Firewall woes in CentOS 7

I’m using CentOS 7 as a host for Rancher hosts and having serious firewall problems.

In short I have to set both the INPUT and the FORWARD chains to ACCEPT to make Rancher work. That cannot stay like that in production. What do I need to add as more restrictive rules to allow external access to containers and also access between containers? I’ve tried a lot of options but failed.

INPUT could be set to DENY. I don’t see an issue with that, but haven’t tried it out. To make forwarding easier we can change our iptables in the CATTLE_PREROUTING to set a mark. You would then need to accept forward traffic that matches our mark.
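Added example, not code from the thread or from Rancher: a shell script that emits an iptables-restore ruleset in the shape the reply above proposes, with INPUT and FORWARD defaulting to DROP instead of ACCEPT, and a FORWARD rule that accepts only packets carrying a mark. The mark value `0x1337`, the assumption that Rancher’s CATTLE_PREROUTING chain sets that mark on container traffic, and the SSH port are all assumptions for the example; the script only generates and sanity-checks the ruleset, it does not load it.

```shell
#!/bin/sh
# Constructed example: a restrictive filter-table ruleset for a Rancher host.
# Assumption: Rancher's CATTLE_PREROUTING chain marks container-bound traffic
# with $MARK_VALUE (as proposed in the reply); the exact value is hypothetical.
MARK_VALUE="${RANCHER_FWD_MARK:-0x1337}"   # assumed mark, override via env
SSH_PORT="${SSH_PORT:-22}"                  # assumed admin port to keep open

# Print the ruleset in iptables-restore format.
emit_filter_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Host-bound traffic: loopback, replies to existing flows, then admin access.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
# Forwarded traffic (container <-> outside, container <-> container):
# allow replies, allow flows Rancher marked, log and drop the rest.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m mark --mark $MARK_VALUE -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: " --log-level 4
COMMIT
EOF
}

# Sanity-check the generated ruleset before anyone loads it:
# both chains default to DROP, the mark rule exists, and the table is committed.
check_ruleset() {
  rules=$(emit_filter_rules)
  printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
  printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
  printf '%s\n' "$rules" | grep -q -- "^-A FORWARD -m mark --mark $MARK_VALUE -j ACCEPT$" || return 1
  printf '%s\n' "$rules" | grep -q '^COMMIT$' || return 1
  return 0
}

# Number of FORWARD rules emitted (replies, marked flows, log-and-drop).
count_forward_rules() {
  emit_filter_rules | grep -c '^-A FORWARD'
}

# Usage (as root, on the host): validate the syntax without applying it.
#   emit_filter_rules | iptables-restore --test
# Only load it once the mark is confirmed to be set in CATTLE_PREROUTING,
# otherwise forwarded container traffic is logged and dropped.
if [ "${1:-}" = "--print" ]; then
  emit_filter_rules
fi
```

The log-and-drop rule at the end of FORWARD is what tells you whether the mark assumption holds: if container traffic shows up with the `FWD-DROP:` prefix in the kernel log, the flows are not being marked and the accept rule never matches.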

Thanks for the reply. I’m nowhere near a wizard on iptables and your natting is beyond me so I was struggling a bit. When I tested I thought that FORWARD DENY was stopping communications between containers and INPUT DENY was stopping me accessing containers externally.

Thinking about it further I guess the latter part is just that I need the usual external firewall rules as if the services were running on the host.

If you could work out a better way of handling the FORWARD part then I would be grateful.

@kiboro I’ve created a GitHub issue for us to track for when we can look into firewall rules.