Does Rancher set up any kind of iptables firewall rules on hosts created when using Rancher's built-in functionality to add hosts to services like DigitalOcean and Packet? If not, what would be the best practice to set up firewall rules?
The cloud providers vary. Rancher is just using Docker Machine under the hood to set things up, and then runs the agent command to register back in.
It's really up to what you need. The minimum that a host needs is 22 inbound and 8080 (optional), 443, 80 outbound to the Rancher server. Between the nodes in an environment they need 500/UDP and 4500/UDP for the overlay network to work. Outside of that, it's really application specific. If you're going to be running front-end web servers then you'd need 80 and 443 available to the world, for instance.
Rancher does not manage the external pieces of the network that allow access to the boxes. It does manipulate iptables in the CATTLE_POST and CATTLE_PRE routing chains in the nat table for the overlay network.
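As an added example (not from this thread and not Rancher's own code), here is a POSIX sh function that emits an iptables-restore ruleset implementing the minimums from the answer above: 22 inbound; 80, 443 and optional 8080 outbound to the Rancher server; 500/udp and 4500/udp between nodes; plus whatever application ports you pass as extra arguments. The Rancher server address 203.0.113.10, the node subnet 10.0.0.0/24 and the outbound DNS/NTP rules are assumptions for the example, not something the answer states. The rules are printed rather than loaded so they can be reviewed before being handed to iptables-restore.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset for a Rancher host.
# Ports follow the answer above (22 in; 80/443/8080 out to the Rancher
# server; 500/4500 udp between nodes). Server IP, node CIDR and the
# DNS/NTP rules are assumptions for the example; adjust to your environment.

# rancher_host_rules RANCHER_SERVER NODE_CIDR [APP_TCP_PORT ...]
#   RANCHER_SERVER : IP of the Rancher server (assumed 203.0.113.10 below)
#   NODE_CIDR      : subnet the other hosts in the environment live in
#   APP_TCP_PORT   : inbound application ports to open to the world, e.g. 80 443
rancher_host_rules() {
    server="$1"; shift
    nodes="$1"; shift

    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD ACCEPT [0:0]'   # Docker manages its own FORWARD/DOCKER chains
    printf '%s\n' ':OUTPUT DROP [0:0]'

    # loopback and already-established traffic in both directions
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'

    # management: SSH inbound (add -s <bastion> to narrow it further)
    printf '%s\n' '-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'

    # agent -> Rancher server: 80, 443 and the optional 8080, outbound only
    for p in 80 443 8080; do
        printf '%s\n' "-A OUTPUT -d $server -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done

    # overlay network between nodes: IKE (500/udp) and NAT-T (4500/udp)
    for p in 500 4500; do
        printf '%s\n' "-A INPUT -s $nodes -p udp --dport $p -j ACCEPT"
        printf '%s\n' "-A OUTPUT -d $nodes -p udp --dport $p -j ACCEPT"
    done

    # assumption for the example: DNS and NTP out so the host can resolve
    # the server name and keep its clock (certificate validation needs it)
    printf '%s\n' '-A OUTPUT -p udp --dport 53 -j ACCEPT'
    printf '%s\n' '-A OUTPUT -p tcp --dport 53 -j ACCEPT'
    printf '%s\n' '-A OUTPUT -p udp --dport 123 -j ACCEPT'

    # application-specific inbound ports, e.g. 80 443 for a public web tier
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done

    printf '%s\n' 'COMMIT'
}

# Usage (review the output first, then load as root):
#   rancher_host_rules 203.0.113.10 10.0.0.0/24 80 443 > /tmp/rancher.rules
#   sudo iptables-restore < /tmp/rancher.rules
```

Two caveats when loading this. iptables-restore replaces the whole filter table, which also drops the DOCKER and DOCKER-USER chains Docker created, so apply it before Docker starts (or restart Docker afterwards); the nat table, where Rancher keeps its CATTLE_PRE and CATTLE_POST chains, is not touched by this file. And the host still has to pull the rancher/agent image and your own images, so in practice you also need outbound 443 to whatever registry serves them, which the answer's minimum does not cover.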