How do I secure a CoreOS machine?

  • Posted February 15, 2015

When I run a CoreOS machine, by default there are no iptables rules set up to block inbound connections. Looking through the tutorials, nothing seems to mention this. Am I missing something here?

FWIW I’ve googled around and found a few examples of cloud-config that are supposed to lock things down, but they don’t seem to work - as soon as I bring up a test nginx container it’s available externally on the public IP on whichever port I’ve bound the container’s port 80 to on the host.

Any good examples of how this is supposed to be done (noting that the CoreOS site itself says it’s recommended to use a physical firewall, EC2 security groups or similar) - is it possible to achieve this with iptables on the machine itself?


@slezhuk that’s absolutely correct, being specific about the IP doesn’t mitigate the risk; security within your own faux-private network is your own project.

The fact that @digitalocean doesn’t have true private networks is certainly a hurdle ;-)

This may be a little late but …

The problem you are having is more likely how you are starting the container. If you are using docker run ... -p 80:80 ..., then the port will open on all interfaces. If you want it only on the private interface, then you need to docker run ... -p $COREOS_PRIVATE_IPV4:80 ...

Not sure if this is one of the examples you’ve already come across, but I find this blog post helpful. The cloud-config file that it describes writes a set of IPTables rules to /var/lib/iptables/rules-save and enables a systemd unit file which will run /sbin/iptables-restore /var/lib/iptables/rules-save to apply the rule set.

You can run this unit file manually with:

 sudo systemctl start iptables-restore.service

Though do note that the IPTables rules used in that post explicitly open port 80, so your Nginx container would still be visible. You’ll still need to edit the rules to suit your needs. This tutorial, while written targeting Ubuntu, should point you in the right direction for learning more about IPTables rules.
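As an added example (not from the thread above or from the blog post it links), the script below generates the kind of rules-save file that iptables-restore consumes, with INPUT defaulting to DROP and only SSH plus an explicit allow-list of TCP ports accepted, and the matching oneshot systemd unit. It does not touch the live firewall; the file path /var/lib/iptables/rules-save and the unit name iptables-restore.service are taken from the answer, everything else (function names, the Before=docker.service ordering, the choice of allowed ports) is an assumption for illustration. Two caveats worth knowing: iptables-restore replaces the whole filter table unless run with --noflush, so the file must carry every rule the host needs, and Docker's published ports are DNATed and pass through the FORWARD chain rather than INPUT, which is why an INPUT-only ruleset leaves a -p 80:80 container reachable and why binding -p to the private IP, as the earlier answer suggests, is the complementary control.

```shell
#!/bin/sh
# Added example, not code from the original thread or the linked blog post.
# Generates an iptables-save format ruleset for /var/lib/iptables/rules-save
# and the oneshot unit that restores it on boot. Assumed names: build_rules,
# unit_file, port_allowed, write_rules.

# build_rules PORT... : print a filter-table ruleset. Inbound traffic is
# dropped unless it is loopback, a reply to an established connection,
# ICMP echo, SSH, or one of the TCP ports given as arguments.
build_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    # FORWARD stays ACCEPT: Docker manages that chain for container traffic,
    # so published container ports are governed by how -p is bound, not here.
    printf '%s\n' ':FORWARD ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    printf '%s\n' '-A INPUT -p tcp --dport 22 -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# unit_file : print the systemd unit that applies the saved ruleset.
# Ordering before docker.service (assumed) keeps Docker's own rules from
# being flushed by the restore.
unit_file() {
    cat <<'EOF'
[Unit]
Description=Restore iptables rules
Before=docker.service

[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore /var/lib/iptables/rules-save

[Install]
WantedBy=multi-user.target
EOF
}

# port_allowed RULESET PORT : succeed if RULESET explicitly accepts TCP PORT.
# Useful as a pre-deploy check that port 80 is NOT in the list.
port_allowed() {
    printf '%s\n' "$1" | grep -q -- "--dport $2 -j ACCEPT"
}

# write_rules PATH PORT... : write the ruleset to PATH and report line count.
write_rules() {
    path=$1
    shift
    build_rules "$@" > "$path"
    wc -l < "$path" | tr -d ' '
}

# Usage (as root on the host, after reviewing the output):
#   write_rules /var/lib/iptables/rules-save 443
#   unit_file > /etc/systemd/system/iptables-restore.service
#   systemctl enable iptables-restore.service && systemctl start iptables-restore.service
```

Run build_rules with only the ports you intend to expose on the host itself; if port_allowed reports 80 as accepted, the file still carries the blog post's explicit port 80 line and needs editing before it is restored.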