Since a fresh install of CoreOS comes without any iptables rules, you’ll have to write them yourself.
So in order to secure it we’ll have to add the rules. In the example below we start iptables and allow incoming traffic to ports 22, 80 and 443. The rest is rejected. However, vulcand kept failing to forward the traffic without the “-A INPUT -i docker0 -j ACCEPT” part; it can probably be written better or differently. These rules also allow the containers to get access to etcd.
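Separately from the rules this post refers to, here is a check for whether a saved ruleset matches the policy just described. It is an added example, not part of the original post; the function names `audit_input_rules` and `sample_ruleset` and the sample ruleset are constructed for illustration.

```shell
# Added example: audit an iptables-save dump (stdin) against the policy in the
# text: TCP 22, 80, 443 open, docker0 accepted, everything else denied.
# No output means it matches. Assumption: ports use --dport, not multiport.
audit_input_rules() {
  awk -v allowed="22 80 443" '
    BEGIN { n = split(allowed, want, " "); for (i = 1; i <= n; i++) ok[want[i]] = 1 }
    /^\*/ { table = substr($1, 2) }          # track the current table
    table != "filter" { next }               # nat/mangle chains are ignored
    /^:INPUT / { policy = $2 }
    /^-A INPUT / {
      port = ""; target = ""; iface = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "--dport") port = $(i + 1)
        if ($i == "-i") iface = $(i + 1)
        if ($i == "-j") target = $(i + 1)
      }
      # An ACCEPT placed after the catch-all deny never matches.
      if (target == "ACCEPT" && denied) { print "unreachable after catch-all: " $0; next }
      if ($3 == "-j" && target == "ACCEPT") print "accept-all rule: " $0
      if ($3 == "-j" && (target == "REJECT" || target == "DROP")) denied = 1
      if (target == "ACCEPT" && iface == "docker0") docker = 1
      if (target == "ACCEPT" && port != "") {
        seen[port] = 1
        if (!(port in ok)) print "unexpected open port: " port
      }
    }
    END {
      for (i = 1; i <= n; i++)
        if (!(want[i] in seen)) print "expected port not open: " want[i]
      if (!docker) print "missing: -A INPUT -i docker0 -j ACCEPT"
      if (policy != "DROP" && !denied) print "no default deny on INPUT"
    }'
}

# Constructed sample in iptables-save format (not the ruleset from the post).
sample_ruleset() {
  cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i docker0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}
```

On a host, the live ruleset can be checked with `iptables-save | audit_input_rules`.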