EC2 Block All Outbound calls - amazon-ec2

I have an EC2 VM; it is a CentOS machine that I exported from a VMware instance. The security group associated with this VM is the default security group. This default security group has only inbound settings enabled; I cannot edit the outbound settings of that group (they are displayed as disabled in the EC2 dashboard), not sure why.
What I am trying to do is block all outbound calls from within the machine. I have an application and am trying to simulate running it in an offline environment where it can accept calls from outside the VM but cannot make any calls outside the VM.
Is there a way to achieve this in an EC2 VM? I am not sure what information I can provide at this point so I can get the best help, so please ask me for any additional information.
iptables is currently stopped in the VM; if I start it, it will block all inbound calls to the VM and I won't be able to hit the application (it is a web app).
Here is the output of iptables -L:
[root@ip-10-154-146-78 app_module]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

If you are using EC2-Classic, you can't change the outbound rules. Only EC2-VPC allows you to configure the outbound traffic in the security group. Also, security group rules are always permissive; you can't create rules that deny access. Please look into using a network ACL in EC2-VPC. It supports both allow rules and deny rules for inbound/outbound traffic. However, it operates at the subnet level instead of the instance level. If you launch only one instance in your VPC subnet and configure the ACL accordingly, it should meet your requirement to simulate your test case. Using iptables is also an option. You can see a tutorial at http://www.cyberciti.biz/tips/linux-iptables-11-how-to-block-or-open-httpweb-service.html on how to allow http/https access using iptables.
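The iptables option in the answer above, worked through as an added example (this is not code from the original question or answer). The ruleset keeps SSH and the web app reachable from outside and lets replies to those connections back out, but refuses every connection the VM itself initiates, which is the "offline" behaviour the question asks for. It assumes the app listens on TCP 80 (APP_PORT is an assumption), that the VM is CentOS with the classic iptables service scripts, and that rules are only applied when APPLY=1 is set explicitly; otherwise the ruleset is just printed for review.

```shell
#!/bin/sh
# Added example (not from the original post): keep inbound services reachable,
# block all connections the VM originates. APP_PORT=80 is an assumption.
APP_PORT="${APP_PORT:-80}"

# Emit the ruleset in iptables-restore format so it can be reviewed (or
# checked without root) before it is loaded into the kernel.
outbound_lockdown_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is needed by most local services (databases, app servers)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections that arrived from outside may leave again;
# because OUTPUT only accepts RELATED/ESTABLISHED, the VM cannot open a
# NEW connection to anything (no DNS, no package updates, no callbacks)
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# inbound services that stay reachable from outside the VM
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport ${APP_PORT} -m state --state NEW -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# record what the application tries to call out to, then refuse it fast
-A OUTPUT -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "OUTBOUND-BLOCKED: "
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Apply only when explicitly requested and running as root; otherwise print.
if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
  outbound_lockdown_rules | iptables-restore
  # persist across reboots on CentOS 6 style systems (assumption: the
  # iptables service scripts are installed, as on the poster's VM)
  service iptables save
else
  outbound_lockdown_rules
fi
```

Load it with `APPLY=1 sh lockdown.sh` from an SSH session, then confirm the behaviour from inside the VM: `curl -m 5 http://example.com/` should fail immediately with "host prohibited" and a matching OUTBOUND-BLOCKED line appears in `/var/log/messages`, while requests from outside to port 80 keep working. The kernel log is the useful part for the test case, since it lists every outbound call the application attempts.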

Related

Not able to access EC2 instance in same VPC via private IP

I have 2 EC2 instances (one Windows and one Linux) in the same subnet. I am trying to access one instance from another via private IP but I am not able to do so.
In security groups, both instances belong to the same security group, and the security group allows all traffic from the same security group.
I am not even able to ping one instance from another using the private IP address.
Any pointers on what could be wrong here?
By default the Windows firewall will deny all inbound requests (including ping), but the firewall also contains a list of Exceptions (otherwise it would block everything!). Those Exceptions are a set of rules that describe what connections should be allowed in out-of-the-box.
To allow any additional connections, you just add a new rule to the firewall. There is a wizard in the Windows Firewall GUI for viewing and creating rules, but I find it easier to use a PowerShell one-liner like this to allow ping:
New-NetFirewallRule -DisplayName "Inbound LAN Ping" -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -RemoteAddress 192.168.1.0/24 -Action Allow
The above will allow any IPs between 192.168.1.1 ... 192.168.1.255 to send ping requests to your Windows host (all other RemoteAddress values will still be ignored). I'm assuming here your Linux machine's IP is for example 192.168.1.1 and your Windows machine's IP is 192.168.1.123.
As a rule of thumb, you should only open up the minimal number of ports, to as few IPs/IP ranges as possible.
This will likely be the result of Windows firewall being enabled, with default settings it will block ping access (among other things).
Disabling it should enable inbound/outbound access to work for ping. This is a temporary measure and should not be considered a permanent workaround.
You should enable whitelisting in the Windows firewall to allow the ports you would like inbound or outbound to have network access to/from other resources within the network.
More information is available in this link.

Azure Load Balancer (Standard SKU) - how to enable outbound ICMP traffic (make ping work)?

For networking I'm using the new Standard SKU (Load balancer, Public IP addresses, etc.). By default everything is disabled for the Public IP Address Standard SKU.
I added the following and got TCP outbound connectivity:
1. NSG - enabled all outbound traffic
2. Load balancer rule - rule for Tcp & disabled SNAT
3. Outbound rule - for Tcp
Now when I remote to VMSS VM instance, I can open "google.com". But "ping google.com" keeps timing out.
I wonder what I should configure to enable ping/tracert to work (they are essential for my service offering)?
(First I created VMSS with default Basic Load Balancer - there everything works, including ping).
It turned out this is a limitation of the Load Balancer. According to the documentation it should apply to both Basic and Standard Load Balancers. For me, Basic does allow ICMP traffic and Standard does not.
This article suggests a few workarounds (using psping instead of ping): https://blogs.msdn.microsoft.com/mast/2014/06/22/use-port-pings-instead-of-icmp-to-test-azure-vm-connectivity/

How to redirect an outgoing traffic to another address?

I'd like to redirect specific outgoing TCP traffic to another address.
Say I have an application that tries to establish a connection to a server aaa.bbb.ccc.ddd:99999.
What I am trying to do is to redirect the application's outgoing traffic to another address (e.g., ddd.eee.fff.ggg:88888) without touching the application. Is this possible in Windows or Mac OS X?
Thanks
There are two cases here:
First, if you have an FQDN, it's easy: you just have to resolve it to a different IP via the local hosts file.
Second, if the application is trying to reach a specific IP address, it's not so simple, and I will mention a way to do it on the system and one without changing anything on the system.
Within the system you have to modify the local firewall. I will write you an example command for iptables, which works on Linux systems, but something equivalent you can apply with the software macOS (pf, see the edit at the end) and Windows have installed.
What I do below is NAT the IP I want to change to a new IP.
iptables -t nat -A OUTPUT -p tcp -d IP_YOU_WANT_REWRITE --dport PORT -j DNAT --to-destination NEW_IP:NEW_PORT
In case you don't want to mess with the host machine at all, you can apply a similar NAT rule on your gateway/router: you just NAT the IP you want to change to the new one in the router configuration and your host reaches the new one transparently.
edit: As far as I can see, the OS X equivalent to iptables is pf, so you need to write a similar rule using the nat command.
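The iptables rule from the answer above, wrapped as an added example (not the answer's own code) so the two addresses and ports are validated before the command is built, and so the matching delete command is produced for undoing the redirect later. Ports are checked against 1..65535; the question's example port 99999 is outside that range and would be refused here. The addresses in the usage lines are taken from the documentation range 203.0.113.0/24 and are constructed. The pf side for macOS is not shown, since its syntax for locally originated traffic differs.

```shell
#!/bin/sh
# Added example (not from the original answer): build, validate and undo the
# nat/OUTPUT DNAT rule for a single TCP destination.

# Accept only an integer in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;   # empty or contains a non-digit
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the iptables command for the given action (-A to add, -D to delete).
# nat/OUTPUT only sees packets this host originates itself; traffic routed
# through the host would need the same match in nat/PREROUTING instead.
dnat_cmd() {
  action=$1 old_ip=$2 old_port=$3 new_ip=$4 new_port=$5
  valid_port "$old_port" || { echo "bad port: $old_port" >&2; return 1; }
  valid_port "$new_port" || { echo "bad port: $new_port" >&2; return 1; }
  printf 'iptables -t nat %s OUTPUT -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
    "$action" "$old_ip" "$old_port" "$new_ip" "$new_port"
}

dnat_add()    { dnat_cmd -A "$@"; }
dnat_delete() { dnat_cmd -D "$@"; }

# Usage: print the commands; run them as root to apply. Afterwards the
# packet counters from 'iptables -t nat -vnL OUTPUT' show whether the
# application's connections actually hit the rule (constructed addresses).
dnat_add    203.0.113.10 9999 203.0.113.20 8888
dnat_delete 203.0.113.10 9999 203.0.113.20 8888
```

Two practical notes: the rule only matches when the application connects by IP address, so if it resolves a hostname first, the hosts-file approach from the answer's first case is the right tool; and because the match is on `-d` plus `--dport`, other traffic to the same host on other ports is left untouched.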

Restrict traffic to port forwarded host Mikrotik

Here's the scenario. I'm currently running a Mikrotik RB433AH for my router here at my office. I have several firewall rules setup and all is good. I am also configured for NAT. I'm at a point now where I need to retrieve data from a host located on the inside network "192.168.0.10", protocol TCP and port 502. I will be accessing this internal host from a server that is located in a remote location with a static IP address. I need to allow this IP and everything else will need to be denied.
I add my dst-nat rule and once again all is fine there. However, since adding a dst-nat rule I can access this internal host from the outside where I need to have this internal host only accessible from my equipment that is located at a datacenter.
From what I've read so far I do believe that NAT rules are processed first and then the firewall filter rules. So this explains why I'm able to access this device from the outside. How do I filter the outside world from accessing this device?
Do I need to add another rule perhaps on the filter rule for chain=forward ? I've read a lot of documentation thus far and now things are quite hazy so any help would be awesome at this point.
Thanks in advance!
T
Yes, you need to make a firewall rule, from a specific address, to your host, and accept it, and drop everything else... That can be done in a single rule, using the ! option.
/ip firewall filter
add chain=forward src-address=!EXTERNALSERVERIP dst-address=192.168.0.10 action=drop
After that change only your external server can access your local host.
You need to put this rule on top:
/ip firewall filter add chain=forward src-address=yourexternalipaddress dst-address=192.168.0.10 action=accept
Below that rule you need to do this block:
/ip firewall filter add chain=forward dst-address=192.168.0.10 action=drop
The explanation:
When the connection goes through the firewall filter rules, it will be checked by the first rule. If it matches, that rule will be executed; if not matched, it will be passed to the next rule.

VMware and iptables

Is there a problem using VMware on Windows to host a virtual linux box running iptables? I have a configuration that seems to work on physical hardware but is flaky under VMware.
I'm using VMware to run a virtual linux 2.6.24 machine on a Windows 2003 Server host. The linux application is essentially a NATting router that runs iptables. The rules in the nat table include:
Chain foo_pre
target prot opt in out source destination
LOG all -- * * 0.0.0.0/0 0.0.0.0/0 [options here]
LOG all -- * * 0.0.0.0/0 10.10.1.33 [options here]
DNAT all -- * * 0.0.0.0/0 10.10.1.33 tcp dpt:80 to:192.168.0.33:8080
Chain PREROUTING
target prot opt in out source destination
foo_pre all -- * * 0.0.0.0/0 0.0.0.0/0
I'm seeing the incoming packets to 10.10.1.33:80 using tcpdump, and the first LOG generates messages, but neither the DNAT nor the second LOG shows the packets registering on its packet counter, the second LOG generates no messages, and tcpdump doesn't show the packets to 192.168.0.33.
The eth0 adapter is on the 10.10.0.0/16 network with a default gateway of 10.10.1.1; it has a secondary address of 10.10.1.33/32. /proc/sys/net/ipv4/conf/eth0/forwarding is set to 1.
Is VMware the culprit, or am I missing something? Thanks!
Update: we've simplified the test environment. No NAT rules at all, just a linux VM running under a Win2k3 Server host. Test steps:
VM is bridged to host NIC. VM and host are on the same subnet, with the same default gateway as above.
VM communicates with devices both on and off its subnet: ICMP, TCP, UDP. Communication is bidirectional: it doesn't matter which equipment initiates it.
Engineer power-cycled the default gateway while poking at the system.
VM now communicates only with devices on its subnet. Any attempt to communicate through the gateway to the same equipment from Step 2 fails to put packets on the wire. tcpdump on eth0 on the VM shows outgoing packets with no response; WireShark on the host shows nothing on the physical NIC.
Stopping and restarting the VM does not change its behavior. Stopping the VM and replacing it with a different VM with appropriate IP address, etc. does not change the behavior.
The Win2k3 host continues to communicate normally, both on and off its subnet.
I can only conclude from this that "something happens" between the VM and the host: in the VMware drivers, or in the host's network stacks. I'm off to scour the web again.... it's hard to imagine we're the first to observe this.
Updates as they come. Thanks for your thoughts and discussion.
Your second log line is trying to match packets sent to 10.10.1.33, but you changed the destination address to 192.168.0.33 on the line above it.
I'm not sure why you don't see the outgoing packets in tcpdump yet. I assume you're running tcpdump on the Linux VM itself. Is the VM sending packets on the same interface it's receiving on, or is there a second virtual ethernet adapter? What machines are the various IP addresses assigned to (other than 10.10.1.33)?
Regarding update:
I gather you're not using DHCP (people usually don't bother when using static IP addresses). Also, it sounds like the gateway sees one NIC using two IP addresses. Normally that should be ok, but it's always the details that get you.
Is it possible the gateway will only assign one IP address to the NIC and is ignoring traffic from the VM?
After your edit, I suggest an experiment: on your physical machine, configure your NIC to disable all hardware acceleration.
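A small diagnostic for the symptom in the question above, as an added example that is not part of the original thread. The first LOG rule counts packets while the second LOG and the DNAT do not, which means matching stops at the `-d 10.10.1.33` condition; the quickest way to see that on a live router is to list the chain with exact counters and pick out the rules that have never matched. The listing embedded below is constructed to mirror the rules in the question (the counter values are invented), and the sysctl check assumes the router's interface is eth0 as stated in the question.

```shell
#!/bin/sh
# Added example (not from the original question or answers): find the rules
# in a nat chain whose packet counter is still zero, and show the sysctls
# that decide whether DNATed packets are forwarded at all.

# Reads the output of:  iptables -t nat -vnxL <chain>
# (-x prints exact counters instead of "12K"). Prints one line per rule that
# has never matched, with its position, target and destination column.
unmatched_rules() {
  awk '
    /^Chain /   { chain = $2; n = 0; next }   # "Chain foo_pre (1 references)"
    /^ *pkts/   { next }                      # header row
    NF < 9      { next }                      # not a rule line
    {
      n++                                     # rule position within the chain
      # columns: pkts bytes target prot opt in out source destination [...]
      if ($1 == 0)
        printf "%s: rule %d (%s to %s) never matched\n", chain, n, $3, $9
    }
  '
}

# Constructed listing shaped like the question's nat table; counters invented.
sample_listing() {
  cat <<'EOF'
Chain foo_pre (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      12      720 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
       0        0 LOG        all  --  *      *       0.0.0.0/0            10.10.1.33           LOG flags 0 level 4
       0        0 DNAT       tcp  --  *      *       0.0.0.0/0            10.10.1.33           tcp dpt:80 to:192.168.0.33:8080
EOF
}

# Values that must be right for DNAT-then-forward to work on a Linux router.
# rp_filter is included because a strict reverse-path check can silently drop
# traffic involving a secondary address. Missing files are reported, not fatal.
forwarding_status() {
  iface=${1:-eth0}
  for f in /proc/sys/net/ipv4/ip_forward \
           /proc/sys/net/ipv4/conf/"$iface"/forwarding \
           /proc/sys/net/ipv4/conf/"$iface"/rp_filter; do
    if [ -r "$f" ]; then printf '%s = %s\n' "$f" "$(cat "$f")"
    else printf '%s absent\n' "$f"; fi
  done
}

# Usage on the router itself would be:  iptables -t nat -vnxL foo_pre | unmatched_rules
sample_listing | unmatched_rules
forwarding_status eth0
```

On the constructed listing this reports rules 2 and 3 of foo_pre as never matched, which is exactly the pattern the question describes: once you know the first rule whose counter stays at zero, the match that rule adds (here the destination address) is the one to compare against what tcpdump actually shows on the wire.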
