Home / server / Questions / 88086
Accepted
readonly
Asked: 2009-11-25 21:53:45 +0800 CST

Should you use iptables with EC2 instances?

  • 772

You can use ec2-authorize to specify what kind of traffic to allow to your ec2 instance. Is it still a good idea to run iptables, or is that introducing unnecessary complexity?

iptables

2 Answers

  1. Best Answer

    Some reasons why you might consider activating iptables:

    • can use to block outgoing trojans, eg block outgoing smtp 25, and you provide defense against spam trojans
    • what if the Amazon firewall is disactivated for some reason by Amazon by accident?
    • what if the instance is started with an inappropriate security group, or there is an issue with the security group's configuration?

    Activating iptables provides defense in depth, and is easy to configure, eg with ufw:

    sudo ufw default allow
sudo ufw enable
sudo ufw allow 22/tcp    # allow ssh
sudo ufw default deny

# sudo ufw allow 80/tcp   # uncomment this line to allow incoming http
# sudo ufw allow 443/tcp  # uncomment this line to allow incoming https

    (note: this won't block outgoing smtp, but it does show that getting a basic iptables configuration setup is fairly painless, and then you can tweak this if you like vi /etc/ufw/*.rules)

    • 6

  2. I'd say it depends on how paranoid you are. I personally use a two-staged approach on my networks: there is a global firewall which blocks most bad stuff, and then each host runs some type of local firewall specific to its purpose in life.

    It sounds like ec2-authorize is a lot like that per-host firewall. I'd configure it up and throw a few bad packets at it, and see what happens. I suspect it is sufficient.

    • 0