Working iptables rules for LKE nodes

Hi,

Following up on https://www.linode.com/community/questions/19155/securing-k8s-cluster, I am trying to allow only the required access to my Linodes.

I added something like this to my iptables rules, but things started breaking in weird ways, so I backed out the changes.

(Note - I tried some weeks ago, but now I thought I'd ask before trying again)

echo '*filter' > /etc/iptables/rules.v4
echo -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT >> /etc/iptables/rules.v4
echo -A INPUT --proto tcp --dport 22 -j ACCEPT >> /etc/iptables/rules.v4
echo -A INPUT --proto tcp --dport 443 -j ACCEPT >> /etc/iptables/rules.v4
echo -A INPUT -d ${node} -j REJECT >> /etc/iptables/rules.v4
echo COMMIT >> /etc/iptables/rules.v4

Where $node is the public IP of the node. I could not use the interface name, because it looks like both the internal and external IP are bound to eth0.

Can anyone share a working set of iptables rules for securing LKE nodes?

Thanks,
Robert

5 Replies

Hey there -

I wanted to update this quickly, because I'm looking into this for you. I have reached out to our LKE team to get their insight into this, and once they have we'll give you an additional response here.

In the meantime, I've added a few additional tags to this to get it some more exposure to the Community so that some of our experienced LKE users can offer their ideas as well.

Hey @rgerke and thanks for the reply. I wanted to check whether you had any updates on this.

I'm happy to start with a minimal set of working changes, e.g. block port 12345 from the public network and allow it for k8s pods.

Last time I applied my rules I managed to block access between k8s pods as well, which is unfortunate…

Thanks,
Robert

Hey Robert -

I did look into this for you, and the issue you're dealing with is complicated because Kubernetes itself uses iptables to route traffic to your pods, services and other nodes. Because of that, changes to your iptables rules might conflict with those that Kubernetes is putting into place.

Something that might work for you down the road is our upcoming Cloud Firewall - and while it's still in the works, it's coming. Once it's ready we'll announce it on our blog.

In the meantime, I recommend checking out Kubernetes' network policies which should be able to help you work with the services running inside Kubernetes:

Kubernetes Network Policies

That said, I did get some input from one of our team members who's tried something similar. Although this isn't guaranteed to work, the suggestions they give are to write something that does the following:

  • Jumps to a custom user-defined chain from the start of the INPUT chain
  • Watches to ensure that that rule is always at the start of the INPUT chain
  • Manages those custom rules in that user-defined chain

It's not certain that this will always work reliably, but it might be worth giving a try.
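
An added example, not part of the original replies and not Linode's code: one way the three suggestions above could be scripted. The chain name LKE-NODE-IN, the 10-second re-check interval, the PUBLIC_IP variable and the single port-12345 rule (taken from the question) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: chain name LKE-NODE-IN,
# port 12345 (from the question), a 10 s re-check interval, PUBLIC_IP env var.
IPT="${IPT:-iptables}"   # needs root; a stub can be substituted for testing
CHAIN="LKE-NODE-IN"

# Reads `iptables -S INPUT` output on stdin; succeeds only if the first
# rule (the line after the "-P INPUT ..." policy) is the jump to $CHAIN.
jump_is_first() {
  awk -v want="-A INPUT -j $CHAIN" '
    /^-A INPUT / { found = ($0 == want); exit }
    END { exit !found }'
}

# Manage the custom rules: flush and refill so reruns are idempotent.
# Rules RETURN instead of ACCEPT so Kubernetes' own INPUT rules still run.
load_chain() {
  $IPT -N "$CHAIN" 2>/dev/null || true      # already exists on reruns
  $IPT -F "$CHAIN"
  $IPT -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
  $IPT -A "$CHAIN" -d "$1" -p tcp --dport 12345 -j REJECT
  $IPT -A "$CHAIN" -j RETURN
}

# Put the jump at position 1 and restore it if something displaced it.
ensure_jump() {
  if ! $IPT -S INPUT | jump_is_first; then
    # Remove every stale copy, then insert once at the top.
    while $IPT -D INPUT -j "$CHAIN" 2>/dev/null; do :; done
    $IPT -I INPUT 1 -j "$CHAIN"
  fi
}

# Usage: PUBLIC_IP=<node public IP> sh lke-guard.sh --watch
if [ "${1:-}" = "--watch" ]; then
  load_chain "${PUBLIC_IP:?set PUBLIC_IP to the node public address}"
  while :; do ensure_jump; sleep 10; done
fi
```

INPUT only sees packets delivered to the node itself; traffic that Kubernetes DNATs to a pod is forwarded and never reaches this chain.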

Thanks for the reply @rgerke. I'll try and look into it, although I'm not sure I will be able to - this looks way over my level of networking/iptables knowledge.

Really looking forward to the Cloud Firewall. If you have any sort of internal vote tracker, feel free to add my vote for this functionality.

@rombert Let the community know if you have any questions as you test out rgerke's suggestions. As for Cloud Firewall, while we don’t have an exact timeline for when we expect this to be available, this is already being worked on by our developers. We are looking to add this feature before the end of this year.

As rgerke mentioned, keep an eye on our blog for any future product announcements we might post - https://blog.linode.com
