How do I set up a basic iptables firewall on Amazon Linux AMI running on EC2 or Lightsail instance?
AWS (Amazon Web Services) has its own Linux distribution called Amazon Linux AMI. It is chiefly binary compatible with CentOS Linux, with all necessary packages updated to the latest version. This page explains how to set up a basic iptables based firewall on Amazon Linux.
How To Set Up a Basic Iptables Firewall on Amazon Linux AMI
The procedure for setting up a basic firewall on Amazon Linux AMI is as follows:
- Login to your Lightsail/EC2 instance using ssh command.
- Switch to the root user by typing sudo -i command.
- Create a file named /etc/sysconfig/iptables
- Open or close ports and other options as per your needs
- Enable the iptables at boot time, execute: sudo chkconfig iptables on
- Start the iptables service, run: sudo service iptables start
Do I genuinely need iptables based firewall settings for EC2 and Lightsail instance powered by Amazon Linux AMI?
The short answer is it depends upon your needs.
Long answer: Both EC2 and Lightsail VM come with a cloud-based firewall. When you create an AWS Lightsail instance/VM, some network ports are open by default. When a port is open, your instance can accept public network connections. For example, you can either open port 22 or close port 22, but you can not specify the source IP address to control access ssh port 22 or any other ports. However, the EC2 firewall allows us to set up a source or destination for the traffic. Here is a sample from Lightsail instance firewall settings:
As you can see, the firewall is minimal and does not provide an option to set up the source or destination IP address for Lightsail instances. Therefore, setting up a basic iptables is a good idea on Amazon Linux AMI.
Type the following command:
sudo vi /etc/sysconfig/iptables
Append the following:
*filter # Deny all inbound traffic :INPUT DROP [0:0] :FORWARD DROP [0:0] # Accept all outbound traffic :OUTPUT ACCEPT [0:0] # Accept already connected sessions -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Accept all loopback -A INPUT -i lo -j ACCEPT # Open https/http port from anywhere -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT # Accept ssh port from anywhere # -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT # Accept ssh port from only your static IP address such as 18.104.22.168 -A INPUT -m state --state NEW -m tcp -p tcp -s 22.214.171.124 --dport 22 -j ACCEPT # Multiple IPs are also allowed -A INPUT -m state --state NEW -m tcp -p tcp -s 126.96.36.199,188.8.131.52 --dport 22 -j ACCEPT # Deny from specific IP address #-A INPUT -m state --state NEW -s 184.108.40.206 -j DROP COMMIT
Enable iptables service
Run the following chkconfig command:
sudo chkconfig iptables on
Start iptables service
Execute the following service command to start iptables service on Amazon Linux AMI:
sudo service iptables start
List iptables rules on Amazon Linux AMI
sudo iptables -S
sudo iptables --list
sudo iptables -L
sudo iptables -L -n -v
sudo iptables -L -n -v --line-numbers
sudo iptables -S TABLE_NAME
sudo iptables --table NameHere --list
sudo iptables -t NameHere -L -n -v --line-numbers
A note about IPv6 firewall for Amazon Linux AMI
Please note that we learned about IPv4 security. In Amazon Linux AMI, IPv6 security is maintained separately from IPv4 using a file named /etc/sysconfig/ip6tables:
sudo vi /etc/sysconfig/ip6tables
Append the following config:
*filter # Set default chain policies :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [1:100] # Accepts ongoing traffic for any existing connections -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # Accept all ICMP packets -A INPUT -p ipv6-icmp -j ACCEPT # Accept all traffic from/to loopback interface -A INPUT -i lo -j ACCEPT # Accept DHCPv6 traffic -A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT # Custom rules go here # Open port 80, 443 and 22 for IPv6 -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT # Drop everything else # We reject all traffic that didn't match a rule, using "port unreachable" -A INPUT -j REJECT --reject-with icmp6-adm-prohibited -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited COMMIT
Save and close the file in vim. Turn on ip6tables service and start it:
sudo chkconfig ip6tables on
sudo service ip6tables start
sudo ip6tables -L -n -v --line-numbers
sudo ip6tables -L -n -v
sudo ip6tables -S
This page explained how to set up a basic IPv4 and IPv6 iptables firewall for Amazon Linux AMI. Even though Amazon offers a cloud-based firewall, it is a good idea to set up a default firewall to avoid accidental exposure of ports and services to the Internet. Of course, this is not a complete tutorial as we only covered basic stuff. Please see the following links for more info: