This systemd unit runs iptables-restore on boot:

```ini
[Unit]
Description=Packet Filtering Framework
DefaultDependencies=no
After=systemd-sysctl.service
Before=sysinit.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/iptables-restore /opt/docker/scripts/iptables/iptables.rules
ExecReload=/usr/sbin/iptables-restore /opt/docker/scripts/iptables/iptables.rules
ExecStop=/usr/sbin/iptables --flush
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
```

This is my iptables.rules file:

```
# Adapted from here: http://wiki.centos.org/HowTos/OS_Protection
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# Block spoofed IP addresses
-A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
-A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
-A INPUT -i eth0 -s 224.0.0.0/4 -j DROP
-A INPUT -i eth0 -s 240.0.0.0/5 -j DROP
-A INPUT -i eth0 -d 127.0.0.0/8 -j DROP
# Accept pings
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Accept any established connections
-A RH-Firewall-1-INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Accept ssh, http, https - add other tcp traffic ports here
-A RH-Firewall-1-INPUT -m conntrack --ctstate NEW -m multiport -p tcp --dports 22,80,443 -j ACCEPT
# Log and drop everything else
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
```

After the machine has rebooted and a couple of docker containers have also started, this is the output of iptables -L:

```
Chain INPUT (policy DROP)
target               prot opt source                 destination
RH-Firewall-1-INPUT  all  --  anywhere               anywhere
DROP                 all  --  10.0.0.0/8             anywhere
DROP                 all  --  172.16.0.0/12          anywhere
DROP                 all  --  192.168.0.0/16         anywhere
DROP                 all  --  base-address.mcast.net/4  anywhere
DROP                 all  --  240.0.0.0/5            anywhere
DROP                 all  --  anywhere               loopback/8

Chain FORWARD (policy DROP)
target               prot opt source                 destination
ACCEPT               udp  --  anywhere               172.17.0.3           udp dpt:domain
ACCEPT               tcp  --  anywhere               172.17.0.2           tcp dpt:5000
ACCEPT               all  --  anywhere               anywhere             ctstate RELATED,ESTABLISHED
ACCEPT               all  --  anywhere               anywhere
ACCEPT               all  --  anywhere               anywhere
RH-Firewall-1-INPUT  all  --  anywhere               anywhere

Chain OUTPUT (policy ACCEPT)
target               prot opt source                 destination

Chain RH-Firewall-1-INPUT (2 references)
target               prot opt source                 destination
ACCEPT               all  --  anywhere               anywhere
ACCEPT               icmp --  anywhere               anywhere             icmp echo-reply
ACCEPT               icmp --  anywhere               anywhere             icmp destination-unreachable
ACCEPT               icmp --  anywhere               anywhere             icmp time-exceeded
ACCEPT               icmp --  anywhere               anywhere             icmp echo-request
ACCEPT               all  --  anywhere               anywhere             ctstate RELATED,ESTABLISHED
ACCEPT               tcp  --  anywhere               anywhere             ctstate NEW multiport dports ssh,http,https
LOG                  all  --  anywhere               anywhere             LOG level warning
REJECT               all  --  anywhere               anywhere             reject-with icmp-host-prohibited
```
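Two sanity checks for a ruleset laid out like this one, as an added example that is not part of the gist: the lockout that an `ExecStop=iptables --flush` causes while the INPUT policy is DROP (raised in the comments below), and the fact that RH-Firewall-1-INPUT ends in an unconditional REJECT, so the anti-spoofing DROP rules appended to INPUT after the jump (the DROP lines under RH-Firewall-1-INPUT in the `iptables -L` output) are never evaluated. `RULES` is a constructed excerpt of the gist's rules file with the same chain layout and fewer rules.

```python
import re

# Constructed excerpt of the gist's iptables.rules (same chain layout, fewer rules).
RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
TERMINATING = {"ACCEPT", "DROP", "REJECT"}          # targets that never fall through
RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*?)\s*-j\s+(\S+)(.*)$")  # -A chain [matches] -j target

def parse(text):
    """Return ({chain: policy}, [(chain, match_criteria, target)]) from iptables-restore text."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):           # chain line, e.g. ':INPUT DROP [0:0]'
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A"):
            rules.append(RULE_RE.match(line).group(1, 2, 3))
    return policies, rules

def never_returns(chain, rules):
    """True if the chain ends with an unconditional terminating rule (no RETURN possible)."""
    own = [r for r in rules if r[0] == chain]
    return bool(own) and own[-1][1] == "" and own[-1][2] in TERMINATING

def unreachable_rules(text):
    """Rules appended to a chain after an unconditional jump that can never fall through."""
    _, rules = parse(text)
    dead, blocked = [], set()
    for chain, matches, target in rules:
        if chain in blocked:
            dead.append((chain, matches, target))
        elif matches == "" and (target in TERMINATING or never_returns(target, rules)):
            blocked.add(chain)
    return dead

def stop_locks_you_out(text, exec_stop):
    """An ExecStop that only flushes leaves INPUT's DROP policy in place: no rules, no way in."""
    policies, _ = parse(text)
    return "--flush" in exec_stop and policies.get("INPUT") == "DROP"
```

Run `unreachable_rules` over the real rules file before enabling the unit; a non-empty result means the anti-spoofing rules must be moved above the jump to RH-Firewall-1-INPUT to take effect.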
If you have an INPUT policy of DROP, stopping with only a --flush is a very bad idea. You will be immediately kicked off the system with no way back in if you did not create a console accessible account. Setting the POLICY for the default tables (INPUT, OUTPUT, and FORWARD) to ACCEPT before flushing is necessary.
Replace the iptables --flush line with iptables-restore and reference a file with this content:

```
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
```
This firewall breaks name resolution in my containers.
Thought I'd reference this here in case anyone who stumbles upon this Gist would find it useful: A cloud-config file for CoreOS with persistent iptables rules using the built-in iptables-restore.service: https://gist.github.com/jimmycuadra/fe79ae8857f3f0d0cae1
Thanks. If, like me, you need IPv6 rules as well, the unit file can be extended as follows:

Then create /opt/docker/scripts/iptables/ip6tables.rules with the required ruleset.