[Total: 0    Average: 0/5]

Introduction

You have a Debian instance running in Google Cloud Compute Engine. You connect to this instance via SSH. One day you decide to enable the UFW firewall and your SSH connection drops. You cannot reconnect.

Problem

The problem is that by enabling UFW you blocked SSH access.

Solution

This article shows two methods of solving this problem.

The first method is to create a startup-script that disables UFW. The second method  attaches the boot disk to another instance and modifies the file /etc/ufw/ufw.conf

Method 1:

Step 1:

Login into the Google Cloud Console. Go to Compute Engine -> VM instances. Click on your instance. Click on the Edit button.

Step 2:

Scroll down to the section “Custom metadata”. For Key enter startup-script. For Value enter:

Click the Save button

Note: An option is to just enable SSH in the startup-script.

Step 3:

Reboot your instance. During reboot, the startup-script will run disabling the UFW firewall. Log into your instance using SSH.

Step 4:

Repeat Step #2 except this time, delete the startup-script. Otherwise, the firewall will be disabled each time your instance boots.

Method 2:

STEP 1:

Shutdown your instance with the UFW problem. Login into the Google Cloud Console. Go to Compute Engine -> VM instances. Click on your instance and make note of the “Boot disk” name. This will be the first disk under “Boot disk and local disks”.

STEP 2:

Create a snapshot of the boot disk before doing anything further. While still in Compute Engine -> Disk. Click on your boot disk. Click on “CREATE SNAPSHOT”.

STEP 3:

Create a new instance in the same zone. A micro instance will work.

STEP 4:

Open a Cloud Shell prompt (this also works from your desktop if gcloud is setup). Execute this command. Replace NAME with your instance name (broken system) and DISK with the boot disk name and ZONE with the zone that the system is in:

Make sure that the previous command did not report an error.

STEP 5:

Now we will attach this disk to the new instance that you created.

Make sure that the repair instance is running before attaching the second disk. Sometimes an instance can get confused on which disk to boot from if more than one disk is bootable.

Go to Compute Engine -> VM instances. Click on your instance. Click Edit. Under “Additional disks” click “Add item”. For name enter/select the disk that you detached from your broken instance. Click Save.

STEP 6:

SSH into your new instance with both disks attached.

STEP 7:

Follow these steps carefully. We will mount the second disk to the root file system. Then change the contents of /mnt/repair/etc/ufw/ufw.conf to disable the firewall.

  • Become superuser. Execute sudo -s
  • Execute df. Make sure that /dev/sdb1 is not mounted.
  • Create a directory for the mountpoint: mkdir /mnt/repair
  • Mount the second disk: mount /dev/sdb1 /mnt/repair
  • Change directories: cd /mnt/repair/etc/ufw
  • Edit ufw.conf
  • Change ENABLED=yes to ENABLED=no
  • Shutdown the repair system: halt
STEP 8:

Now reverse the procedure and move the second disk back to your original instance and reattach using the command below. Then start your instance and connect via SSH.

Note: To reattach the boot disk you have to use gcloud with the -boot option.