Persisting iptables Rules After Reboot on Amazon Linux 2 EC2 Instances

When working with Amazon Linux 2 EC2 instances, you might notice that custom iptables rules don't persist after system reboots. This happens because:

  • Amazon Linux 2 uses a different initialization system (systemd) compared to traditional init systems
  • The default configuration doesn't automatically save and restore firewall rules
  • EC2 instances have unique networking considerations with elastic network interfaces

To properly save and restore iptables rules, we need these key elements:

# Required packages
sudo yum install -y iptables-services

# Basic service commands
sudo systemctl enable iptables
sudo systemctl start iptables

Here's the complete workflow to make your iptables rules persistent:

1. Save Current Rules

# The redirect must also run as root, otherwise the shell cannot write to /etc/sysconfig
sudo sh -c '/sbin/iptables-save > /etc/sysconfig/iptables'

2. Configure the iptables Service

sudo systemctl mask firewalld
sudo systemctl stop firewalld
sudo systemctl enable iptables
sudo systemctl start iptables

3. Create a Reload Hook

Add this script to handle interface changes. Note that the path follows the Debian ifupdown convention; Amazon Linux 2 does not ship /etc/network/if-pre-up.d, so on EC2 the NetworkManager dispatcher script shown further down is the native equivalent:

#!/bin/bash
# /etc/network/if-pre-up.d/iptablesload (must be executable: chmod +x)
echo "Loading iptables rules..."
/sbin/iptables-restore < /etc/sysconfig/iptables

For a web server setup, here's a complete iptables configuration:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

After implementation:

# Show the active rules (the saved copy lives in /etc/sysconfig/iptables)
sudo iptables -L -n -v

# Test persistence
sudo reboot
# Then verify rules after reboot
sudo iptables -L

For systems using NetworkManager:

# Create dispatcher script (run as root). NetworkManager passes the
# interface name as $1 and the action as $2; reload only when eth0 comes up.
cat > /etc/NetworkManager/dispatcher.d/01firewall <<'EOF'
#!/bin/bash
[ "$1" != "eth0" ] && exit 0
[ "$2" != "up" ] && exit 0
/sbin/iptables-restore < /etc/sysconfig/iptables
EOF
chmod +x /etc/NetworkManager/dispatcher.d/01firewall

Operational recommendations:

  • Always test rules in a non-production environment first
  • Maintain SSH access during rule implementation
  • Consider using AWS Security Groups alongside iptables
  • Regularly back up your iptables rules file

When working with Amazon Linux 2 EC2 instances, administrators often need to implement custom firewall rules using iptables. The core challenge emerges when these manually configured rules disappear after system reboots, requiring manual reconfiguration - a tedious and error-prone process in production environments.

Amazon Linux 2 uses systemd as its init system, but notably doesn't include the iptables-persistent package found in Debian-based systems. Instead, we'll use the iptables-services package from the Amazon Linux 2 repositories together with its systemd unit.

First, install the necessary package:

sudo yum install -y iptables-services

Stop any existing iptables services and flush rules:

sudo systemctl stop iptables
sudo iptables -F
sudo iptables -X

Add your rules using standard iptables syntax. For example, to allow SSH and HTTP traffic while accepting replies to connections the host itself opened (without the first two rules, the trailing DROP would also cut off outbound traffic and loopback):

# Accept established/related replies and loopback first, then the services, then drop the rest
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -j DROP

Save your current rules to the persistent storage location:

sudo service iptables save

This creates/updates /etc/sysconfig/iptables which will be loaded at boot.
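Before enabling the service, it is worth checking the saved file for the mistakes that lock you out at the next reboot. The script below is an added example, not part of the original post; check_ruleset and the two sample rulesets are constructed here, and in practice you would point it at /etc/sysconfig/iptables.

```bash
#!/bin/bash
# Pre-flight check for a ruleset in iptables-save format, meant to run
# against /etc/sysconfig/iptables before `systemctl enable iptables`.
# It catches the usual self-lockout mistakes: no ESTABLISHED,RELATED
# accept, no loopback accept, no SSH accept, or SSH accepted only after
# a catch-all DROP/REJECT. Returns 0 only when no problem is found.
check_ruleset() {
    local file="$1" problems=0 catchall ssh_rule
    grep -q '^\*filter$' "$file" || { echo "no *filter table"; problems=$((problems+1)); }
    grep -q '^COMMIT$' "$file" || { echo "no COMMIT line"; problems=$((problems+1)); }
    grep -Eq '^-A INPUT .*(--state|--ctstate) [A-Z,]*ESTABLISHED.* -j ACCEPT' "$file" ||
        { echo "no ESTABLISHED,RELATED accept (replies to outbound traffic get dropped)"; problems=$((problems+1)); }
    grep -Eq '^-A INPUT .*-i lo .*-j ACCEPT' "$file" ||
        { echo "no loopback accept"; problems=$((problems+1)); }
    # Line numbers of the first catch-all INPUT rule and the first SSH accept
    catchall=$(grep -nE '^-A INPUT -j (DROP|REJECT)' "$file" | head -n1 | cut -d: -f1)
    ssh_rule=$(grep -nE '^-A INPUT .*--dport 22 .*-j ACCEPT' "$file" | head -n1 | cut -d: -f1)
    if [ -z "$ssh_rule" ]; then
        echo "no SSH accept rule: the instance is unreachable after reboot"; problems=$((problems+1))
    elif [ -n "$catchall" ] && [ "$ssh_rule" -gt "$catchall" ]; then
        echo "SSH accept on line $ssh_rule is shadowed by the catch-all on line $catchall"; problems=$((problems+1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample rulesets (not captured from a real instance).
GOOD_RULES=$(mktemp); cat > "$GOOD_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
# The "allow 22 and 80, then DROP" rules saved without a conntrack rule
BAD_RULES=$(mktemp); cat > "$BAD_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
check_ruleset "$GOOD_RULES" && echo "good ruleset: ok"
check_ruleset "$BAD_RULES" || echo "bad ruleset: rejected"
```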

Ensure the service starts at boot:

sudo systemctl enable iptables
sudo systemctl start iptables

After reboot, verify your rules persisted:

sudo iptables -L -n -v

For complex rule sets, consider the service's own configuration file, /etc/sysconfig/iptables-config (which controls how the iptables service saves and restores rules), or using network hooks. Here's an example of adding NAT rules that persist:

sudo sh -c "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE \
&& service iptables save"