6

I've written some programs for Raspberry Pi, which some small companies have shown interest in. I sold pre-configured Raspberry Pis to them, with my program on them, and it works for everybody except one of the companies. They have very strict policies, which is understandable.

My program uses Amazon's S3 service. I've given instructions on which ports and services need to be open in order for the program to work and access S3, and the system administrator is saying OK to everything except one thing: they can't allow port 443 to the entire Internet. I need to specify IP ranges, they say.

I've been doing some research, and it seems that S3 needs a vast IP range in order to work, and the IP addresses needed just keep adding up. Most documentation I've found spells out clearly that "port 80 and port 443 need to be open" and that the IP addresses for the S3 servers vary.

Do you have any suggestions on what I can suggest? Are there firewalls that can filter by domain name (*.amazonaws.com)? Or is there anything else I can do? Is there an official IP range list for S3, that is updated regularly?

Any help from you would be very appreciated. Thanks.

Paolo
  • Port 443 is typically SSL; they don't allow any SSL connections on their network? – thexacre Jun 27 '14 at 10:37
  • @thexacre Maybe they only allow connections to their proxy which then forwards them to the open internet, most likely for logging purposes. –  Jun 27 '14 at 13:25
  • They only allow connections to specified IP addresses. So, they're asking "You must tell us to which IP address you want us to open port 443". Unfortunately S3 doesn't only have one IP address associated to it. – Paolo Jun 27 '14 at 13:59
  • It sounds to me like the issue is that they want to monitor all web traffic and thus don't want *employees' workstations* to be able to connect to port 443 on arbitrary IP addresses. But perhaps they could instead add a firewall rule just for your Pi-based appliance's source IP to allow it to connect to port 443 anywhere? This would be a more reliable solution for them, I think. – R.. GitHub STOP HELPING ICE Jun 27 '14 at 14:12

2 Answers

8

Before you start building the allowed IP range, identify the region. The list of S3 regions is available here.

Let's assume you need an IP range for s3-us-west-2.amazonaws.com.

You can get it by executing the following commands on a Linux system, or equivalent commands on other systems.

Get IP address for the domain:

$ host s3-us-west-2.amazonaws.com
s3-us-west-2.amazonaws.com has address 54.231.161.248

The domain will have multiple IP addresses associated with it, which may well be in separate networks. Try running this command multiple times to see whether the IP addresses returned are in the same network. If not, try to identify IPs from separate networks and run the command below on all of them. Unfortunately there is no way to ask a DNS server to return all A records associated with a particular domain.

Run whois to get information about IP address:

$ whois 54.231.161.248
...
NetRange:       54.230.0.0 - 54.231.255.255
CIDR:           54.230.0.0/15
...

Whois output will include a whole lot of extra information which you don't need, and the output may differ for different IP addresses. However, you should be able to find the IP range in its output.

Alternative approach:

Amazon has a forum post which lists their IP ranges and gets updated regularly, so you can use that as well.

Because those IP ranges are going to change over time, ideally you will want to have a script which will probe them for you and give notice when new IPs are discovered. As noted in the comment below, you probably don't want your firewall configuration to be updated without first confirming that the IP ranges are correct.

grekasius
  • No one who is security conscious will update their firewall automatically via a script relying on an external site. All the same reasons why it is standard to use IP addresses and not domain names apply. – JamesRyan Jun 27 '14 at 14:48
  • My script suggestion was more targeted to automate the manual commands used to retrieve the updated IP ranges, not necessarily to update the firewall config itself. I'll fix that part to be a bit more specific. – grekasius Jun 27 '14 at 15:01
  • I wouldn't count on a single lookup getting all IPs for S3. I, for example, get `54.240.252.34` for `host s3-us-west-2.amazonaws.com`. It's probably round-robined, geolocated, and who knows what else. – ceejayoz Jun 27 '14 at 16:24
  • Answer recommends to do multiple lookups. – grekasius Jun 27 '14 at 16:28
  • Anyone know what the iptables rule would look like for this? I allow outbound 80/443 to all addresses yet it still fails. I'm assuming there is something missing. – NDBoost Oct 05 '16 at 01:05
3

Amazon now publish an automatically updated list of IP ranges for each service here: https://ip-ranges.amazonaws.com/ip-ranges.json - see http://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html for semantics and how to get notified on changes.

Malcolm Box
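As an added illustration (not code from either answer), a script that pulls the S3 prefixes for one region out of the published ip-ranges.json format, reports what a firewall allowlist lacks so a human can review it before any rule changes, and checks a resolved address from the first answer against the list. The JSON below is a constructed sample using the file's keys (syncToken, createDate, prefixes, ip_prefix, region, service), not the live published values.

```python
import ipaddress
import json

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# Same keys as the real file; the prefixes are illustrative, not the live list.
SAMPLE_RANGES = json.dumps({
    "syncToken": "1403870000",
    "createDate": "2014-06-27-12-00-00",
    "prefixes": [
        {"ip_prefix": "54.231.160.0/19", "region": "us-west-2", "service": "S3"},
        {"ip_prefix": "54.240.252.0/22", "region": "us-west-2", "service": "S3"},
        {"ip_prefix": "54.231.0.0/17", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "54.230.0.0/16", "region": "us-west-2", "service": "CLOUDFRONT"},
    ],
})


def s3_prefixes(ranges_json, region):
    """Return the set of IPv4 prefixes tagged service=S3 for one region."""
    data = json.loads(ranges_json)
    return {p["ip_prefix"] for p in data["prefixes"]
            if p["service"] == "S3" and p["region"] == region}


def diff_allowlist(current, published):
    """(prefixes the firewall lacks, prefixes no longer published) for review."""
    return sorted(published - current), sorted(current - published)


def covering_prefix(ip, prefixes):
    """Which allowlisted prefix (if any) contains a resolved address."""
    addr = ipaddress.ip_address(ip)
    for p in prefixes:
        if addr in ipaddress.ip_network(p):
            return p
    return None


if __name__ == "__main__":
    published = s3_prefixes(SAMPLE_RANGES, "us-west-2")
    current = {"54.231.160.0/19"}  # what the firewall allows today (constructed)
    added, removed = diff_allowlist(current, published)
    print("new prefixes to review:", added)
    print("stale prefixes:", removed)
    # Cross-check the `host` result from the first answer against the list.
    print(covering_prefix("54.231.161.248", published))
```

The script only reports differences; applying them to the firewall stays a manual, reviewed step, as the comment thread recommends.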