How do I secure a CoreOS machine?

February 15, 2015 3.6k views

When I run a CoreOS machine but default there are no iptables rules set up to block inbound connections. Looking through the tutorials nothing seems to mention this, am I missing something here?

FWIW I've googled around and found a few examples of cloud-config that are supposed to lock things down but they don't seem to work - as soon as I bring up a test nginx container it's available externally on the public IP on whichever port I've bound the containers port 80 to on the host.

Any good examples of how this is supposed to be done (noting that the CoreOS site itself says it's recommended to use a physical firewall, EC2 security groups or similar) - is it possible to achieve this with iptables on the machine itself?

3 Answers

Not sure if this is one of the examples you've already come across, but I find this blog post helpful. The cloud-config file that it describes writes a set of IPTables rules to /var/lib/iptables/rules-save and enables a systemd unit file which will run /sbin/iptables-restore /var/lib/iptables/rules-save to apply the rule set.

You can run this unit file manually with:

 sudo systemctl start iptables-restore.service

Though do note that the IPTables rules used in that post explicitly open port 80, so your Nginx container would still be visible. You'll still need to edit the rules to suit your needs. This tutorial, while written targeting Ubuntu, should point you in the right direction for learning more about IPTable rules.

by Justin Ellingwood
The iptables firewall is a great way to secure your Linux server. In this guide, we'll discuss how to configure iptables rules on an Ubuntu 14.04 server.

this may be a little late but ...

the problem you are having is more likely how you are starting the container.
if you are using docker run .... -p 80:80 ... then the port will open on all interfaces.
if you want it only on the private interface, then you need to docker run ... -p $COREOS_PRIVATE_IPV4:80 ...

  • Do not forget that $COREOSPRIVATEIPV4 is binded to digital ocean private network, but still visible for your neighbours. So it is not suitable to expose things, that should be really secure.

@slezhuk thats absolutely correct, being specific about the IP doesn't mitigate the risk, security within your own faux-private network is your own project.

The fact that @digitalocean doesn't have true private networks is certainly a hurdle ;-)

Have another answer? Share your knowledge.