Last active January 4, 2021 11:29
Fix internet access for microk8s pods
# see https://unrouted.io/2017/08/15/docker-firewall/
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FILTERS - [0:0]
:DOCKER-USER - [0:0]
-F INPUT
-F DOCKER-USER
-F FILTERS
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -j FILTERS
# you may need to change this, replace eno1 with the nic bound to your external ip
-A DOCKER-USER -i eno1 -j FILTERS
-A DOCKER-USER -i cbr0 -j FILTERS
-A FILTERS -m state --state ESTABLISHED,RELATED -j ACCEPT
# open access for dev
-A FILTERS -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
# you might want more restrictive permissions
#-A FILTERS -m state --state NEW -s 192.168.0.0/24 -j ACCEPT
#-A FILTERS -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#-A FILTERS -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
#-A FILTERS -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
#-A FILTERS -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# Log&Reject everything else
-A FILTERS -j LOG --log-prefix "IPTables-Dropped: "
-A FILTERS -j REJECT --reject-with icmp-host-prohibited
COMMIT
# see https://unrouted.io/2017/08/15/docker-firewall/
[Unit]
Description=Restore iptables firewall rules
Before=network-pre.target
[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore -n /etc/iptables.conf
[Install]
WantedBy=multi-user.target
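An added example, not part of the gist: a POSIX shell check that inspects `iptables-save` output to confirm the restored ruleset still has the pieces pods depend on (the cbr0 hook into FILTERS, the ESTABLISHED/RELATED accept, the final REJECT, and the FORWARD jump into DOCKER-USER that Docker itself installs and that `iptables-restore -n` must preserve). The dumps below are constructed for the example; on a real host run `iptables-save | check_microk8s_rules cbr0`.

```shell
#!/bin/sh
# Added example: verify the gist's ruleset is actually in effect on the host.

# Constructed iptables-save dump of the healthy state (not captured from a real host).
# -s 0.0.0.0/0 is omitted because iptables-save does not print the default source.
SAMPLE_OK='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
:FILTERS - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -j FILTERS
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -i eno1 -j FILTERS
-A DOCKER-USER -i cbr0 -j FILTERS
-A FILTERS -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FILTERS -m state --state NEW -j ACCEPT
-A FILTERS -j LOG --log-prefix "IPTables-Dropped: "
-A FILTERS -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed broken state: the cbr0 hook is gone, so pod traffic falls through
# to the FORWARD DROP policy and pods lose internet access.
SAMPLE_BROKEN=$(printf '%s\n' "$SAMPLE_OK" | grep -v 'cbr0')

# rule_present REGEX DUMP: true if one line of DUMP matches REGEX.
rule_present() { printf '%s\n' "$2" | grep -qE "$1"; }

# check_microk8s_rules [BRIDGE] < iptables-save-output
# Prints one line per missing piece; returns 0 only when all are present.
check_microk8s_rules() {
  bridge=${1:-cbr0}
  dump=$(cat)
  missing=0
  rule_present '^:FORWARD DROP' "$dump" \
    || { echo "FORWARD policy is not DROP"; missing=$((missing+1)); }
  rule_present '^-A FORWARD -j DOCKER-USER$' "$dump" \
    || { echo "FORWARD does not jump to DOCKER-USER (was the table flushed?)"; missing=$((missing+1)); }
  rule_present "^-A DOCKER-USER -i $bridge -j FILTERS$" "$dump" \
    || { echo "DOCKER-USER does not send $bridge traffic to FILTERS"; missing=$((missing+1)); }
  # newer iptables may print the state match as conntrack --ctstate
  rule_present '^-A FILTERS -m (state --state|conntrack --ctstate) (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT$' "$dump" \
    || { echo "FILTERS does not accept established/related traffic"; missing=$((missing+1)); }
  rule_present '^-A FILTERS -j REJECT' "$dump" \
    || { echo "FILTERS has no final REJECT"; missing=$((missing+1)); }
  [ "$missing" -eq 0 ]
}

printf '%s\n' "$SAMPLE_OK" | check_microk8s_rules cbr0 && echo "ruleset OK"
printf '%s\n' "$SAMPLE_BROKEN" | check_microk8s_rules cbr0 || echo "broken ruleset detected"
```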