How to modify (add) iptables rules in awx-on-k3s


HG

Nov 23, 2022, 12:47:44 PM11/23/22
to AWX Project
Hi,

I have installed awx-on-k3s as described by kurokobo on https://github.com/kurokobo/awx-on-k3s.
My postgres database is external and no longer inside a pod/container.
Now I want to add firewall rules to harden the system.
How can I add iptables rules at the host level to close ports that are open from outside while they do not have to be accessible from outside?

Any help?

Regards Hans

AWX Project

Nov 23, 2022, 2:41:43 PM11/23/22
to AWX Project
If you are talking about setting up a firewall on your external database, this is probably not the best place to ask. You should only need to open up the postgres port you specified (default is 5432).

If that is not the case, could you clarify your question?

Thanks,
AWX Team

HG

Nov 23, 2022, 3:13:18 PM11/23/22
to awx-p...@googlegroups.com
No, I want to add rules to close ports (5432 postgres, 53 Dnsmasq and others) from outside.
Imho, since my setup is a single node, all ports used for awx and k3s can be closed, e.g. 10250 etc. Only 22 for ssh and 443 are necessary.
Correct?





--
You received this message because you are subscribed to a topic in the Google Groups "AWX Project" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/awx-project/H8LIrjHhd-c/unsubscribe.
To unsubscribe from this group and all its topics, send an email to awx-project...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/e4f4638f-b230-483f-9536-7736484eacf5n%40googlegroups.com.

HG

Dec 1, 2022, 4:16:05 AM12/1/22
to AWX Project
Hi
I have clarified the question.
Do you have any updates?
Regards Hans

On Wednesday, 23 November 2022 at 20:41:43 UTC+1, AWX Project wrote:

AWX Project

Dec 9, 2022, 1:44:13 PM12/9/22
to AWX Project
Did you ever resolve this? This does not feel like an AWX question directly, as you should be able to close whatever ports you want to on the host, but if you close too much you may lose functionality. Our best suggestion would be to try it and see what happens.

-The AWX Team

HG

Dec 12, 2022, 9:37:25 AM12/12/22
to awx-p...@googlegroups.com
Hi,
No I have not yet been able to do this.
But I am researching
Regards Hans-Peter

On Fri, 9 Dec 2022 at 19:44, AWX Project <awx-p...@googlegroups.com> wrote:

HG

Mar 2, 2023, 3:59:11 AM3/2/23
to AWX Project
Hi
I finally got it working on Red Hat!!

  1. Remove iptables/firewalld (if installed)
  2. Install nftables
    Since nftables is based on eBPF you will not see a process running. You will see the service as active when you do systemctl status nftables.
    K3S will add the rules to nftables.
  3. Create a script to add a new table that meets your requirements

I have attached my script.
Apart from ssh, 443 and 9090, it allows connections to 5432 for postgres (in my case it is unmanaged).

On Friday, 9 December 2022 at 19:44:13 UTC+1, AWX Project wrote:
inet.nft
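An added example of what step 3 above could look like, written as a standalone nftables ruleset for a single-node awx-on-k3s host; this is not the attached inet.nft and not the author's script. It assumes an uplink interface named ens192, the k3s default pod CIDR 10.42.0.0/16 with flannel's cni0/flannel.1 interfaces, and a constructed 192.0.2.0/24 network for the database client side; adjust these before use.

```nft
#!/usr/sbin/nft -f
# Constructed example for a single-node awx-on-k3s host (not the thread's
# attached script). Assumptions: uplink is ens192, pods live in 10.42.0.0/16
# behind cni0/flannel.1, and 192.0.2.0/24 stands in for the postgres clients.

# Create-or-reuse our own table and empty only it. Never 'flush ruleset' here:
# k3s (kube-proxy via iptables-nft) keeps its rules in the same ruleset and
# would lose them.
table inet hostfw
flush table inet hostfw

table inet hostfw {
    chain input {
        # A drop policy in this base chain is final even if a k3s chain at
        # the same priority accepts the packet.
        type filter hook input priority filter; policy drop;

        # Loopback and already-established flows.
        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Pod network to host, otherwise CoreDNS, kube-proxy health checks
        # and the AWX pods lose access to the node.
        iifname { "cni0", "flannel.1" } accept
        ip saddr 10.42.0.0/16 accept

        # ICMP keeps PMTU discovery and basic diagnostics working.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Services kept reachable in the thread: ssh, HTTPS (AWX ingress), 9090.
        tcp dport { 22, 443, 9090 } accept

        # PostgreSQL 5432, restricted to the constructed client network rather
        # than left open as in the thread.
        ip saddr 192.0.2.0/24 tcp dport 5432 accept

        # Everything else arriving on the uplink (k3s 6443/10250, dnsmasq 53,
        # etc.) falls through to the drop policy; log a sample for visibility.
        iifname "ens192" limit rate 10/minute log prefix "hostfw-drop: "
    }
}
```

Load it with `nft -f inet.nft` and check with `nft list table inet hostfw`; because only the hostfw table is flushed, the k3s-managed tables survive a reload.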