
I built an AMI (RedHat Linux) using Amazon's EC2 Image Builder service. I created an EC2 instance using this AMI, and found that there are certain firewall rules set (ran the following command: `iptables -nL`). Unfortunately, I was not able to find the configuration for setting these rules. Here are a couple of commands I ran to check for the configuration:

  1. `systemctl status iptables` - iptables config is not located
  2. `systemctl status firewalld` - returns a status of inactive for firewalld

I am not able to communicate with this instance from outside, though there is a public IP available. Any suggestions on how to disable these set rules? I tried disabling them using `systemctl stop firewalld` and `systemctl disable firewalld`, but since the status of firewalld is inactive, the rules still existed.

Another approach I tried was creating a component in my AMI which flushes the rules in iptables:

  • `iptables -F INPUT`
  • `iptables -F FORWARD`
  • `iptables -F OUTPUT`

The AMI was created successfully, but the rules still existed when I launched an instance. However, other components (in which I was installing some packages) worked well.

Any suggestions on how to disable the firewall?

anjali
  • Have you saved the rules, `iptables save`? By default iptables resets after reboot if not saved. So if your instances launch from ami, they may not be affected by your un-saved rules. – Marcin May 21 '20 at 08:49
  • `iptables-restore` is required after a reboot/restart, right? – anjali May 21 '20 at 11:01
  • This [thread](https://serverfault.com/questions/626521/centos-7-save-iptables-settings) has useful info about centos7 firewall. – Marcin May 21 '20 at 11:04
  • Are you using subnets or is this the default VPC? Did you add a SG to allow inbound traffic? – Sully May 24 '20 at 13:36
  • Also, check subnet route table to route traffic accordingly and VPC NACLs (default allows all traffic) – Sully May 24 '20 at 13:42
  • I'm using subnets. My instances were created successfully when I allowed all traffic (I had only certain ports open before; cleared them from the AWS console). My question was really this - is there an ami-based approach to edit/remove these rules, instead of from the console? – anjali May 26 '20 at 06:10
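An added example, not part of the question or comments above, for checking an image's ruleset the way the thread discusses: it parses a constructed `iptables-save` dump (not the asker's real rules) to report the INPUT chain's default policy and whether a given TCP port is reachable, and lists the files a RHEL-family image usually restores rules from at boot.

```shell
# Constructed sample dump resembling a locked-down host (not the asker's ruleset).
SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# input_policy DUMP: print the default policy of the filter table's INPUT chain.
# `iptables -F INPUT` clears the rules but leaves this policy in place, so a
# DROP policy keeps blocking inbound traffic even after a flush.
input_policy() {
  printf '%s\n' "$1" | awk '/^\*/ {t=$1} t=="*filter" && $1==":INPUT" {print $2; exit}'
}

# tcp_port_allowed DUMP PORT: succeed if an INPUT rule ACCEPTs TCP traffic to PORT
# before the first unconditional REJECT/DROP rule (a rule with no match options).
tcp_port_allowed() {
  printf '%s\n' "$1" | awk -v port="$2" '
    /^\*/ { t=$1 }
    t!="*filter" || $1!="-A" || $2!="INPUT" { next }
    {
      proto=""; dport=""; target=""; matchopts=0
      for (i=3; i<=NF; i++) {
        if ($i=="-p") proto=$(i+1)
        if ($i=="--dport") dport=$(i+1)
        if ($i=="-j") target=$(i+1)
        if ($i ~ /^-(p|s|d|i|o|m)$/ || $i ~ /^--[sd]port$/) matchopts=1
      }
      if (proto=="tcp" && dport==port && target=="ACCEPT") { found=1; exit }
      if (!matchopts && (target=="REJECT" || target=="DROP")) exit
    }
    END { exit found ? 0 : 1 }'
}

# rule_sources: list the files a RHEL-family image commonly restores rules from at
# boot; any of these baked into the AMI reapply rules that a build step flushed.
rule_sources() {
  for f in /etc/sysconfig/iptables /etc/sysconfig/ip6tables /etc/sysconfig/nftables.conf; do
    [ -e "$f" ] && printf '%s\n' "$f"
  done
  return 0
}
```

Run `input_policy "$(iptables-save)"` on the launched instance to see the live policy; a flush in a build component only changes the running kernel state, so whatever `rule_sources` reports is what reloads the rules on the next boot.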
