Lock down specified outgoing IP addresses on a Linux server such that only specific OS users can access them. Used to protect metadata endpoints.
This module can lock down specified outgoing IP addresses on a Linux server such that only specific OS users can access them. The main motivation for locking down EC2 metadata is as follows:
This module has been tested specifically with Ubuntu, but will probably work with any Debian distribution that uses iptables.
In the example below we restrict access to the ec2-instance-metadata endpoint to the users foo, bar, and root. All other users on the instance will be blocked from access.
```
./ip-lockdown 169.254.169.254 foo bar root
```
Normally users make a curl call to get metadata such as the AWS region or the credentials associated with this EC2 instance's IAM role. Following the invocation of ip-lockdown, only the users foo, bar, and root can query that data.
The complete example of using Terraform to deploy a generated AMI into your AWS account and automatically invoke ip-lockdown from the User Data is also available in the examples folder.
To use this module, you just need to:
Install the ip-lockdown script on your servers. The best way to do that is to use the Gruntwork Installer in a Packer template (make sure to replace <BASH_COMMONS_VERSION> and <MODULE_SECURITY_VERSION> below with the latest versions from the bash-commons releases page and the module-security releases page):
```
gruntwork-install --module-name bash-commons --tag <BASH_COMMONS_VERSION> --repo https://github.com/gruntwork-io/bash-commons
gruntwork-install --module-name ip-lockdown --tag <MODULE_SECURITY_VERSION> --repo https://github.com/gruntwork-io/module-security
```
| Parameter | Description | Required | Example |
|-----------|-------------|----------|---------|
| IP | IP address that will be locked down (outgoing access will be disabled) for all but the users specified in the subsequent USER arguments | Required | 169.254.169.254 |
| USER | Space-separated whitelist of users who will be allowed outgoing access to the specified IP address | Optional | root (or any other OS user name) |
This script will insert the necessary rules to achieve the proper end result of only allowing the specified users to access the locked-down IPs.
The ip-lockdown script uses iptables under the hood. The iptables application works by defining rules that are then applied to each outgoing packet. The rules are applied in order (run `sudo iptables -L --line-numbers` to see your current rules as well as their rule indices).
In order to block access to a specific IP address YYY for everyone except a specific user foo, you need two rules: an allow rule that matches outgoing packets to YYY owned by user foo, followed by a block rule that matches all other outgoing packets to YYY.
The ordering of the rules is important as iptables will go through the rules list until it finds a matching rule. As soon as a matching rule is found none of the subsequent rules are evaluated.
In the above example, reversing those two rules would result in all access to YYY being blocked, even though there is a subsequent rule to allow foo access.
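The two-rule pattern and the first-match ordering described above, as an added example (not the Gruntwork ip-lockdown script itself): it generates one owner-match ACCEPT rule per allowed user followed by a catch-all DROP for the IP, and simulates how iptables walks that list. It assumes an OUTPUT chain whose default policy is ACCEPT and an otherwise empty chain, so appending with -A is enough to get the ordering right.

```shell
#!/bin/sh
# Added example (not the Gruntwork ip-lockdown script): generate the per-user
# iptables OUTPUT rules for one destination IP and simulate first-match
# evaluation. Assumes an OUTPUT chain whose default policy is ACCEPT.
set -eu

# build_lockdown_rules IP USER... : one iptables command per line, the ACCEPT
# rule for each user first, the catch-all DROP for the IP last.
build_lockdown_rules() {
  ip="$1"; shift
  for user in "$@"; do
    printf 'iptables -A OUTPUT -d %s -m owner --uid-owner %s -j ACCEPT\n' "$ip" "$user"
  done
  printf 'iptables -A OUTPUT -d %s -j DROP\n' "$ip"
}

# decide RULES DEST USER : walk the rules in order, like iptables does, and
# print the verdict of the first matching rule (or ACCEPT, the chain policy).
decide() {
  rules="$1"; dest="$2"; user="$3"
  old_ifs=$IFS; IFS='
'; set -f
  for rule in $rules; do
    case "$rule" in
      *"-d $dest -m owner --uid-owner $user -j ACCEPT") IFS=$old_ifs; set +f; echo ACCEPT; return 0 ;;
      *"-d $dest -j DROP") IFS=$old_ifs; set +f; echo DROP; return 0 ;;
    esac
  done
  IFS=$old_ifs; set +f
  echo ACCEPT
}

# apply_lockdown IP USER... : apply the rules (root needed); DRY_RUN=1 prints
# the commands instead of running them.
apply_lockdown() {
  build_lockdown_rules "$@" | while IFS= read -r cmd; do
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$cmd"; else sudo $cmd; fi
  done
}

# Usage: DRY_RUN=1 apply_lockdown 169.254.169.254 foo bar root
```

Swapping the order of the DROP and ACCEPT rules in the simulated list makes `decide` return DROP for foo as well, which is exactly the misordering the text warns about.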
In an ideal scenario, rather than adding one allow rule per user, we would just create a new canAccessIP group and add the required users to that group. Then we would need only two iptables rules to manage access.
Unfortunately iptables suffers from the limitation that it only compares the primary group of the user rather than all of the groups that the user belongs to. This limitation is the reason the ip-lockdown script has to create rules per user, as we do not want to modify each user's primary group in case that causes issues for some other process.
For reference of this limitation see the following: