ECS 容器代理自省 iptables 配置

Question

We have a container that needs to contact the ECS container agent introspection endpoint at runtime.

The ecs task is using bridge networking mode.

The default iptables on our Amazon Linux 2 contain the following INPUT chain:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:51678
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

I've added the rule ACCEPT tcp -- anywhere anywhere tcp dpt:51678 as an attempt to allow our containers to access the introspection endpoint.

However, it doesn't work.

If I delete REJECT all -- anywhere anywhere reject-with icmp-port-unreachable I can access the ECS container agent introspection no issues at all.

It feels bad removing the REJECT all from a security standpoint. Am I wrong? Is my attempt incorrect?

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-introspection.html

If you're wondering, this is how we are hitting the endpoint at runtime from within our container

EC2_INSTANCE_ID=$(curl --silent ${ECS_CONTAINER_METADATA_URI_V4}/taskWithTags | jq -r '.ContainerInstanceTags.instanceid')

Help is greatly appreciated.

Answer 1

The amazon Linux 2 base ami we used had a reject all saved in the iptables chain INPUT.

Our old amazon Linux 1 instances didn't have this rule in their iptables.

To resolve this I did an iptables --flush and then added my desired rules and saved them.