Clarification on firewall rules?

Hello Everyone,

I’m setting up a Rancher Server cluster, with multiple management nodes for HA, and multiple nodes to host the containers.

Installing Rancher Server (Multi Nodes): Requirements says the following about the firewall rules:

  • Ports that need to be opened on Nodes
  • Global Access: TCP Ports 22, 80, 443, 18080 (Optional: Used to view the management stack as it comes up)
  • Access between nodes:
    • UDP Ports 500, 4500
    • TCP Ports 2181, 2376, 2888, 3888, 6379

When the docs say “Access between nodes”, do I need to manually add access rules for the 172.16.0.0/12 and 10.42.x.x networks? Or do Docker and Rancher do that automatically?

I’m adding these rules to allow access from our routable, production networks; but do I need to add rules for the overlay networks also?

Thank you,

-= Stefan

No, 172.16 is the local docker network and doesn’t leave that host, and 10.42 is the overlay network sent over IPSec so the physical network doesn’t ever see packets with those IPs.

“so the physical network doesn’t ever see packets with those IPs”

I see. But iptables itself does see the packets, which might be part of our problem.

However, it sounds like Docker and Rancher both add their own rules to iptables, but add them to their own chains, and maybe only to the nat table? I don’t need to manually manage these rules.

But I do need to ensure that other tools, like Puppet or Ansible, don’t run in and remove the rules.

-= Stefan
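The two checks this thread boils down to are (a) does the host's ruleset still accept the ports the Rancher docs list, and (b) are the chains Docker maintains still declared after a Puppet or Ansible run. The script below is an added example, not code from the thread or from Rancher; it audits an `iptables-save` dump for both. The dump it ships with is constructed (one required port, TCP 2376, is deliberately missing), the `192.0.2.0/24` source network and the chain names other than `DOCKER` are assumptions, and the port list is taken from the requirements quoted in the question.

```shell
#!/bin/sh
# Constructed sample of an `iptables-save` dump (not from the thread): a host
# after Docker has created its chains, with all required Rancher ports open
# except TCP 2376. The 192.0.2.0/24 node network is an assumed placeholder.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 2181 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 2888 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 3888 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 6379 -j ACCEPT
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
COMMIT'

# Ports from the Rancher requirements quoted in the question, as proto:port.
REQUIRED_PORTS="tcp:22 tcp:80 tcp:443 udp:500 udp:4500 tcp:2181 tcp:2376 tcp:2888 tcp:3888 tcp:6379"

# missing_ports DUMP: print the required proto:port pairs that have no
# ACCEPT rule in the INPUT chain of the given dump (empty if none missing).
# The trailing space after the port keeps 22 from matching 2222.
missing_ports() {
    dump="$1"
    missing=""
    for entry in $REQUIRED_PORTS; do
        proto="${entry%%:*}"
        port="${entry##*:}"
        if ! printf '%s\n' "$dump" | grep -Eq -- "^-A INPUT .*-p $proto .*--dport $port .*-j ACCEPT$"; then
            missing="$missing $entry"
        fi
    done
    printf '%s' "${missing# }"
    return 0
}

# docker_chains_present DUMP: succeed only if the DOCKER chain is declared
# in both the nat and filter tables, i.e. nothing flushed Docker's chains.
docker_chains_present() {
    count=$(printf '%s\n' "$1" | grep -c '^:DOCKER - ')
    [ "$count" -ge 2 ]
}

# Audit the constructed dump; on a real node pass "$(iptables-save)" instead.
missing=$(missing_ports "$SAMPLE_RULES")
if [ -n "$missing" ]; then
    echo "no ACCEPT rule in INPUT for: $missing"
else
    echo "all required ports accepted"
fi
if docker_chains_present "$SAMPLE_RULES"; then
    echo "Docker chains present"
else
    echo "Docker chains missing: was the ruleset flushed?"
fi
```

Running this against `"$(iptables-save)"` from a cron job or a config-management post-run hook gives an early warning when a managed ruleset has silently dropped a port or flushed Docker's chains; the sample above reports `tcp:2376` as the one missing port.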