Does it makes sense to configure iptables when you have configured AWS EC2 security groups?

Question

We are using some Amazon EC2 instances with configured Security Groups (e.g. can SSH only from particular IPs -- sorry I cant post rules).

Some time ago I checked iptables and it looked like there were not configured.

sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

My question is:

Does it makes sense to configured iptables - either via raw method or via some front-end e.g. csf (not neceserraly the best pick, but I want to provide some example)?

Or maybe we don't gain anything?

score 5 · Answer 1 · answered Aug 02 '18 at 21:41

iptables has various features that simply aren't available in EC2 security groups. So if you need certain features of iptables, there's your answer. There's no technical limitation to prevent you from running both.

From a security perspective, it's as if you had a locked door, then another locked door, with both locks requiring the same key. It would protect you in case of a serious malfunction in either iptables or EC2. I'm not sure I'd call this "defense-in-depth" if both systems are relying on the same network rules.

However, IMHO, it's a problem waiting to happen. The potential security improvement is at best minor. The operational risk of failing to keep your filtering rules in sync is a much more realistic concern.

`iptables has various features that simply aren't available in EC2` Which ones? — nothing-special-here, Aug 03 '18 at 16:30
masq, nat, chains, accounting, auditing, custom actions... it's just a far more extensible service (which doesn't make it better per se). — TheCoolah, Aug 05 '18 at 16:26

score 4 · Answer 2 · edited Aug 08 '18 at 16:13

It's always a good idea to setup iptables, especially if the rules do not change.

The AWS firewall may give you the protection you need, but there is always a chance for a failure. There could be a service failure, or a configuration issue. It is better to have a second line of defense. With iptables you don't depend as much on the AWS firewall, and you have more and direct control.

Of course if the rules are dynamically changing then managing iptables can become a pain... but you can find solutions for that as well.

Does it makes sense to configure iptables when you have configured AWS EC2 security groups?

2 Answers2