Skip to content

Instantly share code, notes, and snippets.

@franklouwers

franklouwers/gist:d5061b4ef50e2b4253fe

Created July 22, 2015 15:19
Show Gist options
  • Save franklouwers/d5061b4ef50e2b4253fe to your computer and use it in GitHub Desktop.
Save franklouwers/d5061b4ef50e2b4253fe to your computer and use it in GitHub Desktop.
Download ZIP
Raw
gistfile1.txt
Situation before:
root@srv-132:~# iptables -L i-2-4867-VM -n
Chain i-2-4867-VM (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:1:65535 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1:65535 state NEW
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 code 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 0 code 0
DROP all -- 0.0.0.0/0 0.0.0.0/0
Goal: We want to add a rule to allow 0.0.0.0/0 for protocol all. We first try a different
ip-range (0.0.0.0/1) to verify that the "protocol all" rules work.
==> WORKS: add cidr 0.0.0.0/1 (so 0.0.0.0-127.255.255.255), protocol all to securitygroup:
(frank) 🐵 > authorize securitygroupingress securitygroupid=3175ef09-7fb7-11e4-821b-001e6702473c cidrlist="0.0.0.0/1" protocol=all
Rule gets installed:
root@srv-132:~# iptables -L i-2-4867-VM -n
Chain i-2-4867-VM (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:1:65535 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1:65535 state NEW
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 code 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 0 code 0
ACCEPT all -- 0.0.0.0/1 0.0.0.0/0 state NEW
DROP all -- 0.0.0.0/0 0.0.0.0/0
==> DOES NOT WORK: add cidr 0.0.0.0/0, protocol all to securitygroup:
(frank) 🐵 > authorize securitygroupingress securitygroupid=3175ef09-7fb7-11e4-821b-001e6702473c cidrlist="0.0.0.0/0" protocol=all
Rule does not get installed:
root@srv-132:~# iptables -L i-2-4867-VM -n
Chain i-2-4867-VM (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:1:65535 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1:65535 state NEW
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 code 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 0 code 0
ACCEPT all -- 0.0.0.0/1 0.0.0.0/0 state NEW
DROP all -- 0.0.0.0/0 0.0.0.0/0
Logs:
2015-07-22 17:03:40,131 - programming network rules for IP: 37.xxx.xxx.xxx vmname=i-2-4869-VM
2015-07-22 17:03:40,131 - iptables -F i-2-4869-VM
2015-07-22 17:03:40,138 - iptables -F i-2-4869-VM-eg
2015-07-22 17:03:40,145 - iptables -I i-2-4869-VM -m state --state NEW -s 0.0.0.0/1 -j ACCEPT
2015-07-22 17:03:40,151 - iptables -I i-2-4869-VM -p icmp --icmp-type 0/0 -j ACCEPT
2015-07-22 17:03:40,158 - iptables -I i-2-4869-VM -p icmp --icmp-type 8/0 -j ACCEPT
2015-07-22 17:03:40,165 - iptables -I i-2-4869-VM -p tcp -m tcp --dport 1:65535 -m state --state NEW -j ACCEPT
2015-07-22 17:03:40,172 - iptables -I i-2-4869-VM -p udp -m udp --dport 1:65535 -m state --state NEW -j ACCEPT
2015-07-22 17:03:40,179 - iptables -I i-2-4869-VM-eg -p icmp --icmp-type 0/0 -j RETURN
2015-07-22 17:03:40,184 - iptables -I i-2-4869-VM-eg -p icmp --icmp-type 8/0 -j RETURN
2015-07-22 17:03:40,189 - iptables -I i-2-4869-VM-eg -p tcp -m tcp --dport 1:65535 -m state --state NEW -j RETURN
2015-07-22 17:03:40,195 - iptables -I i-2-4869-VM-eg -p udp -m udp --dport 1:65535 -m state --state NEW -j RETURN
2015-07-22 17:03:40,200 - iptables -A i-2-4869-VM-eg -j DROP
2015-07-22 17:03:40,205 - iptables -A i-2-4869-VM -j DROP
(notice the 0.0.0.0/0 is missing)
=== AFTER patch ===
==> WORKS: we can now add 0.0.0.0/0 (note: you first need to remove the rule, otherwise there is no diff)
(frank) 🐵 > authorize securitygroupingress securitygroupid=3175ef09-7fb7-11e4-821b-001e6702473c cidrlist="0.0.0.0/0" protocol=all
Log is installed in iptables:
root@srv-132:~# iptables -L i-2-4867-VM -n
Chain i-2-4867-VM (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:1:65535 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1:65535 state NEW
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 code 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 0 code 0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT all -- 0.0.0.0/1 0.0.0.0/0 state NEW
DROP all -- 0.0.0.0/0 0.0.0.0/0
Logs:
2015-07-22 17:13:30,176 - programming network rules for IP: 37.xx.xx.xxx vmname=i-2-4884-VM
2015-07-22 17:13:30,176 - iptables -F i-2-4884-VM
2015-07-22 17:13:30,184 - iptables -F i-2-4884-VM-eg
2015-07-22 17:13:30,191 - iptables -I i-2-4884-VM -m state --state NEW -s 0.0.0.0/1 -j ACCEPT
2015-07-22 17:13:30,197 - iptables -I i-2-4884-VM -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
2015-07-22 17:13:30,204 - iptables -I i-2-4884-VM -p icmp --icmp-type 0/0 -j ACCEPT
2015-07-22 17:13:30,211 - iptables -I i-2-4884-VM -p icmp --icmp-type 8/0 -j ACCEPT
2015-07-22 17:13:30,217 - iptables -I i-2-4884-VM -p tcp -m tcp --dport 1:65535 -m state --state NEW -j ACCEPT
2015-07-22 17:13:30,224 - iptables -I i-2-4884-VM -p udp -m udp --dport 1:65535 -m state --state NEW -j ACCEPT
2015-07-22 17:13:30,232 - iptables -I i-2-4884-VM-eg -p icmp --icmp-type 0/0 -j RETURN
2015-07-22 17:13:30,237 - iptables -I i-2-4884-VM-eg -p icmp --icmp-type 8/0 -j RETURN
2015-07-22 17:13:30,244 - iptables -I i-2-4884-VM-eg -p tcp -m tcp --dport 1:65535 -m state --state NEW -j RETURN
2015-07-22 17:13:30,249 - iptables -I i-2-4884-VM-eg -p udp -m udp --dport 1:65535 -m state --state NEW -j RETURN
2015-07-22 17:13:30,254 - iptables -A i-2-4884-VM-eg -j DROP
2015-07-22 17:13:30,260 - iptables -A i-2-4884-VM -j DROP
(notice the 0.0.0.0/0 is added! )
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment