A simple guide to adding rules to security lists using OCI CLI

April 27, 2021 | 3 minute read

Before you implement a web application firewall (WAF) in Oracle Cloud Infrastructure (OCI), you need to configure your web server to accept traffic from the WAF servers. The WAF documentation gives a list of CIDR ranges that you need to add to your security list.

A screenshot of the Securing your WAF section in the documentation with CIDR ranges.

So, how can you add all these entries to your security list manually?

Adding ingress rules manually

First, create a security list. It has no rules by default.

A screenshot of a new security list created in the OCI Console.

To add an ingress rule into the security list, click Add Ingress Rules.

A screenshot of the Add Ingress Rules page with detail fields filled out.

To add a list of WAF IP ranges, you can repeat this step multiple times.

Adding ingress rules using the OCI CLI

You could add every ingress rule by hand, or you can use the OCI CLI to add all the CIDR ranges into the security list with a few simple steps.

  1. Launch Cloud Shell. Alternatively, any Linux instance on which the OCI CLI is installed and configured to connect to your tenancy works.

    A screenshot of Oracle Cloud Shell.

  2. Prepare a list of IP ranges in a text file named iprange.txt, one CIDR per line. You can copy the CIDR ranges from the documentation.

    A screenshot of the selected CIDR ranges in Cloud Shell.

  3. To read the IP ranges and generate JSON output, create the generate_json.sh script. If you want to allow TCP only, replace “all” with “6”. The rule keys must match the API field names (lowercase description) and isStateless must be a JSON boolean, not a quoted string.

    #!/bin/bash
    # Reads iprange.txt (one CIDR per line, blank lines ignored) and prints a
    # JSON array of ingress rules for "oci network security-list update".
    mapfile -t ranges < <(grep -v '^[[:space:]]*$' iprange.txt)
    total=${#ranges[@]}
    echo "["
    for (( i = 0; i < total; i++ )); do
      echo " {"
      echo "  \"source\": \"${ranges[$i]}\","
      echo "  \"protocol\": \"all\","
      echo "  \"isStateless\": false,"
      echo "  \"description\": \"OCI WAF IP Ranges\""
      # No trailing comma after the last rule, or the JSON is invalid.
      if (( i == total - 1 )); then
        echo " }"
      else
        echo " },"
      fi
    done
    echo "]"

  4. To generate a JSON file that updates your security list with all the entries for the WAF nodes, run the generate_json.sh script and redirect its output to security_list.json, the file the update command in step 7 reads.

    A screenshot of Cloud Shell creating the json file.

  5. Check the contents of the JSON file.

    A screenshot of the json file in Cloud Shell.

  6. Get the OCID of the security list that you created.

    A screenshot of the Security List Details page with the Copy button for the OCID highlighted in yellow.

  7. Run the following command to update the security list with all the ingress rules. Replace <security-list-ocid> with the OCID from the previous step.

    oci network security-list update --security-list-id <security-list-ocid> --ingress-security-rules  file://./security_list.json --force
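The same generation step as an added example, not the post's own script: it validates each CIDR before it becomes a rule, drops blanks and duplicates, emits the camelCase keys and real booleans the CLI expects, and merges the new rules with the rules already on the list, because the update command above replaces the entire ingress rule set rather than appending to it. The sample input, the existing rule and the port choice are constructed for the example.

```python
import ipaddress
import json

# Constructed stand-in for iprange.txt: includes a blank line, a duplicate and an invalid entry.
SAMPLE_IPRANGE = """\
192.0.2.0/24
198.51.100.0/25

192.0.2.0/24
10.0.0.5/24
203.0.113.128/26
"""

# Constructed existing rule (assumed to already use the camelCase keys the CLI takes as input).
EXISTING_RULES = [{"source": "10.0.0.0/8", "protocol": "6", "isStateless": False,
                   "tcpOptions": {"destinationPortRange": {"min": 22, "max": 22}}}]

def parse_cidrs(text):
    """Validate each line as a CIDR, drop blanks and duplicates, collect rejects."""
    cidrs, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:  # strict=True rejects host bits set, e.g. 10.0.0.5/24
            net = str(ipaddress.ip_network(line, strict=True))
            if net not in cidrs:
                cidrs.append(net)
        except ValueError:
            rejected.append(line)
    return cidrs, rejected

def ingress_rule(cidr, tcp_ports=None, description="OCI WAF IP Ranges"):
    """One rule in the CLI's JSON shape: camelCase keys and real JSON booleans."""
    rule = {"source": cidr, "protocol": "all", "isStateless": False, "description": description}
    if tcp_ports:  # narrow to TCP and a destination port range such as (443, 443)
        rule["protocol"] = "6"
        rule["tcpOptions"] = {"destinationPortRange": {"min": tcp_ports[0], "max": tcp_ports[1]}}
    return rule

def merged_rules(existing, cidrs, tcp_ports=None):
    """The update call replaces the whole rule set, so keep existing rules and add only new ones."""
    def key(r):
        return json.dumps({k: r.get(k) for k in ("source", "protocol", "tcpOptions")}, sort_keys=True)
    out, seen = list(existing), {key(r) for r in existing}
    for rule in (ingress_rule(c, tcp_ports) for c in cidrs):
        if key(rule) not in seen:
            seen.add(key(rule))
            out.append(rule)
    return out
```

Write the merged list to security_list.json with json.dump and pass that file to the update command in step 7; fetch the existing rules first so nothing already on the list is dropped.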

Summary

For details of OCI CLI commands, updating security lists, and other acceptable parameters, see the Oracle Cloud Infrastructure CLI Command Reference.

If you want to add port information to your security list rules, refer to this JSON file format.

[
  {
    "destination": "10.0.2.0/24",
    "protocol": "6",
    "isStateless": true,
    "tcpOptions": {
      "destinationPortRange": {
        "max": 1521,
        "min": 1521
      },
      "sourcePortRange": {
        "max": 1521,
        "min": 1521
      }
    }
  }
]

Sam Eu
