If you are using EC2-Classic, you can't change the outbound rules. Only EC2-VPC allows you to configure the outbound traffic in the security group. Also, security group rules are always permissive; you can't create rules that deny access. Please look into using a network ACL in EC2-VPC. It supports both allow rules and deny rules for inbound/outbound traffic. However, it operates at the subnet level instead of the instance level. If you launch only one instance in your VPC subnet and configure the ACL accordingly, it should meet your requirement to simulate your test case. Using iptables is also an option. You can see a tutorial at http://www.cyberciti.biz/tips/linux-iptables-11-how-to-block-or-open-httpweb-service.html on how to allow http/https access using iptables.
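The host-firewall route from the answer above, written out as an added example (it is not code from the answer, the question, or the linked tutorial): the VM keeps accepting inbound SSH and web traffic and can send replies to those connections, but every connection it tries to originate is logged and rejected. It assumes IPv4 only (ip6tables is not covered), that the web app listens on 80 and 443 (override with WEB_PORTS), and that the host needs no DNS, NTP or package-repository access for the duration of the test, which is the point of the exercise.

```shell
#!/bin/sh
# Added example: "accept inbound, originate nothing" iptables rule set.
# gen_rules prints the rules so they can be reviewed first; apply_rules feeds
# them to the shell as root. The question's existing INPUT chain already admits
# ssh, icmp and RELATED,ESTABLISHED traffic, so only the web ports are added.

WEB_PORTS="${WEB_PORTS:-80 443}"   # assumed listening ports of the web app

gen_rules() {
    # Loopback must stay open or local services (and many apps) break.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # Packets belonging to connections that arrived from outside are tracked as
    # ESTABLISHED, so the app can answer requests without any outbound allowance.
    echo "iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # Inbound service ports.
    for p in $WEB_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Anything the VM itself initiates: log it (so the application's outbound
    # attempts are visible in the kernel log), then reject it. The DROP policy
    # is a backstop in case the REJECT rule is ever removed.
    echo "iptables -A OUTPUT -m state --state NEW -j LOG --log-prefix 'BLOCKED-OUT: ' --log-level 4"
    echo "iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable"
    echo "iptables -P OUTPUT DROP"
}

apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    gen_rules | sh -e
}

# Number of rules the generator appends to a given chain (self-check helper).
count_chain() {
    gen_rules | grep -c -- "-A $1 "
}

case "${1:-}" in
    --apply) apply_rules ;;
    *)       gen_rules ;;
esac
```

Run it without arguments to print the rules, and with --apply (as root) to load them. Two things to check against the chain listing in the question before applying: rules appended with -A land after any existing terminal REJECT in INPUT, so if that REJECT precedes your new ACCEPTs, insert them with -I or flush the chain first; and the rules are not persistent, so save them with the distribution's iptables-save mechanism if the test has to survive a reboot. Rejected attempts show up in dmesg or the journal with the BLOCKED-OUT: prefix, which is a convenient way to enumerate what the application tries to reach.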
EC2 Block All Outbound calls
25-06-2023
Question
I have an EC2 VM; it is a CentOS machine that I have exported from a VMWare instance. The security group associated with this VM is the default security group. This default security group has only inbound settings enabled; I cannot edit the outbound settings of that group (it is displayed as disabled in the EC2 dashboard), not sure why.
What I am trying to do is to block all outbound calls from within the machine. I have an application and am trying to simulate running it in an offline environment where it can accept calls from outside the VM, but cannot make any calls outside the VM.
Is there a way to achieve this in an EC2 VM? I am not sure what information I can provide at this point so I can get the best help, so please ask me for any additional information.
iptables is currently stopped in the VM; if I start it, it will block all inbound calls to the VM, and I won't be able to hit the application (it is a web app).
Here is the output of iptables -L
[root@ip-10-154-146-78 app_module]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Solution