@darabi
Created May 13, 2020 09:46
Shorewall start script which restores Kubernetes and Cilium iptables chains
# the idea is not mine:
#
# https://blog.discourse.org/2015/11/shorewalldocker-two-great-tastes-that-taste-great-together/#
#
BACKUP=/etc/shorewall/kubernetes_rules
if [ -f "$BACKUP" ]; then
    echo "Restore Kubernetes-specific rules"
    # Kubernetes custom chains AND Cilium chains were backed up in /etc/shorewall/stop.
    # We have to re-create the jump instructions from the built-in chains, both for
    # Kubernetes and Cilium.
    # cf. https://docs.cilium.io/en/v1.6/architecture/#kubernetes-integration
    #
    # -n (--noflush): add the saved chains without flushing the rules Shorewall just loaded
    iptables-restore -n < "$BACKUP"
    # filter table
    iptables -t filter -I INPUT 1 -j KUBE-FIREWALL
    iptables -t filter -I INPUT 1 -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
    iptables -t filter -I INPUT 1 -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
    iptables -t filter -I OUTPUT 1 -j KUBE-FIREWALL
    iptables -t filter -I OUTPUT 1 -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
    iptables -t filter -I FORWARD 1 -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
    iptables -t filter -I FORWARD 1 -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
    # insert jumps from nat table chains
    iptables -t nat -I PREROUTING 1 -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
    iptables -t nat -I OUTPUT 1 -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
    iptables -t nat -I POSTROUTING 1 -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
    #
    # When using Cilium, we have to preserve its chains too, which were already dumped
    # in /etc/shorewall/stop.
    #
    # cf. https://docs.cilium.io/en/v1.6/architecture/#kubernetes-integration
    #
    # The Cilium jumps are located before the Kubernetes jumps: inserting them last with
    # '-I ... 1' puts them at the top of each built-in chain.
    # You can verify the result with a quick 'iptables -t {filter,nat,mangle,raw} -S | less'
    # or with: iptables -t filter -S | grep -v -e '-[AN] CILI' | grep CILIUM
    iptables -t filter -I INPUT 1 -m comment --comment "cilium-feeder: CILIUM_INPUT" -j CILIUM_INPUT
    iptables -t filter -I FORWARD 1 -m comment --comment "cilium-feeder: CILIUM_FORWARD" -j CILIUM_FORWARD
    iptables -t filter -I OUTPUT 1 -m comment --comment "cilium-feeder: CILIUM_OUTPUT" -j CILIUM_OUTPUT
    iptables -t mangle -I PREROUTING 1 -m comment --comment "cilium-feeder: CILIUM_PRE_mangle" -j CILIUM_PRE_mangle
    iptables -t mangle -I POSTROUTING 1 -m comment --comment "cilium-feeder: CILIUM_POST_mangle" -j CILIUM_POST_mangle
    iptables -t nat -I PREROUTING 1 -m comment --comment "cilium-feeder: CILIUM_PRE_nat" -j CILIUM_PRE_nat
    iptables -t nat -I OUTPUT 1 -m comment --comment "cilium-feeder: CILIUM_OUTPUT_nat" -j CILIUM_OUTPUT_nat
    iptables -t nat -I POSTROUTING 1 -m comment --comment "cilium-feeder: CILIUM_POST_nat" -j CILIUM_POST_nat
    iptables -t raw -I PREROUTING 1 -m comment --comment "cilium-feeder: CILIUM_PRE_raw" -j CILIUM_PRE_raw
    iptables -t raw -I OUTPUT 1 -m comment --comment "cilium-feeder: CILIUM_OUTPUT_raw" -j CILIUM_OUTPUT_raw
    rm -f "$BACKUP"
fi
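The start script above relies on a companion /etc/shorewall/stop that dumps the Kubernetes and Cilium chains, which the gist does not include. As an added example (not darabi's code), the following shows the filtering step such a dump needs so that `iptables-restore -n` re-creates only the KUBE-*/CILIUM_* chains and leaves the jumps from the built-in chains (INPUT, PREROUTING, ...) for the start script to re-insert; the function names and the iptables-save excerpt are constructed for this example.

```shell
# Filter an iptables-save dump (stdin) down to the Kubernetes and Cilium chains,
# keeping each table header and its COMMIT only when the table has something to restore.
# Jumps from built-in chains (e.g. "-A INPUT -j KUBE-FIREWALL") are dropped on purpose:
# the start script re-inserts them at position 1 after the restore.
extract_k8s_chains() {
    awk '
        # print the pending table header once, then the line itself
        function emit(line) { if (pending) { print table; pending = 0 } print line }
        /^\*/                  { table = $0; pending = 1; next }   # *filter, *nat, ...
        /^:(KUBE-|CILIUM_)/    { emit($0); next }                  # chain declarations
        /^-A (KUBE-|CILIUM_)/  { emit($0); next }                  # rules inside those chains
        /^COMMIT/              { if (!pending) print "COMMIT"; pending = 1; next }
        # everything else (comments, Shorewall chains, built-in chain jumps) is dropped
    '
}

# Constructed iptables-save excerpt for demonstration (not a dump from a real host).
sample_iptables_save() {
    cat <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:KUBE-FIREWALL - [0:0]
:CILIUM_INPUT - [0:0]
-A INPUT -j KUBE-FIREWALL
-A INPUT -m comment --comment "cilium-feeder: CILIUM_INPUT" -j CILIUM_INPUT
-A KUBE-FIREWALL -m mark --mark 0x8000/0x8000 -j DROP
-A CILIUM_INPUT -m mark --mark 0x200/0xf00 -j ACCEPT
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:KUBE-SERVICES - [0:0]
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A KUBE-SERVICES -d 10.96.0.1/32 -p tcp --dport 443 -j KUBE-SVC-EXAMPLE
COMMIT
EOF
}

# In a real /etc/shorewall/stop this would be: iptables-save | extract_k8s_chains > "$BACKUP"
sample_iptables_save | extract_k8s_chains
```

The *raw table disappears from the output because none of its chains match, and the two "-A INPUT ..." / "-A PREROUTING ..." jumps are gone, which is exactly what the start script expects before it runs its `iptables -I ... 1` lines.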