Ao usar o AWS re:Post, você concorda com os AWS re:Post Termos de uso
AWS re:Postre:Post

IPTABLES - Unexpected traffic - EC2 - Should I configure IPTABLES on instance command line?

0

Hi there. I'm migrating on-premise server running MySQL to a new EC2 instance (Amazon Linux 2). I'm trying to move IPTABLES configuration to EC2 as well, but I see unexpected traffic being blocked by IPTABLES. I'm starting to suspect that AWS ping the EC2 instance on time basis for monitoring and thus has being causing these unexpected traffic. Is that right ?

I know firewall rules can be configure when lunching EC2 instance, but I'd like to know whether is a good practice to define IPTABLES on instance command lines. Does IPTABLES configuration compromises AWS to monitor instances?

Should I configure IPTABLES on EC2 instances?

Thanks, Marcelo Maciel

  • Marcelo
    há 4 meses

    Shibata/Didier. Thanks for you replies

    It's clear for me now. Thanks!

    All thouse unexpected traffic I questioned earlier were generated by "EC2 Instance Connect" and instance metadata endpoint.

    Another question: does Security Groups process its filtering at instance level? Does Security consume ane instance resource ?

Tópicos
Computação
Tags
Amazon EC2Amazon LinuxMonitoramento
Idioma
English
Marcelo
feita há 4 meses326 visualizações
3 Respostas
0

I prefer to use Security Groups to protect EC2 from external communication.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html

I can't find the documentation, but EC2 stats checks should work fine even if all packets are droped using iptables. However, I don't know about other services.

profile picture
ESPECIALISTA
shibata
respondido há 4 meses
profile pictureAWS
ESPECIALISTA
Didier_Durand
avaliado há 4 meses
  • Didier_Durand ESPECIALISTA
    há 4 meses

    Hi, I agree with Shibata that sec groups should be used as much as possible because it brings many advantages. But, I also agree on the fact that iptables cannot be fully fully replicated with sec group for sophisticated rules. So, I'd suggest to do as much as possible with sec group and complements with iptables

0

Hi Shibata. Thanks for your reply!

Security Groups is not a bad option, but it can't replace IPTABLES in full. It's only possible to create complex rules (using states and expressions) with IPTABLES.

It's not clear to me whether IPTABLES rules prevent any AWS functionaly to work

Marcelo
respondido há 4 meses
0

So far, I think I should combine both IPTABLES and Security Groups.

For example, on Security Groups I would allow traffic on 22 and 3306 ports. On IPTABLES I would allow all traffic, but drop those with bad flags.

In other words, on Security Groups I could configure what is allowed and on IPTABLES I could configure how its allowed

Marcelo
respondido há 4 meses

Você não está conectado. Fazer login para postar uma resposta.

Uma boa resposta responde claramente à pergunta, dá feedback construtivo e incentiva o crescimento profissional de quem perguntou.

Diretrizes para responder a perguntas

Conteúdo relevante