@achille-roussel Still working on this! The iptables rules are causing some issues.

Okie doke, this is ready to go @achille-roussel! One minor note: if you run sudo iptables -t nat -L, you'll get something that looks like this:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             169.254.170.2        tcp dpt:http to:127.0.0.1:51679
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             169.254.170.2        tcp dpt:http redir ports 51679
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

On the ECS-Optimized AMI, the PREROUTING and OUTPUT chains are reversed, like so:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
DNAT       tcp  --  anywhere             169.254.170.2        tcp dpt:http to:127.0.0.1:51679

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
REDIRECT   tcp  --  anywhere             169.254.170.2        tcp dpt:http redir ports 51679

I'm not sure the order is a huge deal, but if it is, let me know and I'll try to figure something out. I'm not sure we can get around changing the order without a) updating iptables in the base AMI or b) manually re-ordering the rules in the ecs build, but that feels dirty. If you're game for setting up these changes in the base ami, let me know.

Another few notes:

Line 12:
I'm not entirely 💯 why we're stopping the service, but all the articles I read about persisting iptables rules did this and in my personal tests it didn't look like iptables rules saved while it was running, iirc. If someone else knows the answer, I'm all ears!

You'll notice on line 19 that we manually trigger saving the rules. If anyone else needs to make iptables changes, they'll need to run netfilter-persistent save just like we are here after their changes have been made in order to persist them.

I don't deal with iptables on a daily basis so I couldn't tell you if netfilter-persistent is being used properly here.

We have our private AMIs configured for ECS task roles at Segment and the rules show up in the same order that you have, so I assume it should be working just fine.

Have you been able to test this? It should tell us pretty quickly if this is working or not.

@achille-roussel yup, I was testing it as I was going. Can confirm roles are working.

Awesome! I'm happy to merge those changes, thanks for your contribution, I'm sure this will be very useful to plenty of people!

😄 Thanks for all of yours!