Set up a firewall for bare-metal Kubernetes
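#!/bin/bash
#
# Set up a host firewall for a bare-metal kubernetes node (IPv4 iptables).
#
# Three custom chains are created and hooked into INPUT, then the INPUT
# policy is switched to DROP:
#   cluster-input          lo, established/related, and the pod (calico) /
#                          node (kubelet) CIDRs as source or destination
#   allowance-cluster-ips  other cluster members, matched by source IP
#   allowance-ports        ssh/http/https and the kube-apiserver port (6443)
#
# Before running: replace the {...} placeholders below and run as root.
# Re-running is safe: an existing chain is flushed and refilled instead of
# failing on "chain already exists", and the INPUT jumps are not duplicated.
# Note that flushing a hooked chain opens a short window in which its
# accepts are absent; the refill runs immediately after.
#
# Not covered (add as needed): ICMP (ping, path-MTU discovery), IPv6
# (ip6tables is untouched), and persistence across reboot.
set -euo pipefail

# Cluster members — replace the placeholders before running.
readonly master_1_server_ip='{master_1_server_ip}'
readonly workernode_1_server_ip='{workernode_1_server_ip}'

# Overlay networks; these must match the cluster's CNI and node addressing.
readonly pod_cidr='192.168.0.0/16'   # calico
readonly node_cidr='10.0.0.0/8'      # kubelet

# INPUT position of the first hook. Positions 2-4 (as in the original rule
# set) assume INPUT already holds at least one rule, otherwise -I fails with
# "Index of insertion too big".
readonly first_hook_pos=2

die() { printf '%s\n' "$*" >&2; exit 1; }

# -w: wait for the xtables lock instead of failing while kube-proxy or the
# CNI agent is programming the tables at the same time.
ipt() { iptables -w "$@"; }

#######################################
# Create a chain, or flush it if it already exists, so the script can be
# re-run without duplicating rules. Any other -N failure (e.g. no
# permission) makes -F fail too and the script exits under set -e.
# Arguments: $1 - chain name
#######################################
ensure_chain() {
  local chain=$1
  ipt -N "$chain" 2>/dev/null || ipt -F "$chain"
}

#######################################
# Insert a jump to a chain into INPUT at a given position unless a jump to
# that chain is already present (-C prints an error when absent; silenced).
# Arguments: $1 - insertion position in INPUT, $2 - chain name
#######################################
hook_input() {
  local pos=$1 chain=$2
  ipt -C INPUT -j "$chain" 2>/dev/null || ipt -I INPUT "$pos" -j "$chain"
}

main() {
  (( EUID == 0 )) || die "must run as root"
  command -v iptables >/dev/null || die "iptables not found"

  ensure_chain cluster-input
  ipt -A cluster-input -m comment --comment "lo accept" -i lo -j ACCEPT
  ipt -A cluster-input -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A cluster-input -m comment --comment "calico subnet src accept" -s "$pod_cidr" -j ACCEPT
  ipt -A cluster-input -m comment --comment "calico subnet dst accept" -d "$pod_cidr" -j ACCEPT
  ipt -A cluster-input -m comment --comment "kubelet subnet src accept" -s "$node_cidr" -j ACCEPT
  ipt -A cluster-input -m comment --comment "kubelet subnet dst accept" -d "$node_cidr" -j ACCEPT
  ipt -A cluster-input -j RETURN
  hook_input "$first_hook_pos" cluster-input

  ensure_chain allowance-cluster-ips
  ipt -A allowance-cluster-ips -s "$master_1_server_ip" -j ACCEPT
  ipt -A allowance-cluster-ips -s "$workernode_1_server_ip" -j ACCEPT
  ipt -A allowance-cluster-ips -j RETURN
  hook_input $((first_hook_pos + 1)) allowance-cluster-ips

  ensure_chain allowance-ports
  # --comment belongs to the comment match: without "-m comment" iptables
  # rejects the rule with "unknown option --comment".
  ipt -A allowance-ports -p tcp -m multiport --dports 22,80,443 \
    -m comment --comment "allow ssh, http, https ports" -j ACCEPT
  ipt -A allowance-ports -p tcp -m tcp --dport 6443 \
    -m comment --comment "allow kubernetes access port" -j ACCEPT
  ipt -A allowance-ports -j RETURN
  hook_input $((first_hook_pos + 2)) allowance-ports

  # Last step on purpose: only once every accept rule is in place does
  # everything not matched above get dropped.
  ipt -P INPUT DROP
}

main "$@"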