How can I set up iptables rules on startup? I cannot leave some ports open to the wide public (like the Nagios agent). I did not find any way to do it; without iptables working, this cannot be used in production.
I have solved the issue with the busybox pull: I just add io.rancher.os.after: wait-for-network, then it works (it needs to wait for eth0 initialization).
But there are other problems:

- the recent version of busybox does not have iptables and iptables-restore, so I try to mount it from the host filesystem
- while booting for the first time, /opt is not available to the service, so it fails because the files are not found

```yaml
    volumes:
      - /sbin/iptables:/usr/bin/iptables:ro
    labels:
      io.rancher.os.scope: system
      io.rancher.os.after: wait-for-network, cloud-init
    command: /opt/rancher/init/iptables.sh
```

With this example, when I boot the first time, I get an error that /opt/rancher/init/iptables.sh does not exist. From then on, when I reboot, /opt/rancher/init/iptables.sh executes OK, but I get a kernel panic each time. Apparently it does not like launching the iptables command from within the busybox container.
Set the rules via the cloud-config. Try something like the following, where a script file is created and run when the network is up (the magic lines are 9-11 and the write_files part):
```yaml
EXTRA_CMDLINE: /init
hostname: RancherUI
rancher:
  console: ubuntu
  docker:
    engine: docker-17.12.1-ce
  environment:
    EXTRA_CMDLINE: /init
  network:
    post_cmds:
      - /var/lib/iptables/rules.sh post_cmds # run command after the network is set up
  resize_device: /dev/vda
  services_include:
    kvm-vm-tools: true
  state:
    dev: LABEL=RANCHER_STATE
    wait: true
  sysctl:
    vm.max_map_count: 524288
runcmd:
  - echo deadline > /sys/block/sda/queue/scheduler # deadline scheduler is faster on ssds than the default
  - ulimit -n 80000
ssh_authorized_keys:
  - ssh-rsa some-ssh-public-key
write_files:
  - container: network
    content: |+
      #!/bin/bash
      set -ex
      echo ui >> /var/log/net.log
      iptables -A INPUT -i lo -j ACCEPT # Loopback
      iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # Outgoing
      iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT # PING
      iptables -A INPUT -s 172.17.0.0/16 -j ACCEPT # Docker internal
      iptables -N DOCKER-USER
      iptables -I DOCKER-USER 1 -j DROP
      iptables -I DOCKER-USER 1 -j LOG
      iptables -I DOCKER-USER 1 -s 213.133.96.0/20 -p udp -m udp --sport 53 -j RETURN # DNS
      iptables -I DOCKER-USER 1 -p tcp -m tcp --sport 443 -j RETURN # HTTPS
      iptables -I DOCKER-USER 1 -s 172.17.0.0/16 -j RETURN # Docker internal
      iptables -A INPUT -j LOG
      iptables -P INPUT DROP
      iptables -P FORWARD ACCEPT
      # the last line of the file needs to be a blank line or a comment

    owner: root:root
    path: /var/lib/iptables/rules.sh
    permissions: "0755"
```
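The script above appends rules one `iptables` call at a time under `set -e`, so a second run (another `post_cmds` invocation, or a re-run after Docker has already created `DOCKER-USER`) either duplicates rules or aborts at `iptables -N DOCKER-USER`. The following is an added example, not code from the thread or from RancherOS: it expresses the same policy as an `iptables-restore` ruleset, which is loaded atomically and replaces the whole filter table, so re-running it is safe. It assumes `iptables-restore` is present in the container that runs it and that `/var/lib/iptables/rules.v4` is writable (both assumptions, not facts from the thread). One deliberate change from the answer's script: the two `--sport 443` / `--sport 53` RETURN rules are replaced by a conntrack `RELATED,ESTABLISHED` match, because a source-port match lets any peer through by choosing that source port, whereas the state match only admits replies to connections the containers opened.

```shell
#!/bin/sh
# Added example (not from the thread): declarative iptables ruleset for the
# same policy as the answer's rules.sh, applied atomically with iptables-restore.

# Constructed values, taken from the answer's script; adjust for your host.
DOCKER_NET="172.17.0.0/16"

# Emit the ruleset in iptables-save format. Order inside DOCKER-USER mirrors
# the result of the answer's "-I DOCKER-USER 1" inserts: RETURN rules first,
# then LOG, then DROP. Docker adds its own FORWARD -> DOCKER-USER jump later.
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -s ${DOCKER_NET} -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT-DROP: "
-A DOCKER-USER -s ${DOCKER_NET} -j RETURN
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
-A DOCKER-USER -j LOG --log-prefix "DOCKER-USER-DROP: "
-A DOCKER-USER -j DROP
COMMIT
EOF
}

# Number of rules the ruleset would load; handy to log at boot as a sanity check.
rule_count() {
  gen_rules | grep -c '^-A '
}

# Default policy declared for a chain in the generated ruleset (e.g. "DROP").
chain_policy() {
  gen_rules | sed -n "s/^:$1 \([A-Z-]*\) .*/\1/p"
}

# Write the ruleset and load it. "iptables-restore --test" parses the file
# without touching the kernel, so a typo fails here instead of leaving the
# host half-configured; the second call replaces the filter table atomically.
apply_rules() {
  rules_file="${1:-/var/lib/iptables/rules.v4}"
  gen_rules > "$rules_file"
  iptables-restore --test < "$rules_file" && iptables-restore < "$rules_file"
}

# Apply only when executed as the rules script itself (e.g. from post_cmds),
# so the file can also be sourced just to generate or inspect the ruleset.
case "$0" in
  */rules.sh) apply_rules "$@" ;;
esac
```

Install it with the same `write_files` entry as the answer (path `/var/lib/iptables/rules.sh`, `container: network`, mode `0755`) and keep the `post_cmds` line unchanged; the generated `rules.v4` file is also what you would diff against `iptables-save` output when checking that the running policy still matches what cloud-config installed.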