How do I use iptables to test a Gateway Load Balancer that has an Amazon EC2 instance as a target?

4 minute read

I want to use iptables to test my Gateway Load Balancer that has an Amazon Elastic Compute Cloud (Amazon EC2) instance as a target. The instance runs Amazon Linux 2023.

Short description

Configure iptables rules on an Amazon EC2 instance that's running Amazon Linux 2023 to test how the Gateway Load Balancer works within your environment. Iptables rules can also help you determine connectivity issues with the firewall. If the Gateway Load Balancer successfully routes traffic through the instance, then the connectivity issues are related to the firewall.

Use iptables only to test your Gateway Load Balancer.

Resolution

Note the Gateway Load Balancer IP addresses

To configure the variables in the iptables rules, you need the IP addresses and their Availability Zones for the Gateway Load Balancer's elastic network interface.

To find the IP addresses, complete the following steps:

Open the Amazon EC2 console.
In the navigation pane, choose Network Interfaces.
Choose Search, and then choose Description from the dropdown list.
Enter your Gateway Load Balancer's name in the Description = field, and then select your Gateway Load Balancer.

You receive a list of network interfaces for each activated subnet in your Gateway Load Balancer. Each network interface has an IP address and Availability Zone associated with it.

Configure the iptables rules

Use SSH to access the EC2 instance that you're going to use as a target or firewall behind the Gateway Load Balancer. In the following example commands, Availability Zone A is the source zone, and Availability Zones B and C are the zones that the source zone sends traffic to.

Set the IP addresses for the Gateway Load Balancer and EC2 instance

Enter the IP addresses for the Gateway Load Balancer and the instance:

export GWLB_IP_A=<GLWB ENI IP from Availability Zone A>  
export INSTANCE_IP=<EC2 instance's IP>

Note: Replace GLWB IP from Availability Zone A and EC2 instance's IP with your values.

(Optional) Configure additional tables for cross-zone traffic

If you activated cross-zone traffic, then run the following commands:

export GWLB_IP_B=<GLWB ENI IP from Availability Zone B>  
export GWLB_IP_C=<GLWB ENI IP from Availability Zone C>

Note: Replace GLWB ENI IP from Availability Zone B and GLWB ENI IP from Availability Zone C with your values. You must have an iptables rule for the Gateway Load Balancer's network interface for every Availability Zone on every target EC2 instance.

Set up the iptables

To install and activate the iptables, run the following commands:

sudo sysctl -w net.ipv4.ip_forward=1  
sudo yum install -y iptables-services  
sudo systemctl enable iptables  
sudo systemctl start iptables

Set the default policies to ACCEPT for each built-in chain

To set the default policies, run the following commands:

sudo iptables -P INPUT ACCEPT  
sudo iptables -P FORWARD ACCEPT  
sudo iptables -P OUTPUT ACCEPT

Flush the NAT and mangle tables, chains (-F) and delete settings

To flush the NAT and mangle tables, and chains and delete settings, run the following commands:

sudo iptables -t nat -F  
sudo iptables -t mangle -F  
sudo iptables -F  
sudo iptables -X

Configure the NAT table to reroute traffic back to the Gateway Load Balancer

To reroute the traffic, run the following commands:

sudo iptables -t nat -A PREROUTING -p udp -s $GWLB_IP_A -d $INSTANCE_IP -i enX0 -j DNAT --to-destination $GWLB_IP_A:6081  
sudo iptables -t nat -A POSTROUTING -p udp --dport 6081 -s $GWLB_IP_A -d $GWLB_IP_A -o enX0 -j MASQUERADE,/code>

(Optional) Add NAT rules to manage cross-zone traffic

To add NAT rules for cross-zone traffic, run the following commands:

sudo iptables -t nat -A PREROUTING -p udp -s $GWLB_IP_B -d $INSTANCE_IP -i enX0 -j DNAT --to-destination $GWLB_IP_B:6081  
sudo iptables -t nat -A POSTROUTING -p udp --dport 6081 -s $GWLB_IP_B -d $GWLB_IP_B -o enX0 -j MASQUERADE  
  
sudo iptables -t nat -A PREROUTING -p udp -s $GWLB_IP_C -d $INSTANCE_IP -i enX0 -j DNAT --to-destination $GWLB_IP_C:6081  
sudo iptables -t nat -A POSTROUTING -p udp --dport 6081 -s $GWLB_IP_C -d $GWLB_IP_C -o enX0 -j MASQUERADE

Save the iptables

To save the iptables, run the following command:

sudo service iptables save

Check the status

To verify that the iptables rules are correctly configured, run the following command:

sudo service iptables status

Run a health check for the Gateway Load Balancer

To check the Gateway Load Balancer's health, run the following commands:

sudo su  
yum install -y httpd  
service httpd start  
chkconfig httpd on  
echo "Health check page" >>/var/www/html/index.html  
exit

Topics

Networking & Content Delivery

Relevant content

IPTABLES - Unexpected traffic - EC2 - Should I configure IPTABLES on instance command line?
Marcelo
asked 8 months ago
IPtables isn't working on Amazon Linux 2
Frank
asked 4 years ago
ApiGateway to control an EC2 instance with load balancer running a FastAPI
Accepted Answer
AWS-User-7781609
asked 2 years ago
Why I Can't make SNAT using IPTables in EC2?
Ellipsis_
asked a year ago
How to configure an ALB to target an internal application using ec2 instances randomly within a IP range?
Ravinder
asked 2 years ago
Why can't my Amazon EC2 instance access the internet through an internet gateway?
AWS OFFICIALUpdated 2 months ago
How can I connect to a private Amazon RDS DB instance from a local machine using an Amazon EC2 instance as a bastion host?
AWS OFFICIALUpdated 2 years ago
How do I assign a static hostname to an Amazon EC2 instance that runs Ubuntu Linux?
AWS OFFICIALUpdated a year ago
Why can't I connect to a website that is hosted on my EC2 instance?
AWS OFFICIALUpdated a month ago
Access a private Amazon Redshift from a local machine via a private EC2 instance
EXPERT
Ziad
published a year ago