
I'm using Amazon EC2 and looking to set up some firewall rules for my scenario. EC2 is strange - in case you aren't familiar with EC2 - Amazon offers elastic IP addresses that resolve to private IP addresses - there is no such thing as a truly public IP. I've got two private IP addresses attached to a single ethernet interface (eth0), and two corresponding elastic IPs that resolve to the private IPs to allow public access to the machine.

For the second private IP, I only want to accept packets if they come from a particular source (my IP address).

I can NOT use multiple ethernet interfaces to solve this, as I can only simulate multiple public IP addresses from the same interface (eth0) on EC2.

I've got standard rules in place that allow ALL connections to commonly-used public ports from any source.

```
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
```

How can I add a rule further in the chain that will further inspect the destination for EVERY request, and simply drop the request if the source (`-s`) isn't the IP address I specify?

I basically want to use a second IP address along with iptables and apache2 to only serve certain pages to me when I'm on my home network.

Thanks!

Sam Levin
  • Why not just use `.htaccess` instead of iptables? iptables will stop at the first rule a packet matches. (note: `-s` does the source check) – Nathan C Apr 28 '14 at 16:39
  • That sounds like a good temporary suggestion, thanks. However, this would mean my devs can alter security by simply removing this file, as it would be located in what can be considered their working directories. Something in iptables at the kernel level would be preferred – Sam Levin Apr 28 '14 at 17:14
  • If I understand what you want to do: a) bind apache2 test/private to 2nd ip address b) add iptables rule at the top to allow yourself access `INPUT -s home_ip_address -j ACCEPT`, add rule at the end to block all access to 2nd private ip `INPUT -d 2nd_private_ip -j DROP`. Or you can use Security Group to block all :80 access on 2nd public IP (tied to 2nd private IP) except for your home ip (easier to change from home if something goes wrong) – LinuxDevOps Apr 28 '14 at 17:32
  • Why not add as answer so I can mark as correct?! As far as ec2 security groups go, I think a security group applies to an entire ENI. It's not currently possible on ec2 to have separate private ips on multiple Ethernet interfaces, at least without advanced routing. – Sam Levin Apr 30 '14 at 02:42
  • @SamLevin added as answer, comment was just making sure I understood the requirements, thanks. – LinuxDevOps Apr 30 '14 at 15:00

1 Answer


Add iptables rule at the top to allow yourself access: `iptables -I INPUT 1 -s home_ip_address -j ACCEPT`

Add rule at the end to block all access to 2nd private ip: `iptables -A INPUT -d 2nd_private_ip -j DROP`

LinuxDevOps
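An added example, not part of the question or the answer above: a POSIX shell script that emits the full INPUT rule set for this scenario in iptables-save syntax, ready to load with `iptables-restore`. It applies the point Nathan C raised in the comments: iptables stops at the first matching rule. The question's existing `--dport 80 -j ACCEPT` rules carry no `-d`, so a packet for port 80 on the second address would match one of them before ever reaching a DROP appended at the end of the chain. The script therefore scopes every public-port ACCEPT to the primary address with `-d`, and places the home-only ACCEPT and the second-address DROP before them. `HOME_IP`, `PRIMARY_IP` and `SECOND_IP` are placeholders for the home, first private and second private addresses; the 203.0.113.7 / 10.0.0.5 / 10.0.0.6 values in the usage line are constructed sample values.

```shell
#!/bin/sh
# Added example: generate iptables rules for a two-address EC2 host where the
# second private address must only be reachable from one source (the home IP).
# Rules are emitted in iptables-save syntax, so the output can be piped into
# `iptables-restore -n` or pasted under the *filter section of a rules file.

# build_rules HOME_IP PRIMARY_IP SECOND_IP
# Prints the INPUT rules, most specific first. Ordering is the whole point:
# iptables evaluates top-down and stops at the first match, so the rules that
# restrict the second address must precede the broad per-port ACCEPTs.
build_rules() {
    home_ip="$1"
    primary_ip="$2"
    second_ip="$3"
    cat <<EOF
# Loopback and replies to connections this host already accepted or started.
# (Needed if the INPUT chain policy is DROP; harmless if it already exists.)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Second address: only the home network may open connections to the private
# Apache vhost bound there, and only on port 80. Everything else to that
# address is dropped before the public-port rules below can match it.
-A INPUT -d ${second_ip} -s ${home_ip} -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d ${second_ip} -j DROP
# Primary address: the public services from the question, open to any source.
# Each rule carries -d so it cannot accidentally admit traffic to the second
# address.
EOF
    for port in 80 443 25 587 110 995 143 993 9001; do
        printf '%s\n' "-A INPUT -d ${primary_ip} -p tcp -m tcp --dport ${port} -j ACCEPT"
    done
}

# rule_index PATTERN
# Reads a rule set on stdin and prints the 1-based line number of the first
# line containing PATTERN (fixed string). Used to check that the DROP for the
# second address sits above the first public-port ACCEPT.
rule_index() {
    grep -n -F -- "$1" | head -n 1 | cut -d: -f1
}

# ordering_ok HOME_IP PRIMARY_IP SECOND_IP
# Returns 0 when the second-address DROP precedes the primary port-80 ACCEPT.
ordering_ok() {
    rules=$(build_rules "$1" "$2" "$3")
    drop=$(printf '%s\n' "$rules" | rule_index "-d $3 -j DROP")
    pub=$(printf '%s\n' "$rules" | rule_index "-d $2 -p tcp -m tcp --dport 80")
    [ -n "$drop" ] && [ -n "$pub" ] && [ "$drop" -lt "$pub" ]
}

# Usage with constructed sample addresses (TEST-NET home IP, two RFC 1918
# private addresses on eth0):
#   build_rules 203.0.113.7 10.0.0.5 10.0.0.6
# then, after reviewing the output and confirming your management access
# (e.g. SSH) is still covered by an existing rule or the chain policy:
#   { echo '*filter'; build_rules 203.0.113.7 10.0.0.5 10.0.0.6; echo COMMIT; } | iptables-restore -n
```

The `-n` flag to `iptables-restore` appends to the existing tables instead of flushing them, so the rules already on the host (including whatever keeps your own management session alive) are preserved. Before loading, check that the elastic IPs are NATed to the private addresses as the question describes; `-d` must name the private address the kernel actually sees, not the elastic IP.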