowed traffic (for example the echo reply to a permitted echo request) is let back through without a matching rule in the opposite direction.
23_2_E: Navigate to Security List & See existing rules.
Burger menu --> Networking --> Virtual Cloud Networks --> click the VCN you created --> click the public subnet --> click Default Security List
Ingress Rules
There is no ingress rule that allows ICMP echo requests (type 8, which is what ping sends), so ping between the two instances is dropped.
Egress Rules
Both instances can reach google.com, which shows that egress is allowed; the missing ingress rule is what prevents the instances from reaching each other.
23_2_F: Resolution of reachability issue.
To allow all instances within the subnet to communicate with each other over ICMP, add an ingress rule whose source is the subnet's own CIDR block (the self-rule). The steps:
- Find the CIDR block of the subnet.
Navigation Menu --> Networking --> Virtual Cloud Networks --> click the VCN --> copy the IPv4 CIDR block of the public subnet
- Allow that CIDR by adding an ingress rule to the security list.
Networking --> Virtual Cloud Networks --> VCN --> Security List Details --> Ingress Rules --> Add Ingress Rules
Choose Source Type: CIDR, Source CIDR: the copied subnet CIDR, IP Protocol: ICMP. Leaving Type and Code empty allows every ICMP type from the subnet; setting Type to 8 (echo request) is all ping needs and is the tighter choice.
- Ping now succeeds, so the instances can reach one another within the subnet. Because the source is the subnet CIDR rather than 0.0.0.0/0, hosts outside the subnet still cannot ping the instances through this rule.
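The following is an added example, not code from the OCI_DOC wiki or from Oracle's tooling. It models the "before" and "after" states of the procedure above using the JSON shape of an OCI ingress security rule (protocol, source, sourceType, isStateless, icmpOptions), so you can check offline why ping fails until the self-rule exists and confirm that the rule is scoped to the subnet. The subnet CIDR, instance addresses and the "before" rule set are constructed sample values; replace them with the CIDR you copied from the console and the addresses returned by hostname -i.

```python
"""Model OCI security-list ingress evaluation for ICMP echo (ping) within a subnet.

Added example (not from the OCI_DOC wiki or Oracle's tooling). The rule dicts
mirror the JSON of an OCI IngressSecurityRule so the output can be fed to the
API or CLI, but the evaluation below is a local model, not OCI itself.
"""
import ipaddress
from typing import Iterable

ICMP_ECHO_REQUEST = 8   # ping sends type 8; the reply is type 0
PROTO_ICMP = "1"        # OCI uses the IANA protocol number as a string ("1" = ICMP)

# Constructed sample values: substitute your subnet's IPv4 CIDR and the
# addresses returned by `hostname -i` on each instance.
SUBNET_CIDR = "10.0.0.0/24"
INSTANCE_A = "10.0.0.11"
INSTANCE_B = "10.0.0.12"

# Constructed ingress rules approximating a list that, like the page's Default
# Security List, permits SSH but has no rule for ICMP echo requests.
BEFORE_RULES = [
    {"protocol": "6", "source": "0.0.0.0/0", "sourceType": "CIDR_BLOCK",
     "isStateless": False,
     "tcpOptions": {"destinationPortRange": {"min": 22, "max": 22}}},
    {"protocol": PROTO_ICMP, "source": "10.0.0.0/16", "sourceType": "CIDR_BLOCK",
     "isStateless": False, "icmpOptions": {"type": 3}},  # destination-unreachable only
]


def build_icmp_self_rule(subnet_cidr: str, echo_only: bool = True) -> dict:
    """Ingress rule allowing ICMP from the subnet's own CIDR (the self-rule).

    echo_only=True restricts it to echo requests (type 8), which is all ping
    needs; the echo reply comes back because the rule is stateful.
    """
    ipaddress.ip_network(subnet_cidr)  # raises ValueError on a malformed CIDR
    rule = {
        "protocol": PROTO_ICMP,
        "source": subnet_cidr,
        "sourceType": "CIDR_BLOCK",
        "isStateless": False,
        "description": "Allow ICMP echo between instances in this subnet",
    }
    if echo_only:
        rule["icmpOptions"] = {"type": ICMP_ECHO_REQUEST}
    return rule


def _rule_matches_icmp(rule: dict, src_ip: str, icmp_type: int) -> bool:
    if rule.get("sourceType", "CIDR_BLOCK") != "CIDR_BLOCK":
        return False  # service or NSG sources are outside this model
    if rule["protocol"] not in ("all", PROTO_ICMP):
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule["source"]):
        return False
    opts = rule.get("icmpOptions")
    return opts is None or opts.get("type") == icmp_type  # no options = all types


def icmp_echo_allowed(rules: Iterable[dict], src_ip: str,
                      icmp_type: int = ICMP_ECHO_REQUEST) -> bool:
    """True if any ingress rule admits an ICMP packet of icmp_type from src_ip.

    Security lists hold only allow rules: no match means the packet is dropped.
    """
    return any(_rule_matches_icmp(r, src_ip, icmp_type) for r in rules)


def same_subnet(cidr: str, *ips: str) -> bool:
    """Sanity check that every instance address really lies in the CIDR you copied."""
    net = ipaddress.ip_network(cidr)
    return all(ipaddress.ip_address(ip) in net for ip in ips)


def wider_than_subnet(rule: dict, subnet_cidr: str) -> bool:
    """Flag a self-rule whose source is not contained in the subnet (e.g. 0.0.0.0/0)
    or which opens every protocol instead of just ICMP."""
    src = ipaddress.ip_network(rule["source"])
    return not src.subnet_of(ipaddress.ip_network(subnet_cidr)) or rule["protocol"] == "all"


if __name__ == "__main__":
    assert same_subnet(SUBNET_CIDR, INSTANCE_A, INSTANCE_B)
    print("before:", icmp_echo_allowed(BEFORE_RULES, INSTANCE_A))        # False
    after = BEFORE_RULES + [build_icmp_self_rule(SUBNET_CIDR)]
    print("after: ", icmp_echo_allowed(after, INSTANCE_A))               # True
    print("outside subnet:", icmp_echo_allowed(after, "10.0.1.5"))       # False
```

To apply the generated rule with the OCI CLI, `oci network security-list update --security-list-id <ocid> --ingress-security-rules <json>` takes the complete list of ingress rules, so include the existing rules alongside the new self-rule rather than passing the new rule alone; the `after` list in the block is that combined list.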