$ sudo iptables -I OUTPUT -d 169.254.169.254 -j REJECT --reject-with icmp-admin-prohibited
$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/role_name
curl: (7) Failed to connect to 169.254.169.254 port 80: ホストへの経路がありません
- root ユーザ (UID 0) による通信を許可するルールを追加
$ sudo iptables -I OUTPUT -d 169.254.169.254 -m owner --uid-owner 0 -j ACCEPT
$ sudo curl http://169.254.169.254/latest/meta-data/iam/security-credentials/role_name
{
...
}
- ec2-user ユーザ (UID 500) も許可します
$ sudo iptables -I OUTPUT -d 169.254.169.254 -m owner --uid-owner 500 -j ACCEPT
$ id
uid=500(ec2-user) gid=500(ec2-user) groups=500(ec2-user),10(wheel)
$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/role_name
{
...
}
$ sudo iptables -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere instance-data.ap-northeast-1.compute.internal owner UID match ec2-user
ACCEPT all -- anywhere instance-data.ap-northeast-1.compute.internal owner UID match root
REJECT all -- anywhere instance-data.ap-northeast-1.compute.internal reject-with icmp-admin-prohibited
[Jul 3 16:22:49] DEBUG [amazon] execResult: servername: amazon
cmd: /usr/bin/ssh -tt -o StrictHostKeyChecking=yes -o LogLevel=quiet -o ConnectionAttempts=3 -o ConnectTimeout=10 -o ControlMaster=no -o ControlPath=none vuls-user@52.199.26.3 -p 22 -i /root/.ssh/id_rsa -o PasswordAuthentication=no stty cols 1000; curl --max-time 1 --retry 3 --noproxy 169.254.169.254 http://169.254.169.254/latest/meta-data/instance-id
exitstatus: 0
stdout: i-0bf0d78a268f80335
stderr:
err: %!s(<nil>)
[Jul 3 16:22:49] INFO [localhost] (1/1) amazon is running on aws
-
- インスタンス ID が取れなかったため running on other と判定
[Jul 3 16:14:56] DEBUG [amazon] execResult: servername: amazon
cmd: /usr/bin/ssh -tt -o StrictHostKeyChecking=yes -o LogLevel=quiet -o ConnectionAttempts=3 -o ConnectTimeout=10 -o ControlMaster=no -o ControlPath=none vuls-user@52.199.26.3 -p 22 -i /root/.ssh/id_rsa -o PasswordAuthentication=no stty cols 1000; curl --max-time 1 --retry 3 --noproxy 169.254.169.254 http://169.254.169.254/latest/meta-data/instance-id
exitstatus: 7
stdout: Warning: Transient problem: timeout Will retry in 1 seconds. 3 retries left.
curl: (7) Failed to connect to 169.254.169.254 port 80: No route to host
stderr:
err: %!s(<nil>)
[Jul 3 16:14:56] INFO [localhost] (1/1) amazon is running on other