Skip to content

Instantly share code, notes, and snippets.

@gbevan
Last active January 4, 2021 11:29
Show Gist options
  • Save gbevan/8a0a786cfc2728cd2998f868b0ff5b72 to your computer and use it in GitHub Desktop.
Save gbevan/8a0a786cfc2728cd2998f868b0ff5b72 to your computer and use it in GitHub Desktop.
Fix internet access for microk8s pods
# see https://unrouted.io/2017/08/15/docker-firewall/
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FILTERS - [0:0]
:DOCKER-USER - [0:0]
-F INPUT
-F DOCKER-USER
-F FILTERS
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -j FILTERS
# you may need to change this, replace eno1 with the nic bound to your external ip
-A DOCKER-USER -i eno1 -j FILTERS
-A DOCKER-USER -i cbr0 -j FILTERS
-A FILTERS -m state --state ESTABLISHED,RELATED -j ACCEPT
# open access for dev
-A FILTERS -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
# you might want more restructive permissions
#-A FILTERS -m state --state NEW -s 192.168.0.0/24 -j ACCEPT
#-A FILTERS -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#-A FILTERS -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
#-A FILTERS -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
#-A FILTERS -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# Log&Reject everything else
-A FILTERS -j LOG --log-prefix "IPTables-Dropped: "
-A FILTERS -j REJECT --reject-with icmp-host-prohibited
COMMIT
# see https://unrouted.io/2017/08/15/docker-firewall/
[Unit]
Description=Restore iptables firewall rules
Before=network-pre.target
[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore -n /etc/iptables.conf
[Install]
WantedBy=multi-user.target
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment