Seven Minute Server

May 9, 2017 - 3 minute read - Security sysadmin aws

Locking down ports on Amazon Lightsail

I’ve been using Amazon Lightsail, which is kind of an “EC2-lite” to host my VPN server. It’s quick to set up and tear down, but one limitation is that, unlike traditional EC2, you can’t granularly control access to firewall ports from Amazon’s web UI. You open the port or close it, it’s all or nothing. While I might leave the VPN port open to access via mobile device, I don’t really want SSH open to the world. In addition, you can access Lightsail using Amazon’s web console, so you don’t even really need SSH open to yourself, just Amazon’s internal network.

What follows is a quick how-to for blocking access to your system using iptables, excerpted from my book, The Seven Minute Server: Build Your Own VPN.

Note that this procedure assumes you’re running a VPN on the system and want to block SSH, and thus includes rules to allow access from IPs you might use to access the system if connected to the VPN. Switch -p tcp and --dport 22 to whichever port/protocol you need to block.

Using iptables to Block Outside Access to Your Systems

  1. Open the Lightsail console, tap the menu next to your instance, and select Connect.

  2. Type last to show the last IP addresses that accessed the system; this will show our internal network via the web console. For instance, if all connections came from between 72.21.217.1 through 72.21.217.255, we can assume Amazon is using this network block to manage Lightsail.

  3. Once in, enter the following command to allow the web-based console connection (72.21.217.0/8), the internal EC2 network (172.0.0.0/12), the internal VPN network (10.0.0.0/8), the VPN server’s external address (s.s.s.s/32 below; add your VPN server’s external IP here instead) and any IP address you normally use to connect via SSH into the system:

    $ sudo iptables -A INPUT -p tcp -s 172.0.0.0/12 --dport 22 -j ACCEPT
    $ sudo iptables -A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -j ACCEPT
    $ sudo iptables -A INPUT -p tcp -s 72.21.217.0/24 --dport 22 -j ACCEPT
    $ sudo iptables -A INPUT -p tcp -s s.s.s.s/32 --dport 22 -j ACCEPT
    $ sudo iptables -A INPUT -p tcp -s y.y.y.y/32 --dport 22 -j ACCEPT
    
  4. Run the following command to show your changes to the INPUT chain and review them. Make sure they are correct or you may be locked out (restart the system to clear the rules if you goof up!):

    $ sudo iptables -L INPUT
    
  5. If you need to delete any rules, use the same syntax, but replace the -A with a -D, for example:

    $ sudo iptables -D INPUT -p tcp -s 172.0.0.0/12 --dport 22 -j ACCEPT
    
  6. Once you’ve got these in, you’re ready to block port 22 to everyone else:

    $ sudo iptables -A INPUT -p tcp --dport 22 -j DROP
    
  7. Make sure you still have access! If not, you can reboot the system to clear your changes. If the changes are good and you can still access your server via SSH, save your changes and restart:

    $ sudo service iptables save && sudo service iptables restart
    

If you’re logged on using the web console, you may get kicked off during restart. You can click Reconnect to reconnect.