How to persist iptables configuration on Amazon EC2 VPC NAT Ami?


Solution 1

Debian (and derivatives) use the iptables-persistent package for this task.

Define your rules in /etc/iptables/rules.4 and/or /etc/iptables/rules.6 and activate the service (using update-rc.d, chkconfig or your tool of choice).

On RHEL and derivatives, the startup script /etc/init.d/iptables reads /etc/sysconfig/iptables, so you need to define your rules there, and ensure that the iptables service is activated (chkconfig iptables on) and started (service iptables start).

Solution 2

service iptables save

or

/etc/init.d/iptables save
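As an added example (not code from either answer or from the asker), here is the asker's port-forwarding table written straight into the iptables-save format that Solution 1 says the RHEL init script loads from /etc/sysconfig/iptables, rather than replaying the script and then running Solution 2's save command. The addresses and ports are those from the question; the ACCEPT chain policies are an assumption (the asker's script never sets one), and the destination path is a parameter so the function can be exercised without root.

```shell
#!/bin/sh
# Added example: render the rules from the asker's forward() script in
# iptables-save format and write them to the file the RHEL init script
# restores at boot. Addresses/ports are from the question; ACCEPT chain
# policies are an assumption (the asker's script never sets a policy).
CM="10.0.1.137"
MASTER="10.0.1.149"
MYSQL="10.0.1.83"
# public port : private IP : private port (same table as the question)
FORWARDS="3222:$CM:22 7183:$CM:7183 7180:$CM:7180 \
3122:$MASTER:22 8888:$MASTER:8888 11000:$MASTER:11000 \
2122:$MYSQL:22 13306:$MYSQL:3306"

# render_rules "pub:ip:port ..." -> iptables-save text on stdout
render_rules() {
    printf '*nat\n:PREROUTING ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    for entry in $1; do
        pub=${entry%%:*}; rest=${entry#*:}; ip=${rest%%:*}; port=${rest#*:}
        printf '%s\n' "-A PREROUTING -p tcp --dport $pub -j DNAT --to-destination $ip:$port"
    done
    # Same MASQUERADE the asker uses so private nodes reach the Internet
    printf '%s\n' "-A POSTROUTING -j MASQUERADE" "COMMIT"
    printf '*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    for entry in $1; do
        rest=${entry#*:}; ip=${rest%%:*}; port=${rest#*:}
        printf '%s\n' "-A FORWARD -p tcp -d $ip --dport $port -j ACCEPT"
    done
    printf 'COMMIT\n'
}

# persist_rules "pub:ip:port ..." [dest]: write the file the init script
# loads (Solution 1); dest defaults to /etc/sysconfig/iptables.
persist_rules() {
    dest=${2:-/etc/sysconfig/iptables}
    render_rules "$1" > "$dest" || return 1
    # Sanity check: both tables must end in COMMIT or iptables-restore rejects the file
    [ "$(grep -c '^COMMIT$' "$dest")" -eq 2 ]
}

# Run as root with --install to write the file and enable the service at boot
if [ "${1:-}" = "--install" ]; then
    persist_rules "$FORWARDS" && chkconfig iptables on && service iptables start
fi
```

The rendered file keeps the asker's behaviour, including DNAT rules that accept from any source; restricting the source with -s and the MASQUERADE rule with -o on the public interface is the usual tightening once the rules persist.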

Updated on September 18, 2022

Comments

  • d0x
    d0x over 1 year

    I have a small script like this to configure the iptables:

    #!/bin/bash
    
    PRE_STR="iptables -t nat -A PREROUTING -p tcp -j DNAT"
    FOR_STR="iptables -A FORWARD -p tcp -j ACCEPT"
    
    
    #####################################
    # instances
    CM="10.0.1.137"
    MASTER="10.0.1.149"
    MYSQL="10.0.1.83"
    REPORTING="10.0.1.85"
    
    #####################################
    # Clear Iptables
    iptables -F
    iptables -t nat -F
    
    #####################################
    # Forward to enable Internet on private nodes
    iptables -t nat -A POSTROUTING -j MASQUERADE
    
    
    #####################################
    # Port forwarding
    
    forward()
    {
            $PRE_STR --dport $1 --to $2:$3
            $FOR_STR --dport $3 -d $2
    }
    
    #what   from    to ip           to port
    forward 3222    $CM             22
    forward 7183    $CM             7183
    forward 7180    $CM             7180
    
    forward 3122    $MASTER         22
    forward 8888    $MASTER         8888
    forward 11000   $MASTER         11000
    
    forward 2122    $MYSQL          22
    forward 13306   $MYSQL          3306
    
    iptables-save > /etc/firewall.conf
    

    The question is, how to load the /etc/firewall.conf with the current iptables settings on the next startup?

    On a normal Debian machine I would put a script that fires iptables-restore < /etc/firewall.conf into the folder /etc/network/if-up.d/iptables. But this isn't available in this image.

    So what is the correct way to load this /etc/firewall.conf?

    AMI ID: ami-1de2d969

    Update:

    Is it OK to fire iptables-restore < /etc/firewall.conf in /etc/rc.local?

    Source: http://www.cyberciti.biz/faq/how-do-i-save-iptables-rules-or-settings/

    • Dirk Groeneveld
      Dirk Groeneveld almost 10 years
      This question comes up first for a Google query for "Amazon Linux AMI persist iptables", and it has two good answers that tell me exactly what I need to know. The question that this is a duplicate of has neither. Can we un-dupe this one?
  • d0x
    d0x almost 11 years
    Ty for this tip. Do you know how to do it with Red Hat derivatives as well? This Amazon VPC image is based on Red Hat.
  • Sam Vloeberghs
    Sam Vloeberghs over 10 years
    Did the trick on my EC2 instance!
  • Ring
    Ring over 8 years
    Says unrecognized service on my aws ami.
  • Ryan Shillington
    Ryan Shillington almost 8 years
    Where does it save it to?
  • Kevin
    Kevin almost 8 years
    If memory serves, /etc/sysconfig/iptables