
I have a small script like this to configure iptables:

#!/bin/bash

PRE_STR="iptables -t nat -A PREROUTING -p tcp -j DNAT"
FOR_STR="iptables -A FORWARD -p tcp -j ACCEPT"


#####################################
# instances
CM="10.0.1.137"
MASTER="10.0.1.149"
MYSQL="10.0.1.83"
REPORTING="10.0.1.85"

#####################################
# Clear Iptables
iptables -F
iptables -t nat -F

#####################################
# Forward to enable Internet on private nodes
iptables -t nat -A POSTROUTING -j MASQUERADE


#####################################
# Port forwarding

forward()
{
        $PRE_STR --dport $1 --to $2:$3
        $FOR_STR --dport $3 -d $2
}

#what   from    to ip           to port
forward 3222    $CM             22
forward 7183    $CM             7183
forward 7180    $CM             7180

forward 3122    $MASTER         22
forward 8888    $MASTER         8888
forward 11000   $MASTER         11000

forward 2122    $MYSQL          22
forward 13306   $MYSQL          3306

iptables-save > /etc/firewall.conf

The question is, how do I load /etc/firewall.conf with the current iptables settings on the next startup?

On a normal Debian machine I would put a script that fires iptables-restore < /etc/firewall.conf into the folder /etc/network/if-up.d/iptables. But this isn't available in this image.

So what is the correct way to load this /etc/firewall.conf?

AMI ID: ami-1de2d969

Update:

Is it ok to fire iptables-restore < /etc/firewall.conf from /etc/rc.local?

Source: http://www.cyberciti.biz/faq/how-do-i-save-iptables-rules-or-settings/

d0x
    This question comes up first for a Google query for "Amazon Linux AMI persist iptables", and it has two good answers that tell me exactly what I need to know. The question that this is a duplicate of has neither. Can we un-dupe this one? – Dirk Groeneveld Aug 12 '14 at 18:09

2 Answers

service iptables save

or

/etc/init.d/iptables save
Kevin

Debian (and derivatives) use the iptables-persistent package for this task.

Define your rules in /etc/iptables/rules.4 and/or /etc/iptables/rules.6 and activate the service (using update-rc.d, chkconfig or your tool of choice).

On RHEL and derivatives, the startup script /etc/init.d/iptables reads /etc/sysconfig/iptables, so you need to define your rules there, and ensure that the iptables service is activated (chkconfig iptables on) and started (service iptables start).

dawud
  • Ty for this tip. Do you know how to do it with Red Hat derivatives as well? This Amazon VPC image is based on Red Hat – d0x Aug 05 '13 at 08:20
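As an added example, not from the question or either answer: a check that a boot-time restore (whether fired from /etc/rc.local or by the iptables init script) should run before handing a saved dump to iptables-restore. The sample dump below is constructed here, and restore_saved_rules is a hypothetical helper name.

```shell
#!/bin/bash
# Validate an iptables-save dump before iptables-restore consumes it at boot.
# A truncated or malformed file makes iptables-restore abort, and since the
# script above already ran "iptables -F", the host would come up with no rules.

# check_ruleset_file FILE -> 0 if every table is opened and COMMITted, else 1
check_ruleset_file() {
    local file="$1" table="" line
    [ -r "$file" ] || { echo "unreadable: $file" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) ;;                      # blank lines and comments
            '*'*)                            # table header such as "*nat"
                [ -z "$table" ] || { echo "$table not committed" >&2; return 1; }
                table="${line#\*}" ;;
            'COMMIT')
                [ -n "$table" ] || { echo "COMMIT outside a table" >&2; return 1; }
                table="" ;;
            ':'*|'-A '*)                     # chain policy or rule line
                [ -n "$table" ] || { echo "rule outside a table: $line" >&2; return 1; } ;;
            *)  echo "unexpected line: $line" >&2; return 1 ;;
        esac
    done < "$file"
    [ -z "$table" ] || { echo "$table not committed (truncated file?)" >&2; return 1; }
}

# Hypothetical helper for /etc/rc.local: restore only a file that passes the check
# (newer iptables-restore also has --test, which parses without committing).
restore_saved_rules() {
    check_ruleset_file "$1" && iptables-restore < "$1"
}

# Constructed samples, not taken from the question: a complete dump and a
# truncated copy that stops before the first COMMIT.
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
# Generated by iptables-save
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 3222 -j DNAT --to-destination 10.0.1.137:22
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 10.0.1.137/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
head -n 6 "$good" > "$bad"
check_ruleset_file "$bad" || echo "rejected truncated dump: $bad"
```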