I'd like my EC2 instance to have IAM-based permissions, but I don't want the Docker containers on that instance to have the same permissions. I believe it should be sufficient to block access to the magic IP 169.254.169.254. Is it sufficient to run:
iptables -I DOCKER -s 169.254.169.254 -j DROP
Do I also need to configure my docker daemon with --icc=false or --iptables=false?
Finally got this working; you need to add this rule on the host machine:
1) Drop docker bridge packets when outbound to 169.254.169.254 port 80 or 443.
sudo iptables -I FORWARD -i docker0 -d 169.254.169.254 \
-p tcp -m multiport --dports 80,443 -j DROP
Now, if I try to connect inside the container:
$ sudo docker run -it ubuntu bash
root@8dc525dc5a04:/# curl -I https://www.google.com
HTTP/1.1 200 OK
root@8dc525dc5a04:/# curl -I http://169.254.169.254/
# <-- hangs indefinitely, which is what we want
Connections to the special IP still work from the host machine, but not from inside containers.
Note: my use case is for Google Compute Engine and prevents Docker containers from accessing the metadata server on 169.254.169.254, while still allowing DNS and other queries against that same IP. Your mileage may vary on AWS.
I would recommend the following variation on the accepted answer:
sudo iptables \
--insert DOCKER-USER \
--destination 169.254.169.254 \
--jump REJECT
The reason for this is that the above command adds the rule to the DOCKER-USER chain, which Docker is guaranteed not to modify.
Sources:
https://ops.tips/blog/blocking-docker-containers-from-ec2-metadata/
https://docs.docker.com/network/iptables/
I tested AWS EC2 Amazon Linux and Ubuntu 18.04.
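The two answers above block metadata traffic in different places (a FORWARD rule keyed on the docker0 interface, or a DOCKER-USER rule keyed on the destination), and the question's own rule used -s where -d was needed. The following audit script is an added example, not code from either answer or from Docker: it parses the rule-spec output of iptables -S, walks a chain the way a packet from the Docker bridge to 169.254.169.254 would, and reports whether a DROP/REJECT is hit before a RETURN or ACCEPT. The four dumps are constructed samples; the default bridge subnet 172.17.0.0/16 and the live_dump helper are assumptions.

```python
"""Audit iptables rule dumps for a working metadata-IP block from Docker containers.

Added example, not from the original answers. Parses the `iptables -S <chain>`
rule-spec format; the dumps below are constructed samples, not captured output."""
import ipaddress
import shlex
import subprocess

METADATA_IP = ipaddress.ip_address("169.254.169.254")

# Constructed: DOCKER-USER after the second answer's rule was inserted.
DUMP_DOCKER_USER_BLOCKED = """\
-N DOCKER-USER
-A DOCKER-USER -d 169.254.169.254/32 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -j RETURN
"""

# Constructed: a stock Docker host, nothing blocked.
DUMP_DOCKER_USER_DEFAULT = """\
-N DOCKER-USER
-A DOCKER-USER -j RETURN
"""

# Constructed: the question's original rule. It matches packets *from* the
# metadata IP rather than *to* it, so outbound requests are never dropped.
DUMP_WRONG_DIRECTION = """\
-N DOCKER-USER
-A DOCKER-USER -s 169.254.169.254/32 -j DROP
-A DOCKER-USER -j RETURN
"""

# Constructed: FORWARD after the first answer's `iptables -I FORWARD ...` rule.
DUMP_FORWARD_BLOCKED = """\
-P FORWARD DROP
-A FORWARD -i docker0 -d 169.254.169.254/32 -p tcp -m multiport --dports 80,443 -j DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
"""

_KEYS = {"-s": "src", "--source": "src", "-d": "dst", "--destination": "dst",
         "-i": "in", "--in-interface": "in", "-j": "target", "--jump": "target"}


def parse_rules(dump, chain):
    """Yield the `-A <chain>` rules of a `-S` dump in order, as small dicts."""
    for line in dump.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A" or tok[1] != chain:
            continue
        rule = {"src": None, "dst": None, "in": None, "target": None, "negated": False}
        i, neg = 2, False
        while i < len(tok):
            if tok[i] == "!":                 # negated match follows
                neg, i = True, i + 1
                continue
            key = _KEYS.get(tok[i])
            if key is not None and i + 1 < len(tok):
                rule[key] = tok[i + 1]
                rule["negated"] |= neg
                i += 2
            else:
                i += 1                        # -p, -m multiport, --dports ... are ignored
            neg = False
        yield rule


def metadata_blocked(dump, chain="DOCKER-USER", bridge="docker0", bridge_net="172.17.0.0/16"):
    """True if a packet from the Docker bridge to the metadata IP hits DROP/REJECT
    in `chain` before any ACCEPT/RETURN ends evaluation. Falling off the end of
    the chain is reported as not blocked (the audit is deliberately conservative)."""
    containers = ipaddress.ip_network(bridge_net)
    for r in parse_rules(dump, chain):
        if r["negated"]:
            continue                          # negated matches are not trusted as hits
        if r["src"] is not None and not containers.subnet_of(ipaddress.ip_network(r["src"], strict=False)):
            continue                          # source restriction excludes container traffic
        if r["in"] not in (None, bridge):
            continue
        if r["dst"] is not None and METADATA_IP not in ipaddress.ip_network(r["dst"], strict=False):
            continue
        if r["target"] in ("DROP", "REJECT"):
            return True
        if r["target"] in ("ACCEPT", "RETURN"):
            return False
        # a jump to another user chain may return; keep walking
    return False


def live_dump(chain):
    """Read the live chain with `iptables -S <chain>` (needs root; assumption: iptables in PATH)."""
    return subprocess.run(["iptables", "-S", chain], check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for chain in ("DOCKER-USER", "FORWARD"):
        print(chain, "blocks metadata:", metadata_blocked(live_dump(chain), chain=chain))
```

Run it on the host after applying either answer's rule; both chains are checked because the first answer's rule lives in FORWARD and the second's in DOCKER-USER. Note that the audit only proves the filter rule is reachable; it does not tell you whether an ACCEPT in an earlier chain or a NAT rule bypasses it, so keep the rule at the top of DOCKER-USER as the second answer recommends.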
Tomcat is reachable from localhost:8081, but not from outside network
After pulling the tomcat image
docker pull tomcat
Then running a container with port mapping:
docker run -d --name container-test -p 8081:8080 tomcat
The Tomcat web page is not accessible; it says:
This site can’t be reached 13.49.148.112:8081 took too long to respond.
But if I do it this way, it works fine.
docker run -d --name container-test2 -p 8080:8080 tomcat
I opened ALL ALL ALL in the AWS security groups.
netstat shows that the ports are listening correctly.
ACLs are at the default rule 100, allowing everything.
I also ran nmap against it and found out the port is filtered:
$ nmap -p8081 172.217.27.174
PORT STATE SERVICE
8081/tcp filtered blackice-icecap
Tried to add a rule to iptables but no luck:
iptables -I INPUT 3 -s 0.0.0.0/0 -d 0.0.0.0/0 -p tcp --dport 8081 -m state --state New -j ACCEPT
What can be done?
UPDATE:
Spent 2 good days trying to solve the issue with Amazon Linux 2, but no success at all; switched to Ubuntu 22.04 and it's working. Also, the same setup works on a different AMI image in the Mumbai region, hence there is a high chance the image is faulty in the Stockholm region specifically.
It could be one of these:
check the port mappings of the container in your task definition
check the entries of the NACL (network access control list) of your subnet (check if it's public)
check if you allowed the traffic in the security group for your IP or 0.0.0.0/0
I'm running the community OpenVPN server (on a CIS Level 1 RHEL 7 instance), which I can connect to from my laptop without any issue. While connected, I can SSH to the OpenVPN server instance using the private IP, but not to anything else at all, not even a different instance in the same subnet. Say my VPN server is in the 10.100.0.0/28 subnet, the VPN client subnet is 192.168.10.0/24, and I want to SSH to an instance in 10.100.0.16/28. This is the part I have in the server config:
push "redirect-gateway def1 bypass-dhcp"
push "route 10.100.0.16 255.255.255.240"
push "route 10.100.0.32 255.255.255.240"
;push "route 10.100.0.0 255.255.240.0"
route 10.100.0.16 255.255.255.240
route 10.100.0.32 255.255.255.240
;route 10.100.0.0 255.255.240.0
server 192.168.10.0 255.255.255.0
I have added these iptables rules to allow the VPN traffic:
## allow udp 1194
iptables -A INPUT -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT -i eth0
## Allow TUN interface
iptables -A INPUT -i tun+ -j ACCEPT
## Allow TUN connections to be forwarded
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
## NAT the VPN client traffic to the Internet
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE
## default TUN OUTPUT
iptables -A OUTPUT -o tun+ -j ACCEPT
Apart from that, I also:
added net.ipv4.ip_forward = 1 to /etc/sysctl.conf
disabled the source/destination check on the VPN instance
added a static route to the VPC route table with Destination: 192.168.10.0/24, targeting the ENI attached to the VPN instance
added an ingress rule in the target instances' SG to allow the vpn-client subnet on port 22
There is no NACL involved yet (but I have to enable that at some point).
What else didn't I do, or do wrong? I'm really stuck and know I'm missing something really silly. Could anyone shed some light or point me in the right direction please?
-S
Figured out why it was not working. These two lines:
route 10.100.0.16 255.255.255.240
route 10.100.0.32 255.255.255.240
in the config file were causing the issue. Without those, it's forwarding the traffic downstream without any issue. I'm a bit confused though by the OpenVPN documentation on route ... and push "route ...", so not really sure why those two lines were causing the connection issue. So, if anyone can shed some light on that, it will be very much appreciated.
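The following linter is an added example, not part of the post and not an OpenVPN tool. It applies the documented distinction between the two directives: push "route ..." is sent to clients and makes the client send that network into the tunnel, while a bare route ... on the server adds a kernel route on the server itself via the tun device, which is only correct for a network that sits behind a connected client and is claimed with iroute in that client's client-config-dir file. The script parses the posted config (embedded as a constructed sample) and flags server-side route lines with no matching iroute; the iroutes argument is a hypothetical input, since the post has no ccd files.

```python
"""Lint an OpenVPN server config for server-side `route` directives that point
into the tunnel without any client claiming the network.

Added example, not from the original post or OpenVPN. The config below is a
constructed copy of the one in the post."""
import ipaddress
import shlex

# Constructed sample: the server.conf fragment from the post above.
SERVER_CONF = """\
push "redirect-gateway def1 bypass-dhcp"
push "route 10.100.0.16 255.255.255.240"
push "route 10.100.0.32 255.255.255.240"
;push "route 10.100.0.0 255.255.240.0"
route 10.100.0.16 255.255.255.240
route 10.100.0.32 255.255.255.240
;route 10.100.0.0 255.255.240.0
server 192.168.10.0 255.255.255.0
"""

# Constructed: the same config with the two server-side `route` lines removed,
# which is what the poster found to work.
FIXED_CONF = "\n".join(l for l in SERVER_CONF.splitlines() if not l.startswith("route ")) + "\n"


def _net(addr, mask):
    """Build a network from OpenVPN's `address netmask` pair."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_conf(text):
    """Return (vpn_pool, pushed_routes, server_routes) as ip_network objects.
    Lines starting with ';' or '#' are comments, as in OpenVPN."""
    pool, pushed, server_routes = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        tok = shlex.split(line)
        if tok[0] == "server" and len(tok) >= 3:
            pool = _net(tok[1], tok[2])
        elif tok[0] == "route" and len(tok) >= 3:
            server_routes.append(_net(tok[1], tok[2]))        # kernel route on the server, via tun
        elif tok[0] == "push" and len(tok) >= 2:
            inner = shlex.split(tok[1])                       # the quoted option sent to clients
            if inner and inner[0] == "route" and len(inner) >= 3:
                pushed.append(_net(inner[1], inner[2]))
    return pool, pushed, server_routes


def lint(text, iroutes=()):
    """Return a list of findings. `iroutes` (hypothetical input) lists networks
    claimed by clients through `iroute` lines in client-config-dir files."""
    pool, _pushed, server_routes = parse_conf(text)
    claimed = [ipaddress.ip_network(n) for n in iroutes]
    findings = []
    for net in server_routes:
        if pool is not None and net.overlaps(pool):
            findings.append(f"route {net} overlaps the VPN pool {pool}")
            continue
        if not any(net.subnet_of(c) for c in claimed):
            findings.append(
                f"route {net}: server-side route with no matching iroute; the server will "
                f"send traffic for {net} into the tun device instead of its LAN interface. "
                f"If {net} is reachable from the server directly, keep only "
                f'push "route {net.network_address} {net.netmask}".'
            )
    return findings


if __name__ == "__main__":
    for name, conf in (("posted", SERVER_CONF), ("fixed", FIXED_CONF)):
        print(name, "->", lint(conf) or "no findings")
```

On the posted config the linter reports both route lines: the two /28 networks are in the server's own VPC, reachable through eth0, so a more specific kernel route via tun0 diverts the SSH replies toward the VPN clients, which is consistent with the symptom in the self-answer. The pushed routes alone are what the clients need.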
I have a Linux AWS instance. I am running the following script on it:
#!/usr/bin/env bash
#This script installs java, sbt and the application
#Run this script on a new EC2 instance as the user-data script, which is run by `root` on machine start-up.
sudo yum update -y
sudo yum install -y docker
sudo service docker start
docker run repo/carrie
Everything installs and I get the below message in the logs:
REST interface bound to /0.0.0.0:8080
However when I try to actually access the port like so:
curl 0.0.0.0:8080
I get the below message:
Failed to connect to 0.0.0.0 port 8080: Connection refused
I have tried editing the inbound rules so that 8080 is open but it doesn't seem to work. Maybe because I'm editing the rules after the instance has already launched?
You have to publish the container's port to the host in the docker run command:
$ docker run --help
...
-p, --publish list Publish a container's port(s) to the host
...
The last line of your script should look like this if the process in the container listens on port 80:
docker run -p 8080:80 repo/carrie
The container gets its own network interface, hence the host's 0.0.0.0 is not applicable.
Tell Docker to bind container port 8080 out to the host:
docker run -p 8080:8080 repo/carrie
I have an RDS instance with a MySQL database which can only be accessed by an EC2 instance running in AWS. Now I want to access my RDS instance from my local machine using SSH tunneling. I searched a lot on the net but none of the solutions worked. Can anyone please tell me how to do it step by step with a working solution?
Any help will be highly appreciated!
I tried to run -
ssh -i myNewKey.pem -N -L 3306:myredinstance:3306 ec2-user@myec2-instance
mysql -u dbauser -p -h 127.0.0.1 on the mysql-js utility, and it gave me an error. Please see below:
You can do it by setting up an SSH tunnel:
ssh -i /path/to/key -N -L 3306:an_rds_endpoint:3306 user@yourserver.com
Then connect locally:
mysql -u myuser -p -h 127.0.0.1
I have set up an Amazon EC2 server, but I want to open ports 2195 and 443.
I already added the ports to the security group in the Amazon console.
When I list listening ports using
netstat -anltp | grep LISTEN
I get only two ports, 23 and 80.
I also checked whether the Ubuntu firewall is blocking them or not.
Please help me.
After you add the ports in the EC2 Security Group, they are ready to be used by any process. Restarting your EC2 instance is also not needed.
netstat -anltp | grep LISTEN
will start showing the new ports as soon as a process that LISTENs on them is started.
Just restart the EC2 instance and check it, and make sure you have saved the security group settings after adding the new ports.
iptables -A INPUT -p tcp -d 0/0 -s 0/0 --dport PORT_NO_U_WANTED_TO_OPEN -j ACCEPT
Try this.
You can disable iptables on EC2 because there is a security group in the console to limit open ports, but here is my solution if you still want to use it:
manually edit the file /etc/sysconfig/iptables with the following steps
flush the iptables rules
iptables -F
edit the file
nano /etc/sysconfig/iptables
add your port and make sure the line looks like
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
and not
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
save and restart iptables
service iptables save
service iptables restart