1 Answer
2
There appears to be a problem with the outbound rules of the network ACL.
Network ACLs are stateless security layers,
so we need to add a rule to evaluate the return packet.
Please allow the ephemeral ports 1024-65535 in an outbound rule for 49.37.10.140/32.
Network ACL outbound rules:
Rule Number | Type | Protocol | Port range | Destination | Allow/Deny
---|---|---|---|---|---
10 | Custom TCP | TCP (6) | 1024 - 65535 | 49.37.10.140/32 | Allow
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
If I'm doing telnet to port 3389, and the request is going to EC2, then why is EC2 not responding back on port 3389?
Or, if it's responding back on port 3389, and the NACL already has an outbound rule to allow traffic on port 3389, then why is the request failing?
When communicating from the client to the destination, the client is assigned one of the ephemeral ports (1024-65535) as the source port.
So after communicating to the destination port (3389 in this case), the destination port of the return packet will be one of 1024-65535 and must be allowed in the network ACL.
Even though port 3389 is allowed in the outbound rules, the destination port of the return packet does not match, so it is denied.
Additional information: https://repost.aws/knowledge-center/resolve-connection-sg-acl-inbound
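The stateless evaluation that the answer and the follow-up reply describe, as an added example that is not part of the original thread or of any AWS tooling. It simulates how a network ACL processes one packet at a time (rules in ascending rule-number order, first match wins, the catch-all `*` rule denies everything else) and runs the RDP handshake from the thread through two outbound tables: one that only allows port 3389, and one with the ephemeral-port rule 10 from the answer added. The instance's private IP, the client's ephemeral source port, and the rule number 100 for the pre-existing 3389 rule are constructed for the example; only the client address 49.37.10.140/32, the service port 3389, and rule 10 come from the thread.

```python
"""Simulate stateless network ACL evaluation for the RDP case in the thread.

Added example, not code from the re:Post answer or from AWS. Evaluation order
follows the documented NACL semantics: rules are checked from the lowest rule
number upward, the first matching rule decides, and the implicit final rule
('*') denies anything left over. A NACL keeps no connection state, so the
instance's reply is evaluated on its own, with its own destination port.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CLIENT_IP = "49.37.10.140"   # client address from the thread
INSTANCE_IP = "10.0.1.25"    # constructed private IP for the EC2 instance
SERVICE_PORT = 3389          # RDP, as in the thread


@dataclass(frozen=True)
class Rule:
    number: int      # lower numbers are evaluated first
    protocol: str    # "tcp", "udp" or "all"
    port_from: int   # destination port range, inclusive
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound
    action: str      # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: int
    dst_port: int


def evaluate(rules, packet, direction):
    """Return (action, matched rule number) for one packet in one direction."""
    # Inbound rules match on the packet's source address, outbound on its destination.
    addr = ip_address(packet.dst_ip if direction == "outbound" else packet.src_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", packet.protocol):
            continue
        if not rule.port_from <= packet.dst_port <= rule.port_to:
            continue
        if addr not in ip_network(rule.cidr):
            continue
        return rule.action, rule.number
    return "deny", "*"   # implicit catch-all rule


def rdp_exchange(ephemeral_port=55212):
    """Client SYN to the instance's RDP port, and the instance's SYN-ACK back.

    The ephemeral port is a constructed value; the OS picks it at connect time.
    """
    request = Packet(CLIENT_IP, INSTANCE_IP, "tcp", ephemeral_port, SERVICE_PORT)
    reply = Packet(INSTANCE_IP, CLIENT_IP, "tcp", SERVICE_PORT, ephemeral_port)
    return request, reply


# Inbound side: the service port is allowed from the client (rule number constructed).
INBOUND = [Rule(100, "tcp", SERVICE_PORT, SERVICE_PORT, f"{CLIENT_IP}/32", "allow")]

# Outbound table as the questioner had it: only the service port is allowed back.
OUTBOUND_BROKEN = [Rule(100, "tcp", SERVICE_PORT, SERVICE_PORT, f"{CLIENT_IP}/32", "allow")]

# Outbound table with the answer's rule 10: the ephemeral range to the client /32.
OUTBOUND_FIXED = OUTBOUND_BROKEN + [Rule(10, "tcp", 1024, 65535, f"{CLIENT_IP}/32", "allow")]


def session_outcome(outbound_rules):
    """Evaluate both halves of the handshake and report whether it can complete."""
    request, reply = rdp_exchange()
    in_action, in_rule = evaluate(INBOUND, request, "inbound")
    out_action, out_rule = evaluate(outbound_rules, reply, "outbound")
    return {
        "request": (in_action, in_rule),
        "reply": (out_action, out_rule),
        "handshake_completes": in_action == "allow" and out_action == "allow",
    }


if __name__ == "__main__":
    for name, rules in (("broken", OUTBOUND_BROKEN), ("fixed", OUTBOUND_FIXED)):
        print(name, session_outcome(rules))
```

With the broken table the request is allowed inbound by rule 100, but the SYN-ACK back to the client carries destination port 55212, matches nothing in the outbound table, and falls through to `*` deny; with rule 10 present it is allowed and the handshake completes. The 1024-65535 range is deliberately wide because the client's operating system chooses the ephemeral port (modern Windows uses 49152-65535 by default, Linux typically 32768-60999), and scoping the rule to the client's /32, as the answer does, keeps that wide port range from becoming a general outbound opening.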