0

I have a firewalled server (in this case, Redis, but this probably isn't central to my question.) I want to lock down access to only certain IP addresses -- a variable, changing set of worker Amazon EC2 instances. The catch is that I don't know the IP addresses up front. What are some good approaches to manage this?

2012-08-31 Update: the Redis server is not running on EC2. If it was, I could use Amazon Security Groups.

2012-09-20 Update: See also this question from 2008: How can I programmatically manage iptables rules on the fly?. I'm looking for updated approaches, work-arounds, or whatever. Currently, I'm using some hand-made scripts that generate rules from template files -- I'd be surprised if there is not something better out there.

2012-09-21 Update: I'm running Ubuntu 12. I'm using Amazon Elastic IP's. Currently, I'm regenerating the iptables config using an ERB template and reloading via a remote script. I was hoping to, at least, find an API for iptables -- or, better yet, a tool to help.

Community
  • 1
  • 1
David J.
  • 31,569
  • 22
  • 122
  • 174
  • And I see a vote to close... Please share your reasons. – David J. Sep 15 '12 at 05:22
  • See http://serverfault.com/questions/341926/modify-debian-firewall-rules-programmatically – David J. Sep 21 '12 at 00:35
  • I don't know why you're being downvoted, or why people are voting to close. As a suggestion, perhaps remove references to ec2, as it just seems to be confusing the issue (though, an elastic IP may indeed work). What matters isn't the application that the firewall is protecting, or where the connection is coming from, but: 1) What is the operating system what the firewall is running on? (answers can change wildly when comparing Ubuntu and RHEL, for example) 2) What have you tried, and what specifically makes those approaches not work, insufficient, or inapplicable to your situation? – Will Palmer Sep 21 '12 at 05:37
  • Thanks Will for the suggestions -- I updated my question above. I'm using `iptables-restore` via a remote script. It feels clunky to reload the whole configuration that way. – David J. Sep 21 '12 at 16:57

2 Answers2

1

There are various options mentioned in this 2008 question: How can I programmatically manage iptables rules on the fly?. According to that, there is no API for iptables.

Community
  • 1
  • 1
David J.
  • 31,569
  • 22
  • 122
  • 174
0

You have to opt for Elastic IPs from amazon and associate the Elastic IPs to your instance on ec2. This will do the rick of having static public IP for your ec2 instance.

Ajay Tiwari
  • 3,388
  • 1
  • 17
  • 13
  • Ok, this advice doesn't hurt -- and might be one way of doing it -- but it doesn't directly answer my question. I don't care if my EC2 instances have stable IPs. I'd rather not pay for that. Also, I have a variable number of EC2 instances -- that vary based on scaling needs. My question is about how to intelligently manage the firewall setup on the Redis server, which is *not* running on EC2. – David J. Aug 31 '12 at 15:59