
We recently noticed that outgoing HTTP traffic seems to be blocked.

Specifically, we need to allow HTTP requests to a given website URL. I'm not sure if this is possible, as I believe typically it must be allowed to a specific IP. However, the service to which we need to send traffic uses ELB, and therefore the actual IPs of the instances can change.

Anyway, I've tried running `telnet xxx.com 80` and it simply says:

Unable to connect to remote host: Connection timed out

Anyone know how we can allow the HTTP outgoing traffic to this website?

Thanks in advance.

Aaron

2 Answers


You need to find out the IP ranges used by the website using ELB, and add iptables outgoing ALLOW rules to them. Since you didn't include any existing firewall configuration information in your question, I cannot give any more specific instructions.

Tero Kilkanen
  • Thanks for the quick reply :) I will ask them for the IP ranges, but I'm not sure Amazon is able to provide this information. I'd be glad to share more details on the firewall configuration - what's the best way to share that with you? – Aaron Jun 21 '16 at 09:55

You can use this:

iptables -A OUTPUT -p tcp -d xxx.com --dport 80 -j ACCEPT

You can use a web address (but it must be a domain name) for -d (destination). And don't forget to also allow the incoming traffic for the same site:

# reply packets from the web server come FROM port 80, so match on --sport, not --dport
iptables -A INPUT -p tcp -s xxx.com --sport 80 -j ACCEPT

Edit:

If that does not work ... you must make a script that takes the IP address info from the command: host -t a xxx.com

Gruja
  • I'm not sure that using FQDNs in `iptables` rules works like you think it does. – MadHatter Jun 21 '16 at 09:51
  • I tried to include the URL within the iptables rules and did not have any success. How would I properly include the command `host -t a xxx.com` within the rule itself? Just not sure of the proper formatting... – Aaron Jun 21 '16 at 09:57
  • The format is, for example: `host -t a www.facebook.com` and the output is like: `www.facebook.com has address 69.171.228.40` but that's not usable in iptables rules ... you must make a script that runs iptables ... – Gruja Jun 21 '16 at 10:25
  • Oh okay, I already have a script you can see here: https://goo.gl/YXkg5p can I add this into my existing script? – Aaron Jun 21 '16 at 10:37
  • Yes you can. Take this code: `host -t a siteadress.com > ip.txt ; awk '{print $4}' ip.txt ; rm ip.txt` – Gruja Jun 21 '16 at 11:25
  • This will work until the IP address of xxx.com changes. Then after this, you need to run the script to get the IP address, add it to iptables. Repeat this until you have all the IP addresses, which might take a looong time... – Tero Kilkanen Jun 21 '16 at 12:21
  • Hm, so does this go inside the existing script which I linked above? Or do I need separate script? It seems that if the IP changes all the time then it might be very unpredictable... – Aaron Jun 21 '16 at 12:23
  • As a test I've just added the following (using IP) and traffic is still not able to go out... iptables -A INPUT -p tcp -s 23.21.172.135 --dport 80 -j ACCEPT – Aaron Jun 21 '16 at 13:34
  • but you must add the OUTPUT rule also: `iptables -A OUTPUT -p tcp -d 23.21.172.135 --dport 80 -j ACCEPT` – Gruja Jun 22 '16 at 08:03
  • @TeroKilkanen : meaning he should start the script every day ... I think they change the address daily ... :/ but you must run the script every time the site address changes ... – Gruja Jun 22 '16 at 08:06
  • @Gruja good catch, I forgot the OUTPUT line - however it's added now and when I telnet 23.21.172.135 80 it still says 'Unable to connect to remote host: Connection timed out' – Aaron Jun 22 '16 at 10:40
  • In the end, I found out the issue - since the third party service is using AWS with an ELB we have to allow all the IPs of the backend instances. I noticed in the logs it was still blocking a couple IPs once I added the rules then it started working. The 3rd party service is not able to provide an IP range since even AWS doesn't know those IPs. Is there a way we can test and update the iptables script dynamically? – Aaron Jun 26 '16 at 07:11
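Both answers above come down to the same thing: resolve the load balancer's hostname, and turn whatever it currently resolves to into OUTPUT rules, repeated whenever the answer changes. The script below is an added example written for this page, not code from either answer or from the asker's linked script. It keeps the resolved addresses in an ipset rather than in per-IP iptables rules, so the firewall rule itself never changes and only the set contents are refreshed (atomically, with `ipset swap`, so there is no window with an empty set); it treats the DNS answer as untrusted input and validates each address before it goes anywhere near a command line; and it keeps the old set when resolution returns nothing, since an empty answer usually means a DNS problem rather than "no servers". Return traffic is allowed with a conntrack rule instead of a second per-IP INPUT rule. The set name `allow_http_v4`, the hostname `example.test` and the `DRY_RUN` variable are assumptions for this example; it requires the `ipset` package, and the allowlist is only as trustworthy as the resolver this host uses.

```shell
#!/bin/sh
# Added example: keep an ipset in sync with the A records of a hostname and
# allow outbound HTTP only to those addresses. Assumed names: allow_http_v4
# (the set), DRY_RUN (print commands instead of running them).
set -eu

SET_NAME="allow_http_v4"
IPT="${IPT:-iptables}"
IPSET="${IPSET:-ipset}"
DRY_RUN="${DRY_RUN:-0}"

# Print the current IPv4 addresses for $1, one per line, via the system resolver.
# Resolution is isolated here so everything else can be exercised with a fixed list.
resolve_v4() {
  getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Return 0 if $1 is a dotted-quad IPv4 address with each octet 0-255, else 1.
# DNS answers are untrusted input: never splice them into a command unchecked.
is_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
    { exit 1 }'
}

# One-time rules: match the destination against the set, and let conntrack
# admit the replies instead of writing a per-IP INPUT rule for each address.
render_base_rules() {
  printf '%s create %s hash:ip family inet -exist\n' "$IPSET" "$SET_NAME"
  printf '%s -A OUTPUT -p tcp --dport 80 -m set --match-set %s dst -j ACCEPT\n' "$IPT" "$SET_NAME"
  printf '%s -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$IPT"
}

# Emit the commands that replace the set contents atomically: fill a scratch
# set, swap it in, destroy the old one. Arguments: hostname, then addresses.
# Returns 1 (and emits no swap) when no usable address was supplied.
render_refresh() {
  host="$1"; shift
  tmp="${SET_NAME}_new"
  n=0
  printf '%s create %s hash:ip family inet -exist\n' "$IPSET" "$SET_NAME"
  printf '%s create %s hash:ip family inet -exist\n' "$IPSET" "$tmp"
  printf '%s flush %s\n' "$IPSET" "$tmp"
  for ip in "$@"; do
    if is_ipv4 "$ip"; then
      printf '%s add %s %s -exist\n' "$IPSET" "$tmp" "$ip"
      n=$((n + 1))
    else
      # Report on stderr only; the bad value must not reach the emitted commands.
      printf 'skipping unexpected A record for %s: %s\n' "$host" "$ip" >&2
    fi
  done
  if [ "$n" -eq 0 ]; then
    printf 'no usable addresses for %s, keeping current set\n' "$host" >&2
    printf '%s destroy %s\n' "$IPSET" "$tmp"
    return 1
  fi
  printf '%s swap %s %s\n' "$IPSET" "$tmp" "$SET_NAME"
  printf '%s destroy %s\n' "$IPSET" "$tmp"
}

# Usage: refresh-allowlist.sh HOSTNAME   (run from cron, e.g. every few minutes)
#        DRY_RUN=1 refresh-allowlist.sh HOSTNAME   prints the commands instead
main() {
  host="${1:?usage: $0 hostname}"
  set -- $(resolve_v4 "$host")
  if [ "$DRY_RUN" = 1 ]; then
    render_base_rules
    render_refresh "$host" "$@"
  else
    render_refresh "$host" "$@" | sh -e
  fi
}

if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

The base rules are installed once (they belong in the existing iptables script); only `main` runs on the schedule. Because `iptables -d hostname` also just resolves the name once at insertion time, the difference from the second answer is not the resolution but the refresh: with a set, the rule stays put and the addresses are replaced in one step, so a changed ELB answer never leaves stale per-IP rules behind.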