We have a container that needs to contact the ECS container agent introspection endpoint at runtime.
The ECS task is using bridge networking mode.
The default iptables rules on our Amazon Linux 2 instances contain the following INPUT chain:
```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:51678
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
```
I've added the rule `ACCEPT tcp -- anywhere anywhere tcp dpt:51678` as an attempt to allow our containers to access the introspection endpoint.
However, it doesn't work.
If I delete `REJECT all -- anywhere anywhere reject-with icmp-port-unreachable`, I can access the ECS container agent introspection endpoint with no issues at all.
It feels bad removing the REJECT all from a security standpoint. Am I wrong? Is my attempt incorrect?
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-introspection.html
If you're wondering, this is how we are hitting the endpoint at runtime from within our container:

```
EC2_INSTANCE_ID=$(curl --silent ${ECS_CONTAINER_METADATA_URI_V4}/taskWithTags | jq -r '.ContainerInstanceTags.instanceid')
```
Help is greatly appreciated.
The Amazon Linux 2 base AMI we used had a reject-all rule saved in the iptables INPUT chain.
Our old Amazon Linux 1 instances didn't have this rule in their iptables.
To resolve this I did an `iptables --flush` and then added my desired rules and saved them.
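The catch-all REJECT only blocks traffic that no earlier rule accepted, so an alternative to flushing the chain is to keep the default-deny and insert the specific ACCEPT above it with `iptables -I INPUT <position>` (an `iptables -A` appends below the REJECT and is never reached). The script below is an added example, not code from the question or the answer: it runs the ordering check against a constructed `iptables -S INPUT` listing whose interface and match details are assumed rather than copied from the host above.

```shell
#!/usr/bin/env bash
# Constructed sample of `iptables -S INPUT` output. The ACCEPT for 51678 was
# appended with -A, so it sits below the catch-all REJECT and is dead.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 51678 -j ACCEPT'

# Position (1-based, counting only -A lines) of the first catch-all REJECT/DROP
# in the listing passed as $1; prints 0 when the chain has none.
catchall_position() {
  printf '%s\n' "$1" | awk '
    /^-A INPUT / { n++ }
    /^-A INPUT -j (REJECT|DROP)/ { print n; found = 1; exit }
    END { if (!found) print 0 }'
}

# Position of the ACCEPT rule for tcp dport $2 in listing $1; 0 when absent.
accept_position() {
  printf '%s\n' "$1" | awk -v port="$2" '
    /^-A INPUT / { n++ }
    /^-A INPUT / && $0 ~ ("--dport " port " ") && /-j ACCEPT/ { print n; found = 1; exit }
    END { if (!found) print 0 }'
}

# Succeeds when port $2 has no live ACCEPT: the rule is missing or it is
# ordered after the catch-all, so the REJECT fires first.
port_is_shadowed() {
  catchall=$(catchall_position "$1")
  accept=$(accept_position "$1" "$2")
  [ "$accept" -eq 0 ] && return 0
  [ "$catchall" -ne 0 ] && [ "$accept" -gt "$catchall" ]
}

# Command that inserts the ACCEPT for $2 directly above the catch-all, keeping
# the default-deny intact instead of flushing the whole chain.
insert_command() {
  pos=$(catchall_position "$1")
  [ "$pos" -eq 0 ] && pos=1
  printf 'iptables -I INPUT %s -p tcp -m tcp --dport %s -j ACCEPT\n' "$pos" "$2"
}

for port in 22 51678; do
  if port_is_shadowed "$SAMPLE_RULES" "$port"; then
    echo "dport $port: dead or missing ACCEPT; fix: $(insert_command "$SAMPLE_RULES" "$port")"
  else
    echo "dport $port: live ACCEPT at position $(accept_position "$SAMPLE_RULES" "$port")"
  fi
done
```

Run the same functions against the real output of `iptables -S INPUT` to confirm that the rule you added is listed above the REJECT, and that a working rule's removal is therefore not required.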