MoinMoin in Production on CoreOS - Part 8: iptables on DigitalOcean
DigitalOcean now officially supports CoreOS, with cloud-config integrated: supplying cloud-config settings through the web console or the API is a better experience than on other VPS providers. I often use IDCF Cloud, which provides a virtual router so that every instance sits behind a firewall. When I started using CoreOS on DigitalOcean I was a bit surprised that a droplet comes with no iptables rules at all and is open to the world by default.
cloud-config with iptables
Thanks to this post, I learned how to configure iptables rules, and I edited the cloud-config data I provide to DigitalOcean accordingly. When writing the iptables rules inside a write_files directive, end the file with a comment line after COMMIT: iptables-restore expects the COMMIT line to be newline-terminated, and a trailing comment line guarantees that regardless of how the YAML block scalar is chomped. Note that the file by itself does nothing until something runs iptables-restore on /etc/iptables.rules at boot, so after the droplet comes up, confirm the rules are actually loaded with iptables -L -n -v. These are IPv4 rules only; if the droplet has IPv6 enabled, ip6tables needs its own rules or the host stays open on IPv6.
#cloud-config
write_files:
  - path: /opt/bin/docker-enter    # the header of this entry is missing from the page; path and mode assumed
    permissions: 0755
    content: |
      #!/bin/sh
      if [ -e $(dirname "$0")/nsenter ]; then
        # with boot2docker, nsenter is not in the PATH but it is in the same folder
        NSENTER=$(dirname "$0")/nsenter
      else
        NSENTER=nsenter
      fi

      if [ -z "$1" ]; then
        echo "Usage: `basename "$0"` CONTAINER [COMMAND [ARG]...]"
        echo ""
        echo "Enters the Docker CONTAINER and executes the specified COMMAND."
        echo "If COMMAND is not specified, runs an interactive shell in CONTAINER."
      else
        PID=$(docker inspect --format "{{.State.Pid}}" "$1")
        [ -z "$PID" ] && exit 1
        shift

        # nsenter options: enter every namespace of the container's init process
        # (this assignment is missing from the page text; restored so the script runs)
        OPTS="--target $PID --mount --uts --ipc --net --pid --"

        if [ "$(id -u)" -ne "0" ]; then
          which sudo > /dev/null
          if [ "$?" -eq "0" ]; then
            LAZY_SUDO="sudo"
          else
            echo "Warning: Cannot find sudo; Invoking nsenter as the user $USER." >&2
          fi
        fi

        # Get environment variables from the container's root process
        # (this assignment is also missing from the page text; restored so the script runs)
        ENV=$(sudo cat /proc/$PID/environ | xargs -0 bash -c 'printf "%q " "$@"' --)

        # env is to clear all host environment variables and set them anew
        if [ $# -lt 1 ]; then
          # No arguments, default to `su` which executes the default login shell
          $LAZY_SUDO "$NSENTER" $OPTS env -i - $ENV su -m root
        else
          # Has command
          # "$@" is magic in bash, and needs to be in the invocation
          $LAZY_SUDO "$NSENTER" $OPTS env -i - $ENV "$@"
        fi
      fi
  - path: /etc/iptables.rules
    permissions: 0600
    content: |
      *filter
      :INPUT DROP [0:0]
      :FORWARD DROP [0:0]
      :OUTPUT ACCEPT [0:0]
      :RH-Firewall-1-INPUT - [0:0]
      # Block spoofed source addresses on the public interface. These must come
      # before the jump into RH-Firewall-1-INPUT: that chain ends in REJECT, so
      # any rule appended to INPUT after the jump is never evaluated.
      # Only eth0 is matched, so traffic on docker0 and the private interface is unaffected.
      -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
      -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
      -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
      -A INPUT -i eth0 -s 224.0.0.0/4 -j DROP
      -A INPUT -i eth0 -s 240.0.0.0/5 -j DROP
      -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP
      -A INPUT -j RH-Firewall-1-INPUT
      -A FORWARD -j RH-Firewall-1-INPUT
      -A RH-Firewall-1-INPUT -i lo -j ACCEPT
      -A RH-Firewall-1-INPUT -p icmp --icmp-type echo-reply -j ACCEPT
      -A RH-Firewall-1-INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
      -A RH-Firewall-1-INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
      # Accept Pings
      -A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -j ACCEPT
      # Accept any established connections
      -A RH-Firewall-1-INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      # Accept ssh, http, https - add other tcp traffic ports here
      -A RH-Firewall-1-INPUT -m conntrack --ctstate NEW -m multiport -p tcp --dports 22,80,443 -j ACCEPT
      # Log and reject everything else
      -A RH-Firewall-1-INPUT -j LOG
      -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
      COMMIT
      # end of file
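Two mistakes are easy to make in a rules file like this one: a COMMIT line that is not newline-terminated (the reason for the trailing comment line), and anti-spoofing DROP rules appended to INPUT after the jump into RH-Firewall-1-INPUT, where they can never fire because that chain ends in REJECT. The script below is an added example, not from the original post; it lints the file for both problems before it goes into cloud-config and lists which TCP ports the rules leave open to the world. It assumes the layout used above (one *filter table, anti-spoofing DROPs on eth0, a catch-all chain named RH-Firewall-1-INPUT whose last rule is REJECT) and the sample rules embedded at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Lint an iptables-restore rules file before it goes into cloud-config.
# Added example, not from the original post. Assumes the layout used above:
# one *filter table, anti-spoofing DROPs on INPUT for eth0, and a catch-all
# chain named RH-Firewall-1-INPUT whose last rule is REJECT.

# check_rules FILE: print each problem found, return 0 if clean, 1 otherwise.
check_rules() {
    f="$1"
    rc=0

    # 1. The last line must be newline-terminated; iptables-restore reads the
    #    file line by line, and the "# end of file" comment exists for this.
    if [ -n "$(tail -c 1 "$f")" ]; then
        echo "$f: last line is not newline-terminated"
        rc=1
    fi

    # 2. Every *table header needs a matching COMMIT.
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT' "$f" || true)
    if [ "$tables" -eq 0 ] || [ "$tables" -ne "$commits" ]; then
        echo "$f: $tables table header(s) but $commits COMMIT line(s)"
        rc=1
    fi

    # 3. Anti-spoofing DROPs on INPUT must precede the jump into the catch-all
    #    chain; that chain ends in REJECT, so rules appended after the jump
    #    are never evaluated.
    jump=$(grep -n '^-A INPUT -j RH-Firewall-1-INPUT' "$f" | head -n 1 | cut -d: -f1)
    last_drop=$(grep -n '^-A INPUT -i eth0 -[sd] .* -j DROP' "$f" | tail -n 1 | cut -d: -f1)
    if [ -n "$jump" ] && [ -n "$last_drop" ] && [ "$last_drop" -gt "$jump" ]; then
        echo "$f: anti-spoofing DROP at line $last_drop is unreachable (jump to RH-Firewall-1-INPUT at line $jump)"
        rc=1
    fi

    return $rc
}

# open_tcp_ports FILE: TCP destination ports that have an ACCEPT rule, one per line.
open_tcp_ports() {
    grep -e '-p tcp' "$1" | grep -e '-j ACCEPT' \
        | grep -oE -e '--dports? [0-9,]+' | sed 's/.* //' \
        | tr ',' '\n' | sort -n -u
}

# Usage on the droplet: check_rules /etc/iptables.rules && open_tcp_ports /etc/iptables.rules
# Stand-alone demo on a constructed rules file with the correct ordering:
demo=$(mktemp)
cat > "$demo" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-A INPUT -i eth0 -d 127.0.0.0/8 -j DROP
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m conntrack --ctstate NEW -m multiport -p tcp --dports 22,80,443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# end of file
EOF
if check_rules "$demo"; then
    echo "clean; TCP ports open to the world: $(open_tcp_ports "$demo" | tr '\n' ' ')"
fi
rm -f "$demo"
```

Run it against the file you are about to paste into write_files; a non-zero exit means the rules would either fail to load or not do what the comments say. Two things it does not check are worth remembering: the unconditional LOG rule before the final REJECT will write one journal line per rejected packet, so on a public droplet a -m limit match in front of it keeps a port scan from filling the journal, and the FORWARD jump sends Docker's container traffic through the same chain, so the order in which this file and Docker's own FORWARD rules are loaded changes the outcome; check the live result with iptables -L FORWARD -n -v.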