Saturday, November 5, 2022

Allow port in firewall - linux - OCI

By Gowthami | apps-dba.com | Oracle Cloud Infrastructure Series

When deploying Oracle Database or application servers on OCI Linux instances, opening the correct ports in both the OS firewall and OCI security lists is essential. This post covers how to allow ports through the Linux firewall (firewalld) and OCI network security rules.

What You Will Learn: How to open ports on OCI Linux instances using firewalld commands, and how to configure OCI Security Lists and Network Security Groups to allow inbound traffic.

Two Layers of Firewall on OCI

OCI Linux instances have two firewall layers that must both allow traffic:

  • OS-level firewall — firewalld (Oracle Linux / RHEL) or iptables
  • OCI network-level — Security Lists attached to subnets, or Network Security Groups (NSGs)

A common mistake is opening only one layer and wondering why connections still fail.

Step 1: Allow Port in Linux Firewall (firewalld)

Check if firewalld is running:

$ sudo systemctl status firewalld

Add a permanent rule to allow a specific port (example: TCP 1521 for Oracle listener):

$ sudo firewall-cmd --permanent --add-port=1521/tcp

Reload firewalld to apply the change:

$ sudo firewall-cmd --reload

Verify the port is allowed:

$ sudo firewall-cmd --list-ports
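The four commands above, wrapped into one idempotent script as an added example (this is not code from the original post). It assumes Oracle Linux / RHEL with firewalld and a user with sudo rights; the port spec is validated before anything is changed, the rule is only added when it is not already present, and the runtime configuration is re-checked after the reload so a silent failure of `--reload` is caught:

```sh
#!/bin/sh
# Added example: allow a port in firewalld idempotently and verify the result.
# Assumes firewalld on Oracle Linux / RHEL; run with sudo rights.
# Usage: sh allow_port.sh 1521/tcp

# Return 0 if WANT (e.g. 1521/tcp) appears as a whole token in LISTING,
# the output of `firewall-cmd --list-ports`. Exact-token matching means
# 15210/tcp does not pass as 1521/tcp.
port_listed() {
    want="$1"
    listing="$2"
    for p in $listing; do
        [ "$p" = "$want" ] && return 0
    done
    return 1
}

# Accept only NUMBER/tcp or NUMBER/udp with NUMBER in 1..65535.
valid_port_spec() {
    case "$1" in
        */tcp|*/udp) ;;
        *) return 1 ;;
    esac
    num="${1%/*}"
    case "$num" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$num" -ge 1 ] && [ "$num" -le 65535 ]
}

# Add the rule permanently, reload, and confirm it is active.
ensure_port() {
    spec="$1"
    valid_port_spec "$spec" || { echo "invalid port spec: $spec" >&2; return 2; }
    if [ "$(systemctl is-active firewalld)" != "active" ]; then
        echo "firewalld is not active; the OS layer is not what blocks traffic" >&2
        return 3
    fi
    if port_listed "$spec" "$(sudo firewall-cmd --list-ports)"; then
        echo "$spec already allowed in the runtime configuration"
    else
        sudo firewall-cmd --permanent --add-port="$spec" || return 4
        sudo firewall-cmd --reload || return 4
    fi
    # Verify against the runtime configuration after the reload.
    if port_listed "$spec" "$(sudo firewall-cmd --list-ports)"; then
        echo "$spec is allowed"
    else
        echo "$spec still not listed after reload" >&2
        return 5
    fi
}

# Run only when executed with one argument, so the helpers can also be sourced.
if [ $# -eq 1 ]; then
    ensure_port "$1"
fi
```

The `--permanent` flag writes the rule to disk without activating it, which is why the reload is required; checking `--list-ports` (runtime) rather than `--permanent --list-ports` afterwards confirms the rule is actually in effect.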

Common Ports to Open for Oracle DBAs

  Port   Protocol   Purpose
  1521   TCP        Oracle SQL*Net listener
  443    TCP        HTTPS / OCI Console
  22     TCP        SSH access
  8080   TCP        Oracle APEX / EM Express
  5500   TCP        Oracle EM Express (19c+)
  7001   TCP        WebLogic Admin Server

Step 2: Allow Port in OCI Security List

  1. Log in to OCI Console
  2. Navigate to Networking > Virtual Cloud Networks
  3. Select your VCN, then click on the relevant Subnet
  4. Click on the Security List attached to the subnet
  5. Click Add Ingress Rules
  6. Fill in:
    • Source CIDR: 0.0.0.0/0 (or restrict to specific IPs)
    • IP Protocol: TCP
    • Destination Port Range: 1521
  7. Click Add Ingress Rules to save

Step 2 (Alternative): Allow Port via Network Security Group

If using NSGs instead of Security Lists:

  1. Navigate to Networking > Network Security Groups
  2. Select the NSG attached to your instance VNIC
  3. Click Add Rules and configure an ingress rule for the port
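The same ingress rule as in Step 2 and its NSG alternative, created with the OCI CLI instead of the console, as an added example that is not part of the original post. It assumes the OCI CLI is installed and configured (`~/.oci/config`) and that `NSG_OCID` holds the OCID of the NSG attached to the instance VNIC; the subcommand used is `oci network nsg rules add`, so confirm its flags with `--help` on your CLI version. The rule JSON is built by a helper so it can be inspected before anything is sent, and a source of 0.0.0.0/0 is refused unless the caller opts in, so that opening a port to the whole internet is a deliberate decision rather than a copied default:

```sh
#!/bin/sh
# Added example: add a stateful TCP ingress rule to an OCI Network Security Group.
# Assumes a configured OCI CLI and NSG_OCID = OCID of the NSG on the instance VNIC.
# Usage: sh nsg_allow.sh "$NSG_OCID" 1521 10.0.1.0/24 "SQL*Net from app tier"

# Build the JSON body for one INGRESS rule on a single TCP port.
# Arguments: port, source CIDR, description (must not contain double quotes).
nsg_ingress_rule_json() {
    port="$1"; cidr="$2"; desc="$3"
    printf '[{"direction":"INGRESS","protocol":"6","source":"%s","sourceType":"CIDR_BLOCK","isStateless":false,"description":"%s","tcpOptions":{"destinationPortRange":{"min":%s,"max":%s}}}]' \
        "$cidr" "$desc" "$port" "$port"
}

# Accept a CIDR source; 0.0.0.0/0 and ::/0 only when ALLOW_ANY_SOURCE=1 is set.
source_cidr_ok() {
    case "$1" in
        0.0.0.0/0|::/0) [ "${ALLOW_ANY_SOURCE:-0}" = "1" ] ;;
        */*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write the rule to a temp file and append it to the NSG.
add_nsg_ingress() {
    nsg_ocid="$1"; port="$2"; cidr="$3"; desc="${4:-allow tcp/$port}"
    source_cidr_ok "$cidr" || {
        echo "refusing source $cidr (set ALLOW_ANY_SOURCE=1 to open to any address)" >&2
        return 2
    }
    rules_file="$(mktemp)" || return 3
    nsg_ingress_rule_json "$port" "$cidr" "$desc" > "$rules_file"
    # `nsg rules add` appends to the NSG's existing rules. The security-list
    # equivalent, `oci network security-list update --ingress-security-rules`,
    # replaces the whole ingress rule set, so with security lists fetch the
    # current rules first and submit the full list with the new rule appended.
    oci network nsg rules add --nsg-id "$nsg_ocid" --security-rules "file://$rules_file"
    rc=$?
    rm -f "$rules_file"
    return $rc
}

if [ $# -ge 3 ]; then
    add_nsg_ingress "$@"
fi
```

Protocol "6" is the IANA number for TCP, which is what the OCI API expects in place of the console's "TCP" label; `isStateless: false` gives the same stateful behaviour the console creates by default.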

Verify Connectivity

Test from a remote host using telnet or nc:

$ telnet <OCI_INSTANCE_PUBLIC_IP> 1521

# Or using netcat
$ nc -zv <OCI_INSTANCE_PUBLIC_IP> 1521

Troubleshooting

  • If the port is still blocked after both steps, check that the Oracle listener is actually running on it: lsnrctl status
  • Verify the instance's VNIC is in the correct subnet with the right security list
  • Use sudo firewall-cmd --list-all to see all active firewalld rules
  • Check OCI VCN flow logs if available for dropped packets
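The troubleshooting list above, turned into a layered check as an added example (not code from the original post). It assumes `ss` (iproute2), firewalld and `nc` are available. The checks run in the order the packet would be dropped: first whether anything listens on the port at all, then whether firewalld allows it, and only then does a remote probe point at the OCI security list or NSG. The `ss` parser takes its input as an argument so it can be tested on captured output:

```sh
#!/bin/sh
# Added example: find which layer is dropping a TCP connection to an OCI instance.
# Assumes ss, firewalld and nc. diagnose_local runs on the instance,
# diagnose_remote from another host.
# Usage: sh diagnose.sh local 1521     (on the instance)
#        sh diagnose.sh remote <OCI_INSTANCE_PUBLIC_IP> 1521   (from elsewhere)

# Return 0 if SS_OUT (the output of `ss -ltn`) shows a LISTEN socket on PORT.
# The local address may be 0.0.0.0:1521, [::]:1521 or *:1521, so the port is
# taken as the last colon-separated field.
listening_on() {
    port="$1"; ss_out="$2"
    printf '%s\n' "$ss_out" | awk -v p="$port" '
        $1 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == p) found = 1
        }
        END { if (found) exit 0; else exit 1 }'
}

# Return 0 if the firewalld runtime configuration allows PORT/PROTO.
fw_allows() {
    sudo firewall-cmd --query-port="$1" >/dev/null 2>&1
}

diagnose_local() {
    port="$1"
    if ! listening_on "$port" "$(ss -ltn)"; then
        echo "layer 0: nothing is listening on tcp/$port (check lsnrctl status)"
        return 1
    fi
    if ! fw_allows "$port/tcp"; then
        echo "layer 1: firewalld blocks $port/tcp (see Step 1)"
        return 1
    fi
    echo "local layers OK; if a remote connect still fails, check the OCI security list / NSG and VCN flow logs"
}

# A 3-second timeout turns a silent drop (typical of a missing OCI ingress
# rule) into a quick, unambiguous failure instead of a long hang.
diagnose_remote() {
    host="$1"; port="$2"
    if nc -z -w 3 "$host" "$port" 2>/dev/null; then
        echo "tcp/$port reachable on $host"
    else
        echo "tcp/$port not reachable on $host: dropped at the OCI layer or the OS firewall"
        return 1
    fi
}

case "$1" in
    local)  diagnose_local "$2" ;;
    remote) diagnose_remote "$2" "$3" ;;
esac
```

Running the local check first avoids the common loop of re-editing security lists when the real cause is a listener that was never started or is bound to a different port.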

Master Oracle Exadata

This post is part of our Oracle Cloud Infrastructure series. Get our comprehensive Exadata guide with cloud deployment patterns, networking guides, and performance tuning techniques.
