blazed’s tech blog

CoreOS, Iptables and Vulcand


Since a fresh install of CoreOS comes without any iptables rules you’ll have to write them yourself.

So in order to secure the host we have to add these rules ourselves. In the example below we start iptables and allow incoming traffic to ports 22, 80 and 443; everything else is dropped by the chain policy. However, vulcand kept failing to forward traffic without the “-A INPUT -i docker0 -j ACCEPT” line, so that part can probably be written better or differently. These rules also allow the containers to reach etcd.

user_data.yml
#cloud-config
---
coreos:
  units:
  - name: iptables-restore.service
    enable: true

write_files:
  - path: /var/lib/iptables/rules-save
    permissions: 0644
    owner: root:root
    content: |
      *filter
      :INPUT DROP [0:0]
      :FORWARD DROP [0:0]
      :OUTPUT ACCEPT [0:0]
      -A INPUT -i lo -j ACCEPT
      -A INPUT -i eth1 -j ACCEPT
      # without this blanket accept on docker0, vulcand failed to forward traffic
      -A INPUT -i docker0 -j ACCEPT
      -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
      -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
      -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
      -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
      -A FORWARD -i docker0 -o eth1 -j ACCEPT
      -A FORWARD -o docker0 -i eth1 -j ACCEPT
      # etcd (port 4001): containers via docker0, and the private network via eth1
      -A INPUT  -i docker0 -p tcp --dport 4001 -m state --state NEW,ESTABLISHED -j ACCEPT
      -A OUTPUT -o docker0 -p tcp --sport 4001 -m state --state ESTABLISHED -j ACCEPT
      -A OUTPUT -o eth1 -p tcp --dport 4001 -m state --state NEW,ESTABLISHED -j ACCEPT
      -A INPUT  -i eth1 -p tcp --sport 4001 -m state --state ESTABLISHED -j ACCEPT
      -A INPUT  -i eth1 -p tcp --dport 4001 -m state --state NEW,ESTABLISHED -j ACCEPT
      -A OUTPUT -o eth1 -p tcp --sport 4001 -m state --state ESTABLISHED -j ACCEPT
      COMMIT

Here’s a short explanation of what the rules do:

  • Allow all input on localhost (lo)
  • Allow all input on the private network (eth1 in this case)
  • Allow incoming TCP traffic on ports 22, 80 and 443
  • Allow TCP traffic to port 4001 (etcd) via docker0
  • Drop all other incoming traffic
  • Drop all traffic attempting to be forwarded through the host, except between docker0 and eth1
  • Allow all outbound traffic

These rules are restored on every boot. To verify the loaded configuration, run sudo iptables -nvL.
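Besides checking the live tables with iptables -nvL, the rules-save file can be audited before it is shipped in a cloud-config. The following is an added example (not part of the original post): a small Python parser for the iptables-save format that reports the INPUT policy, which ports are accepted from which interface, and which interfaces get a blanket ACCEPT such as the docker0 line discussed above. The function names and the embedded sample ruleset are constructed for this example.

```python
import shlex

# Constructed sample input: the INPUT side of the ruleset shown above.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i docker0 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i docker0 -p tcp --dport 4001 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
"""


def parse_rules_save(text):
    """Parse iptables-save output into chain policies and one dict per rule."""
    policies, rules = {}, []
    keys = {"-i": "iface", "-p": "proto", "--dport": "dport",
            "-j": "target", "--ctstate": "state", "--state": "state"}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":"):                 # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):             # "-A CHAIN <matches> -j TARGET"
            argv = shlex.split(line)
            rule = {"chain": argv[1], "iface": None, "proto": None,
                    "dport": None, "target": None, "state": None}
            for flag, value in zip(argv, argv[1:]):
                if flag in keys:
                    rule[keys[flag]] = value
            rules.append(rule)
    return policies, rules


def audit_input_chain(text):
    """Summarise what INPUT admits: default policy, accepted ports keyed by
    interface ('*' = any), and interfaces accepted with no port/proto/state match."""
    policies, rules = parse_rules_save(text)
    report = {"policy": policies.get("INPUT"), "open_ports": {}, "blanket_ifaces": set()}
    for r in rules:
        if r["chain"] != "INPUT" or r["target"] != "ACCEPT":
            continue
        if r["dport"] is not None:
            report["open_ports"].setdefault(r["iface"] or "*", set()).add(int(r["dport"]))
        elif r["iface"] and not (r["proto"] or r["state"]):
            report["blanket_ifaces"].add(r["iface"])   # e.g. the docker0 line
    return report
```

Running audit_input_chain on the post's ruleset shows the DROP policy, ports 22, 80 and 443 open from any interface, 4001 only via docker0, and lo, eth1 and docker0 as blanket-accepted interfaces.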

That’s it! At the moment we don’t use any other rules.
