Set Up a Basic Iptables Firewall on Amazon Linux AMI


How To Set Up a Basic Iptables Firewall on Amazon Linux AMI

How do I set up a basic iptables firewall on Amazon Linux AMI running on an EC2 or Lightsail instance? AWS (Amazon Web Services) has its own Linux distribution called Amazon Linux AMI. It is largely binary compatible with CentOS Linux, with all necessary packages updated to the latest version. This page explains how to set up a basic iptables based firewall on Amazon Linux.

The procedure for setting up a basic firewall on Amazon Linux AMI is as follows:

1. Log in to your Lightsail/EC2 instance using the ssh command.
2. Switch to the root user by typing the sudo -i command.
3. Create a file named /etc/sysconfig/iptables.
4. Open or close ports and set other options as per your needs.
5. Enable iptables at boot time: sudo chkconfig iptables on
6. Start the iptables service: sudo service iptables start

Do I genuinely need iptables based firewall settings for EC2 and Lightsail instance powered by Amazon Linux AMI?

The short answer is it depends upon your needs.

Long answer: Both EC2 and Lightsail VMs come with a cloud-based firewall. When you create an AWS Lightsail instance/VM, some network ports are open by default. When a port is open, your instance can accept public network connections. The Lightsail firewall, however, only lets you open or close a port such as 22; it does not let you restrict the source IP address that may reach the ssh port (or any other port). The EC2 firewall (security groups), by contrast, does allow us to specify a source or destination for the traffic. Here is a sample from the Lightsail instance firewall settings:



Sample /etc/sysconfig/iptables

As you can see, the firewall is minimal and does not provide an option to set the source or destination IP address for Lightsail instances. Therefore, setting up a basic iptables firewall is a good idea on Amazon Linux AMI.

Type the following command:

sudo vi /etc/sysconfig/iptables

Append the following:

*filter
# Deny all inbound traffic
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
# Accept all outbound traffic
:OUTPUT ACCEPT [0:0]
# Accept already connected sessions
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept all loopback
-A INPUT -i lo -j ACCEPT
# Open https/http port from anywhere
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# Accept ssh port from anywhere
# -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Accept ssh port from only your static IP address such as 1.2.3.4
-A INPUT -m state --state NEW -m tcp -p tcp -s 1.2.3.4 --dport 22 -j ACCEPT
# Multiple IPs are also allowed
-A INPUT -m state --state NEW -m tcp -p tcp -s 202.53.1.2,93.1.2.3 --dport 22 -j ACCEPT
# Deny from specific IP address
# (rules are evaluated top to bottom, so place a DROP like this above the
#  ACCEPT rules it is meant to override, otherwise the earlier ACCEPT wins)
#-A INPUT -m state --state NEW -s 1.2.3.4 -j DROP
COMMIT

Enable iptables service

Run the following chkconfig command:

sudo chkconfig iptables on

Start iptables service

Execute the following service command to start iptables service on Amazon Linux AMI:

sudo service iptables start
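The rules file above hard-codes the ssh allowlist. The following added example (this is example code written for this article, not part of the original tutorial or of Amazon Linux) generates /etc/sysconfig/iptables in the same format from two parameters, and refuses to emit a ruleset whose INPUT policy is DROP while the ssh allowlist is empty, which is the classic way to lock yourself out of a remote instance. The function name gen_iptables_rules, the literal word any, and the sample addresses are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original article: build an
# /etc/sysconfig/iptables ruleset (iptables-save format) from a list of
# public TCP ports and an ssh source allowlist, with a lockout guard.

# gen_iptables_rules PUBLIC_PORTS SSH_SOURCES
#   PUBLIC_PORTS : comma-separated TCP ports open to the world, e.g. "80,443"
#   SSH_SOURCES  : comma-separated source addresses/CIDRs allowed to reach
#                  tcp/22, or the literal word "any" to open ssh from anywhere
# Prints the ruleset on stdout. Returns 1 and prints nothing on stdout when
# the ssh allowlist is empty: with ":INPUT DROP" that file would cut off the
# administrator's own ssh session on the next restart.
gen_iptables_rules() {
    ports=$1
    ssh_src=$2

    if [ -z "$ssh_src" ]; then
        echo "refusing: ssh allowlist is empty; INPUT DROP would lock you out" >&2
        return 1
    fi

    echo "*filter"
    echo "# Deny all inbound traffic"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo "# Accept all outbound traffic"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "# Accept already connected sessions"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "# Accept all loopback"
    echo "-A INPUT -i lo -j ACCEPT"

    # One ACCEPT rule per public port (same rule shape as the article's file).
    echo "# Public services, open from anywhere"
    printf '%s\n' "$ports" | tr ',' '\n' | while read -r p; do
        [ -n "$p" ] || continue
        echo "-A INPUT -m state --state NEW -m tcp -p tcp --dport $p -j ACCEPT"
    done

    if [ "$ssh_src" = "any" ]; then
        echo "# ssh from anywhere (explicitly requested)"
        echo "-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT"
    else
        # One rule per allowed source; a single -s per rule is what
        # iptables-save itself emits, so the file round-trips cleanly.
        echo "# ssh only from the allowlisted sources"
        printf '%s\n' "$ssh_src" | tr ',' '\n' | while read -r s; do
            [ -n "$s" ] || continue
            echo "-A INPUT -m state --state NEW -m tcp -p tcp -s $s --dport 22 -j ACCEPT"
        done
    fi
    echo "COMMIT"
}

# Example run with constructed (documentation-range) addresses:
#   gen_iptables_rules 80,443 203.0.113.10,198.51.100.0/24 > /tmp/iptables.new
# then review the file and install it as /etc/sysconfig/iptables before the
# chkconfig/service steps above.
```

Writing to a temporary file first and reading it back before copying it into place keeps the review step in the loop; the guard only catches the empty-allowlist case, not a typo in an address, so check that your own public address is among the -s sources before restarting the service.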

List iptables rules on Amazon Linux AMI

To print the active rules in iptables-save format (the same format as /etc/sysconfig/iptables):

sudo iptables -S

To print the rules as tables, optionally with numeric addresses and ports, packet/byte counters and rule numbers:

sudo iptables --list

sudo iptables -L

sudo iptables -L -n -v

sudo iptables -L -n -v --line-numbers

To print a single chain, pass the chain name (for example INPUT) to -S:

sudo iptables -S INPUT

To look at a table other than the default filter table (for example nat), pass its name with -t/--table:

sudo iptables --table nat --list

sudo iptables -t nat -L -n -v --line-numbers



A note about IPv6 firewall for Amazon Linux AMI

So far we have only covered IPv4. On Amazon Linux AMI, IPv6 filtering is configured separately from IPv4, through the ip6tables service and a file named /etc/sysconfig/ip6tables:

sudo vi /etc/sysconfig/ip6tables

Append the following config:

*filter
# Set default chain policies
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:100]
# Accept ongoing traffic for any existing connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept all ICMPv6 packets (IPv6 needs them for neighbour discovery)
-A INPUT -p ipv6-icmp -j ACCEPT
# Accept all traffic from/to loopback interface
-A INPUT -i lo -j ACCEPT
# Accept DHCPv6 traffic
-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
# Custom rules go here
# Open port 80, 443 and 22 for IPv6
# (add -s <your IPv6 prefix> to the port 22 rule to restrict ssh as in the IPv4 file)
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# Reject everything else
# The chain policies are ACCEPT, so these two catch-all rules must stay last;
# unmatched traffic is answered with an ICMPv6 "administratively prohibited"
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT

Save and close the file in vim. Turn on ip6tables service and start it:

sudo chkconfig ip6tables on

sudo service ip6tables start

List rules:

sudo ip6tables -L -n -v --line-numbers

sudo ip6tables -L -n -v

sudo ip6tables -S
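Listing the rules is only useful if you then check them. The following added example (written for this article; it is not part of the original tutorial, of iptables, or of Amazon Linux) reads the -S style output shown above, for either iptables or ip6tables, and reports two things worth catching after the service has started: an INPUT chain that is not default-deny (neither a DROP policy as in the IPv4 file nor a trailing catch-all REJECT/DROP as in the IPv6 file), and an ACCEPT for tcp/22 that carries no -s restriction. The function names audit_input_rules and sample_dump, and the sample dump itself, are this example's own constructions.

```shell
#!/bin/sh
# Added example, not from the original article: audit "iptables -S" /
# "ip6tables -S" output for two common mistakes in a basic host firewall.

# audit_input_rules < dump
# Reads a -S style dump on stdin, prints one FINDING line per problem, and
# returns the number of findings as its exit status (0 means clean).
audit_input_rules() {
    awk '
        # "-P INPUT <policy>" records the default policy of the INPUT chain
        $1 == "-P" && $2 == "INPUT" { policy = $3 }

        $1 == "-A" && $2 == "INPUT" {
            # A rule with no match options at all ("-A INPUT -j REJECT ...")
            # is a catch-all; with a DROP/REJECT target it makes the chain
            # default-deny even when the policy is ACCEPT.
            if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) terminal = 1

            has_src = 0; is_ssh = 0; accept = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-s") has_src = 1
                if ($i == "--dport" && $(i + 1) == "22") is_ssh = 1
                if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
            }
            if (is_ssh && accept && !has_src) {
                print "FINDING: tcp/22 accepted from any source: " $0
                n++
            }
        }

        END {
            if (policy != "DROP" && !terminal) {
                print "FINDING: INPUT is not default-deny (policy " policy ", no catch-all DROP/REJECT)"
                n++
            }
            exit n
        }
    '
}

# Constructed sample shaped like "iptables -S" on a misconfigured host:
# ACCEPT policy with no catch-all, and ssh open to the world.
sample_dump() {
    cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
EOF
}

# Run against the constructed sample. On a real instance use:
#   sudo iptables -S  | audit_input_rules
#   sudo ip6tables -S | audit_input_rules
if sample_dump | audit_input_rules; then
    echo "no findings"
fi
```

Against the page's own IPv6 file the audit reports the unrestricted tcp/22 rule but not the ACCEPT policy, because the trailing REJECT rules make the chain default-deny; against the IPv4 file it reports nothing.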



Conclusion

This page explained how to set up a basic IPv4 and IPv6 iptables firewall for Amazon Linux AMI. Even though Amazon offers a cloud-based firewall, it is a good idea to set up a default firewall to avoid accidental exposure of ports and services to the Internet. Of course, this is not a complete tutorial as we only covered basic stuff. Please see the following links for more info: