How to set up network ACLs on Amazon Virtual Private Cloud?

Source: Internet

I have set up an Amazon Virtual Private Cloud (VPC). Inside the VPC I have 2 networks in which I create instances. For security reasons I want to put some network access control lists (Network ACLs) on those networks, besides the machines' firewalls. Following the Amazon example I have a public network (exposed to internet access) 10.0.0.0/24 and 3 private networks 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24. The traffic between them is routed.

So for the network 10.0.1.0/24, as ACLs, I put this:

Inbound:
10.0.0.0/24 port 80 (HTTP)
10.0.0.0/24 port 22 (SSH)
10.0.2.0/24 port 3306 (MySql)
10.0.3.0/24 port 3306 (MySql)

Outbound
ALL ALL

For the networks 10.0.2.0/24 and 10.0.3.0/24:

Inbound 
10.0.1.0/24 port 3306 (MySql)

Outbound
ALL ALL

For the public network 10.0.0.0/24 in here I have an exposed load balancer, which is redirecting traffic to the private network 10.0.1.0/24, where an app is responding over HTTP:

Inbound
0.0.0.0/0 port 80 (HTTP)
0.0.0.0/0 port 443 (HTTPS)
0.0.0.0/0 port 22 (SSH)

Outbound
ALL ALL

The problem is, when I put those rules in action, all traffic freezes and the app is not available. What's happening? Am I doing something wrong?

2 solutions

#1


19  

Update

Your rules are currently lacking an additional and likely relevant fragment related to the FAQ What are the differences between security groups in a VPC and network ACLs in a VPC?:

Security groups in a VPC specify which traffic is allowed to or from an Amazon EC2 instance. Network ACLs operate at the subnet level and evaluate traffic entering and exiting a subnet. Network ACLs can be used to set both Allow and Deny rules. Network ACLs do not filter traffic between instances in the same subnet. In addition, network ACLs perform stateless filtering while security groups perform stateful filtering. [emphasis mine]

This is addressed further in What is the difference between stateful and stateless filtering?:

Stateful filtering tracks the origin of a request and can automatically allow the reply to the request to be returned to the originating computer. [...]

Stateless filtering, on the other hand, only examines the source or destination IP address and the destination port, ignoring whether the traffic is a new request or a reply to a request. In the above example, two rules would need to be implemented on the filtering device: one rule to allow traffic inbound to the web server on tcp port 80, and another rule to allow outbound traffic from the webserver (tcp port range 49,152 through 65,535). [emphasis mine]

Now, you allow all outbound traffic already, so this doesn't apply as per the example, but the same issue applies the other way round as well, so e.g. for HTTP requests originating from your EC2 instances you'll need to have a corresponding inbound rule as outlined, see section Ephemeral Ports within Network ACLs for more details on this:

The client that initiates the request chooses the ephemeral port range. The range varies depending on the client's operating system. [...]

If an instance in your VPC is the client initiating a request, your network ACL must have an inbound rule to enable traffic destined for the ephemeral ports specific to the type of instance (Amazon Linux, Windows Server 2008, etc.).

In practice, to cover the different types of clients that might initiate traffic to public-facing instances in your VPC, you need to open ephemeral ports 1024-65535. [...]

Solution

Accordingly, section Recommended Rules for Scenario 2 within Appendix A: Recommended Network ACL Rules suggests the following inbound rule (OS dependent example) for your scenario:

Inbound:
0.0.0.0/0 port 49152-65535 (TCP)

To test whether this issue actually applies, you might simply include the entire ephemeral port range:

Inbound:
0.0.0.0/0 port 1024-65535 (TCP)

Initial Answer (obsolete)

For the public network 10.0.0.0/24 in here I have an exposed load balancer, which is redirecting traffic to the private network 10.0.1.0/24, where an app is responding over http

Your setup suggests you intend to terminate SSL on the load balancer as usual; given your increased security requirements you might actually have set up the Elastic Load Balancing for back-end HTTPS communication as well (see Architectural Overview) - you don't seem to have an ACL rule accommodating inbound HTTPS traffic to 10.0.1.0/24 though, so that would be the one missing in that case:

Inbound:
10.0.0.0/24 port 80 (HTTP)
10.0.0.0/24 port 443 (HTTPS) // <= missing in your example currently!
10.0.0.0/24 port 22 (SSH)
10.0.2.0/24 port 3306 (MySql)
10.0.3.0/24 port 3306 (MySql)

Outbound
ALL ALL

#2


0  

If you want to open ephemeral ports except for ports below 10,000 regarding exceptions for tomcat, other servlets, etc., just create specific rules per exception range. Rules are evaluated from the lowest number first to the highest number last, with the highest valid rule number being 32766.


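Both answers describe the network ACL semantics in words: answer #1 that ACLs are stateless and subnet-level and that a reply needs its own inbound rule on the ephemeral port range, answer #2 that rules are evaluated lowest number first with 32766 the highest valid number. The following is an added example, written for this page rather than taken from either answerer or from AWS, that models exactly those semantics in Python and loads the rule set from the question to show which packet it actually drops. Rule numbers (100, 110, ...), the instance addresses (10.0.0.10, 10.0.1.10, 10.0.2.10), the client ports, and the port 8080 carve-out are my own assumptions; the model is TCP-only, ignores protocol and ICMP rules, and does not model security groups or the load balancer's health checks.

```python
import ipaddress
from dataclasses import dataclass

MAX_RULE_NUMBER = 32766  # highest valid rule number; '*' is the implicit final deny


@dataclass(frozen=True)
class Rule:
    number: int     # evaluated in ascending order, first match wins
    cidr: str       # source CIDR for an inbound rule, destination CIDR for an outbound one
    port_from: int  # inclusive destination-port range (source ports are never matched)
    port_to: int
    action: str = "allow"

    def __post_init__(self):
        if not 1 <= self.number <= MAX_RULE_NUMBER:
            raise ValueError(f"rule number {self.number} outside 1..{MAX_RULE_NUMBER}")

    def matches(self, peer_ip, dst_port):
        return (ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.cidr)
                and self.port_from <= dst_port <= self.port_to)


ALL_TRAFFIC = Rule(100, "0.0.0.0/0", 0, 65535)  # the question's "Outbound ALL ALL"


@dataclass(frozen=True)
class Subnet:
    cidr: str
    inbound: tuple   # Rule objects
    outbound: tuple


def evaluate(rules, peer_ip, dst_port):
    """First match in rule-number order; no match at all means the trailing '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(peer_ip, dst_port):
            return rule.action == "allow"
    return False


def subnet_of(subnets, ip):
    """The subnet an address lives in, or None for addresses outside the VPC (the Internet)."""
    for subnet in subnets:
        if ipaddress.ip_address(ip) in ipaddress.ip_network(subnet.cidr):
            return subnet
    return None


def packet_passes(subnets, src_ip, dst_ip, dst_port):
    """One packet, one direction: leave the source subnet, then enter the destination subnet."""
    src, dst = subnet_of(subnets, src_ip), subnet_of(subnets, dst_ip)
    if src is not None and src is dst:
        return True  # network ACLs do not filter traffic between instances in the same subnet
    if src is not None and not evaluate(src.outbound, dst_ip, dst_port):
        return False
    return dst is None or evaluate(dst.inbound, src_ip, dst_port)


def tcp_session(subnets, client_ip, client_port, server_ip, server_port):
    """Stateless filtering: the reply is a separate packet aimed at the client's ephemeral
    port and must pass on its own. Returns (request_allowed, reply_allowed)."""
    request = packet_passes(subnets, client_ip, server_ip, server_port)
    reply = packet_passes(subnets, server_ip, client_ip, client_port)
    return request, reply


def askers_vpc():
    """The subnets and the inbound/outbound rules exactly as listed in the question."""
    public = Subnet("10.0.0.0/24",
                    inbound=(Rule(100, "0.0.0.0/0", 80, 80), Rule(110, "0.0.0.0/0", 443, 443),
                             Rule(120, "0.0.0.0/0", 22, 22)),
                    outbound=(ALL_TRAFFIC,))
    app = Subnet("10.0.1.0/24",
                 inbound=(Rule(100, "10.0.0.0/24", 80, 80), Rule(110, "10.0.0.0/24", 22, 22),
                          Rule(120, "10.0.2.0/24", 3306, 3306), Rule(130, "10.0.3.0/24", 3306, 3306)),
                 outbound=(ALL_TRAFFIC,))
    dbs = tuple(Subnet(cidr, inbound=(Rule(100, "10.0.1.0/24", 3306, 3306),), outbound=(ALL_TRAFFIC,))
                for cidr in ("10.0.2.0/24", "10.0.3.0/24"))
    return (public, app) + dbs


def with_ephemeral_inbound(subnets, carve_outs=(), low=1024, high=65535):
    """Answer #1's fix: inbound allow for the ephemeral range on every subnet. Carve-out rules
    (answer #2's idea) must carry lower numbers than the broad allow so they match first."""
    allow = Rule(900, "0.0.0.0/0", low, high)
    return tuple(Subnet(s.cidr, s.inbound + tuple(carve_outs) + (allow,), s.outbound) for s in subnets)


if __name__ == "__main__":
    # Load balancer 10.0.0.10 (ephemeral port 50000, assumed) talks to the app at 10.0.1.10:80.
    print("LB -> app, question's rules:", tcp_session(askers_vpc(), "10.0.0.10", 50000, "10.0.1.10", 80))
    fixed = with_ephemeral_inbound(askers_vpc())
    print("LB -> app, with ephemeral rule:", tcp_session(fixed, "10.0.0.10", 50000, "10.0.1.10", 80))
    # Hypothetical carve-out: keep 8080 closed while the rest of the range opens.
    carved = with_ephemeral_inbound(askers_vpc(), carve_outs=(Rule(890, "0.0.0.0/0", 8080, 8080, "deny"),))
    print("LB -> app:8080, with carve-out:", packet_passes(carved, "10.0.0.10", "10.0.1.10", 8080))
```

With the question's rules the request from the load balancer reaches the app (public subnet outbound allows everything, 10.0.1.0/24 inbound allows port 80 from 10.0.0.0/24), but the app's reply is a new packet entering 10.0.0.0/24 on the load balancer's ephemeral port, and the public subnet's inbound list only has 80, 443 and 22, so it hits the '*' deny: exactly the "all traffic freezes" symptom. The same thing breaks the MySQL replies from 10.0.2.0/24 and 10.0.3.0/24 back into 10.0.1.0/24. Traffic from the Internet to the load balancer was never affected, because the Internet side has no ACL and the public subnet's outbound is open. The model also shows the flip side of statelessness: with the ephemeral rule in place a reply can be allowed even when the matching request would be blocked, which is why a broad inbound ephemeral rule is only safe together with a security group that does track state.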