Clarification on firewall rules?

Stefan_Lasiewski · October 21, 2016, 10:51pm

Hello Everyone,

I’m setting up a Rancher Server cluster, with multiple management nodes for HA, and multiple nodes to host the containers.

Installing Rancher Server (Multi Nodes) : Requirements says the following about the Firewall rules:

Ports that need to be opened on Nodes

Global Access: TCP Ports 22 , 80, 443, 18080 (Optional: Used to view the management stack as it comes up)

Access between nodes:

UDP Ports 500, 4500

TCP Ports: 2181, 2376, 2888, 3888,6379

When the docs say “Access between nodes”, do I need to manually add access rules for the 172.16.0.0/12 and 10.42.x.x networks? Or do Docker and Rancher do that automatically?

I’m adding these rules for to allow acccess from our routable, production networks; but do I need to add rules for the overlay networks also?

Thank you,

-= Stefan

vincent · October 22, 2016, 12:08am

No, 172.16 is the local docker network and doesn’t leave that host, and 10.42 is the overlay network sent over IPSec so the physical network doesn’t ever see packets with those IPs.

Stefan_Lasiewski · October 22, 2016, 1:04am

so the physical network doesn’t ever see packets with those IPs

I see. But iptables itself does see the packets, which might part of our problem.

However, it sounds like Docker and Rancher both add their own rules to iptables, but add them to their own chains, and maybe only to the nat table? I don’t neeed to manually manage these rules.

But I do need to ensure that other tools, like Puppet or Ansible, don’t run in and remove the rules.

-= Stefan

Topic		Replies	Views
Firewall rules for managed network Rancher 1.x	9	9868	April 18, 2017
Rancher and host firewall setup Rancher 1.x	1	2109	May 6, 2016
Question about network rules Rancher	0	371	September 5, 2019
Network ports explanation Rancher	0	508	November 11, 2018
Nodes on the same subnet? Rancher 1.x	1	1231	January 14, 2018

Clarification on firewall rules?

Related topics