Question

I have an EC2 VM; it is a CentOS machine that I exported from a VMware instance. The security group associated with this VM is the default security group, which has only inbound settings enabled; I cannot edit the outbound settings of that group (it is displayed as disabled in the EC2 dashboard), not sure why.

What I am trying to do is block all outbound calls from within the machine. I have an application and am trying to simulate running it in an offline environment where it can accept calls from outside the VM but cannot make any calls outside the VM.

Is there a way to achieve this in an EC2 VM? I am not sure what information I can provide at this point so I can get the best help, so please ask me for any additional information.

iptables is currently stopped in the VM; if I start it, it will block all inbound calls to the VM and I won't be able to hit the application (it is a web app).

Here is the output of iptables -L:

[root@ip-10-154-146-78 app_module]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination      
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Solution

If you are using EC2-Classic, you can't change the outbound rules. Only EC2-VPC allows you to configure outbound traffic in the security group. Also, security group rules are always permissive; you can't create rules that deny access. Please look into using a network ACL in EC2-VPC. It supports both allow and deny rules for inbound/outbound traffic. However, it operates at the subnet level instead of the instance level. If you launch only one instance in your VPC subnet and configure the ACL accordingly, it should meet your requirement to simulate your test case. Using iptables is also an option. You can see a tutorial at http://www.cyberciti.biz/tips/linux-iptables-11-how-to-block-or-open-httpweb-service.html on how to allow HTTP/HTTPS access using iptables.
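As an added example (not part of the question or the answer above), here is the iptables route the answer mentions, worked through for this exact case: the VM keeps accepting SSH and web traffic, replies on those connections still flow out, but any connection the VM itself tries to open is rejected and logged. It assumes the web app listens on TCP port 80 (passed as a parameter) and that the host uses the `state` match seen in the question's `iptables -L` output.

```shell
#!/bin/sh
# Added example: generate and apply an iptables-restore ruleset that makes
# an EC2 instance reachable from outside but unable to initiate anything.
# Assumption: the web app's TCP port is given as $1 (default 80).

outbound_block_rules() {
    web_port="${1:-80}"   # assumed web app port, adjust to your app
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
# Loopback stays open so local services can still talk to each other.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Inbound, mirroring the question's chain: SSH, the web app, and packets
# belonging to connections that are already open; reject the rest.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport ${web_port} -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# Outbound: only replies on connections opened from outside may leave.
# A NEW connection from the VM (DNS included) is logged, then rejected so
# the app fails fast instead of hanging on a silent drop.
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW -j LOG --log-prefix "OUTBOUND-BLOCKED: "
-A OUTPUT -j REJECT
COMMIT
EOF
}

# Apply atomically (root required). Save the current rules first so an
# open SSH session can roll back with: iptables-restore < /root/iptables.before
apply_outbound_block() {
    iptables-save > /root/iptables.before
    outbound_block_rules "${1:-80}" | iptables-restore
}

# Verify from inside the VM: a fresh outbound TCP connection must fail.
check_outbound_blocked() {
    if curl -s -m 5 -o /dev/null http://example.com/; then
        echo "outbound still allowed"; return 1
    fi
    echo "outbound blocked; see 'OUTBOUND-BLOCKED:' lines in the kernel log"
}

case "${1:-}" in
    preview) outbound_block_rules "${2:-80}" ;;
    apply)   apply_outbound_block "${2:-80}" && check_outbound_blocked ;;
esac
```

Run `sh block-outbound.sh preview 80` to review the ruleset before `apply`; inbound requests to the web port keep working because their reply packets match RELATED,ESTABLISHED in OUTPUT.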

Licensed under: CC-BY-SA with attribution