Question

How do I secure a CoreOS machine?

Posted February 15, 2015 8.8k views

When I run a CoreOS machine but default there are no iptables rules set up to block inbound connections. Looking through the tutorials nothing seems to mention this, am I missing something here?

FWIW I’ve googled around and found a few examples of cloud-config that are supposed to lock things down but they don’t seem to work - as soon as I bring up a test nginx container it’s available externally on the public IP on whichever port I’ve bound the containers port 80 to on the host.

Any good examples of how this is supposed to be done (noting that the CoreOS site itself says it’s recommended to use a physical firewall, EC2 security groups or similar) - is it possible to achieve this with iptables on the machine itself?

Add a comment
timmit
By:
timmit
Add a comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
3 answers
johnjansen August 12, 2015

@slezhuk thats absolutely correct, being specific about the IP doesn’t mitigate the risk, security within your own faux-private network is your own project.

The fact that @digitalocean doesn’t have true private networks is certainly a hurdle ;-)

Reply Report
asb February 18, 2015

Not sure if this is one of the examples you’ve already come across, but I find this blog post helpful. The cloud-config file that it describes writes a set of IPTables rules to /var/lib/iptables/rules-save and enables a systemd unit file which will run /sbin/iptables-restore /var/lib/iptables/rules-save to apply the rule set.

You can run this unit file manually with:

 sudo systemctl start iptables-restore.service

Though do note that the IPTables rules used in that post explicitly open port 80, so your Nginx container would still be visible. You’ll still need to edit the rules to suit your needs. This tutorial, while written targeting Ubuntu, should point you in the right direction for learning more about IPTable rules.

How To Set Up a Firewall Using Iptables on Ubuntu 14.04
by Justin Ellingwood
The iptables firewall is a great way to secure your Linux server. In this guide, we'll discuss how to configure iptables rules on an Ubuntu 14.04 server.
Reply Report
johnjansen April 9, 2015

this may be a little late but …

the problem you are having is more likely how you are starting the container.
if you are using docker run .... -p 80:80 ... then the port will open on all interfaces.
if you want it only on the private interface, then you need to docker run ... -p $COREOS_PRIVATE_IPV4:80 ...

Reply Report
  • slezhuk August 11, 2015

    Do not forget that $COREOSPRIVATEIPV4 is binded to digital ocean private network, but still visible for your neighbours. So it is not suitable to expose things, that should be really secure.

    Reply Report
Submit an Answer

Looking for something else?

Ask a new question Search for more help