Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Secure iptables configuration for coreos ??
// This systemd runs iptables-restore on boot:
[Unit]
Description=Packet Filtering Framework
DefaultDependencies=no
After=systemd-sysctl.service
Before=sysinit.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/iptables-restore /opt/docker/scripts/iptables/iptables.rules
ExecReload=/usr/sbin/iptables-restore /opt/docker/scripts/iptables/iptables.rules
ExecStop=/usr/sbin/iptables --flush
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
// This is my iptables.rules file
# Adapted from here: http://wiki.centos.org/HowTos/OS_Protection
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# Block Spoofing IP Addresses
-A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
-A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
-A INPUT -i eth0 -s 224.0.0.0/4 -j DROP
-A INPUT -i eth0 -s 240.0.0.0/5 -j DROP
-A INPUT -i eth0 -d 127.0.0.0/8 -j DROP
# Accept Pings
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Accept any established connections
-A RH-Firewall-1-INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Accept ssh, http, https - add other tcp traffic ports here
-A RH-Firewall-1-INPUT -m conntrack --ctstate NEW -m multiport -p tcp --dports 22,80,443 -j ACCEPT
#Log and drop everything else
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
// After the machine has rebooted and a couple of docker containers also started, this is the output of iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
DROP all -- 10.0.0.0/8 anywhere
DROP all -- 172.16.0.0/12 anywhere
DROP all -- 192.168.0.0/16 anywhere
DROP all -- base-address.mcast.net/4 anywhere
DROP all -- 240.0.0.0/5 anywhere
DROP all -- anywhere loopback/8
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT udp -- anywhere 172.17.0.3 udp dpt:domain
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:5000
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere ctstate NEW multiport dports ssh,http,https
LOG all -- anywhere anywhere LOG level warning
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
@garthk

This comment has been minimized.

Copy link

garthk commented May 22, 2014

Nice. I dropped the script into /etc/systemd/system/iptables.service and my rules into /etc/systemd/system/iptables.rules. The rules path aside, the unit worked as advertised. For those coming here via search engines, see also the CoreOS documentation for getting started with systemd.

@porjo

This comment has been minimized.

Copy link

porjo commented Jun 23, 2014

Thanks. If, like me, you need IPv6 rules aswell, the unit file can be extended as follows:

ExecStart=/usr/sbin/iptables-restore /opt/docker/scripts/iptables/iptables.rules ; /usr/sbin/ip6tables-restore /opt/docker/scripts/iptables/ip6tables.rules
ExecReload=/usr/sbin/iptables-restore /opt/docker/scripts/iptables/iptables.rules ; /usr/sbin/ip6tables-restore /opt/docker/scripts/iptables/ip6tables.rules
ExecStop=/usr/sbin/iptables --flush ; /usr/sbin/ip6tables --flush

Then create /opt/docker/scripts/iptables/ip6tables.rules with required ruleset.

@GeekBiker

This comment has been minimized.

Copy link

GeekBiker commented Oct 7, 2014

If you have an INPUT policy of DROP, stopping with only a --flush is a very bad idea. You will be immediately kicked off the system with no way back in if you did not create a console accessible account. Setting the POLICY for the default tables (INPUT, OUTPUT, and FORWARD) to ACCEPT before flushing is necessary.

@GeekBiker

This comment has been minimized.

Copy link

GeekBiker commented Oct 7, 2014

Replace the iptables --flush line with iptables-restore and reference a file with this content:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

@bryanlarsen

This comment has been minimized.

Copy link

bryanlarsen commented Dec 19, 2014

this firewall breaks name resolution in my containers.

@jimmycuadra

This comment has been minimized.

Copy link

jimmycuadra commented Jan 17, 2015

Thought I'd reference this here in case anyone who stumbles upon this Gist would find it useful: A cloud-config file for CoreOS with persistent iptables rules using the built-in iptables-restore.service: https://gist.github.com/jimmycuadra/fe79ae8857f3f0d0cae1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.