Iptables – Deny IP address on AWS ELB

amazon ec2amazon-web-servicesdenyipiptables

I've, more or less, following configuration on AWS:

Elastic load balancer with 3 machines o 3 different availability zones. My security group allows 0.0.0.0/0:80 as it's my rails application (nginx, unicorn).

I was wondering if there's any way to deny access to my app to an specific public ip address? I've been reading AWS documentation, but as SG's are "deny all" there's no way to deny just one specific IP address.

Any ideas? iptables on the 3 machines behind load balancer?

Thanks!

Best Answer

A straight forward solution is to use a VPC Network ACL Inbound Rule. This only works if your ELB is in a VPC, but if you've created it in the last few years it should be in the default one.

To ban 1.2.3.4 for example, do the following:

Login to AWS.
Navigate to VPC.
Choose Network ACLs from the left hand menu.
Choose the ACL associated with the VPC your ELB is in.
Choose the Inbound Rules tab.
Choose Edit and add a new rule with the following attributes:
- Rule #: 50 (any number as long as it's less than the rule that ALLOWs from ALL)
- Type: ALL Traffic
- Protocol: ALL
- Port Range: ALL
- Source: 1.2.3.4/32
- Allow / Deny: DENY

There's a bunch more information about Network ACLs here: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html

Related Solutions

Nginx AWS ELB – How to Set Real IP from AWS ELB Load Balancer Address

If you can guarantee that all requests will be coming from ELB (I'm not familiar with it), you could try:

real_ip_header X-Forwarded-For;
set_real_ip_from 0.0.0.0/0;

That should tell nginx to trust an X-Forwarded-For header from anyone. The downside is that if anyone directly accesses your server, they would be able to spoof an X-Forwarded-For header and nginx would use the wrong client ip address.

Determine availability zone of AWS IP address

That's not an easy task (if solvable at all), because availability zones are different per Amazon EC2 account in the first place, see FAQ How can I make sure that I am in the same Availability Zone as another developer?:

We do not currently support the ability to coordinate launches into the same Availability Zone across AWS developer accounts.

Eric Hammond has explored the topic and developed a technique/trick to work around this limitation, see Matching EC2 Availability Zones Across AWS Accounts:

Summary: EC2 availability zone names in different accounts do not match to the same underlying physical infrastructure. This article explains a trick which can be used to figure out how to match availability zone names between different accounts.

However, he stresses the respective caveats as well:

Please note that this approach is not a documented feature of Amazon EC2. [...]

Amazon could at any time restructure how these values work so that the described offering ids cannot be used between accounts or do not map to any common infrastructure.

The trick seems to work for the time being, so you might be able to achieve your goal by applying this technique, but be prepared for it not yielding a reliable solution down the road eventually.

Best Answer

Related Solutions

Nginx AWS ELB – How to Set Real IP from AWS ELB Load Balancer Address

Determine availability zone of AWS IP address

Related Topic