控制节点(主节点)所需要的端口如下:
| 协议 | 端口 | 服务 |
|---|---|---|
| TCP | 6443 | k8s API server |
| TCP | 2379-2380 | etcd server client API |
| TCP | 10250 | Kubelet API |
| TCP | 10251 | kube-scheduler |
| TCP | 10252 | kube-controller-manager |
| TCP | 10255 | Read-only Kubelet API |
| UDP | 8472 | flannel |
| TCP | 9099,9100 | calico | ||
| TCP | 179 | bgp |
| TCP | 111 | rpcbind | 使用 NFS 作为持久化存储 | ||
| IPIP | Calico 需要允许 IPIP 协议 |
计算节点
计算节点(工作节点)所需要的端口如下,如果你的控制节点也要运行容器,也需要开启这些端口:
| 协议 | 端口 | 服务 |
|---|---|---|
| TCP | 10250 | Kubelet API |
| TCP | 10255 | Read-only Kubelet API |
| TCP | 30000-32767 | NodePort Services |
| TCP | 9099,9100 | calico | ||
| TCP | 179 | bgp |
| TCP | 111 | rpcbind | 使用 NFS 作为持久化存储 | ||
| IPIP | Calico 需要允许 IPIP 协议 |
配置防火墙策略
kubernetes master:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 |
################# # NAT # ################# *nat :PREROUTING ACCEPT [27:11935] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [598:57368] :POSTROUTING ACCEPT [591:57092] :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE -A POSTROUTING -j MASQUERADE COMMIT ################# # filter # ################# *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :DOCKER - [0:0] # 这里对已经建立连接的包直接放行,以提高iptables 效率(此条规则通常放在第一条) -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #允许ping -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT #本机设备放行 -A INPUT -i lo -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT #开放sshd服务 -A INPUT -p tcp -m tcp --dport 22 -m recent --name sshd --set -j LOG --log-prefix "SSHLogin:" -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT # ----- kubernetes master ------ # k8s API server -A INPUT -m state --state NEW -m tcp -p tcp --dport 6443 -j ACCEPT # etcd server client API -A INPUT -m state --state NEW -m tcp -p tcp --dport 2379:2380 -j ACCEPT # Kubelet API -A INPUT -m state --state NEW -m tcp -p tcp --dport 10250 -j ACCEPT # kube-scheduler -A INPUT -m state --state NEW -m tcp -p tcp --dport 10251 -j ACCEPT # kube-controller-manager -A INPUT -m state --state NEW -m tcp -p tcp --dport 10252 -j ACCEPT # Read-only Kubelet API -A INPUT -m state --state NEW -m tcp -p tcp --dport 10255 -j ACCEPT # calico -A INPUT -m state --state NEW -m tcp -p tcp --dport 9099:9100 -j ACCEPT # bgp -A INPUT -m state --state NEW -m tcp -p tcp --dport 179 -j ACCEPT # nodeport (如果控制节点也要运行容器) -A INPUT -m state --state NEW -m tcp -p tcp --dport 30000:32767 -j ACCEPT # dns -A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT # rpcbind if use nfs -A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT #开放node-exporter数据 -A INPUT -m state --state NEW -m tcp -p tcp --dport 9100 -j ACCEPT #允许 80 443 端口,http 和 https -A INPUT -i eth0 -m state --state NEW -p tcp --dport 80 -j ACCEPT -A INPUT -i eth0 -m state --state NEW -p tcp --dport 443 -j ACCEPT # docker -A FORWARD -o docker0 -j DOCKER -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i docker0 ! -o docker0 -j ACCEPT -A FORWARD -i docker0 -o docker0 -j ACCEPT #处理IP碎片数量,防止攻击,允许每秒100个 -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT #不允许来自外部的ping测试 -A INPUT -p icmp --icmp-type echo-request -j REJECT #-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT #禁止ping #-A INPUT -p icmp -i eth0 -j DROP #设置ICMP包过滤,允许每秒1个包,限制触发条件是10个包 -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT #################### #DROP RULL #################### #丢弃坏的TCP包 #-A FORWARD -p TCP ! --syn -m state --state NEW -j DROP # Reject spoofed packets -A INPUT -s 169.254.0.0/16 -j DROP -A INPUT -s 172.16.0.0/12 -j DROP -A INPUT -s 127.0.0.0/8 -j DROP -A INPUT -s 224.0.0.0/4 -j DROP -A INPUT -d 224.0.0.0/4 -j DROP -A INPUT -s 240.0.0.0/5 -j DROP -A INPUT -d 240.0.0.0/5 -j DROP -A INPUT -s 0.0.0.0/8 -j DROP -A INPUT -d 0.0.0.0/8 -j DROP -A INPUT -d 239.255.255.0/24 -j DROP -A INPUT -d 255.255.255.255 -j DROP # Stop smurf attacks -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP -A INPUT -p icmp -m icmp --icmp-type 8 -j DROP # Drop all invalid packets -A INPUT -m state --state INVALID -j DROP #-A FORWARD -m state --state INVALID -j DROP -A OUTPUT -m state --state INVALID -j DROP -A INPUT -m conntrack --ctstate INVALID -j DROP #drop 3128端口是 squid 的默认端口 -A INPUT -p tcp --dport 3128 -j DROP # Drop excessive RST packets to avoid smurf attacks -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT # Attempt to block portscans # Anyone who tried to portscan us is locked out for an entire day. -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP # Once the day has passed, remove them from the portscan list -A INPUT -m recent --name portscan --remove -A FORWARD -m recent --name portscan --remove #禁止其他未允许的规则访问 -A INPUT -j DROP #-A OUTPUT -j DROP #-A FORWARD -j DROP COMMIT |
kubernetes node
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 |
################# # NAT # ################# *nat :PREROUTING ACCEPT [27:11935] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [598:57368] :POSTROUTING ACCEPT [591:57092] :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE #-A POSTROUTING -j MASQUERADE COMMIT ################# # filter # ################# *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :DOCKER - [0:0] # 这里对已经建立连接的包直接放行,以提高iptables 效率(此条规则通常放在第一条) -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #允许ping -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT #本机设备放行 -A INPUT -i lo -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT #开放sshd服务 -A INPUT -p tcp -m tcp --dport 22 -m recent --name sshd --set -j LOG --log-prefix "SSHLogin:" -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT # ----- kubernetes master ------ # Kubelet API -A INPUT -m state --state NEW -m tcp -p tcp --dport 10250 -j ACCEPT # Read-only Kubelet API -A INPUT -m state --state NEW -m tcp -p tcp --dport 10255 -j ACCEPT # calico -A INPUT -m state --state NEW -m tcp -p tcp --dport 9099:9100 -j ACCEPT # bgp -A INPUT -m state --state NEW -m tcp -p tcp --dport 179 -j ACCEPT # nodeport (如果控制节点也要运行容器) -A INPUT -m state --state NEW -m tcp -p tcp --dport 30000:32767 -j ACCEPT # dns -A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT # rpcbind if use nfs -A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT #开放node-exporter数据 -A INPUT -m state --state NEW -m tcp -p tcp --dport 9100 -j ACCEPT # docker -A FORWARD -o docker0 -j DOCKER -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i docker0 ! -o docker0 -j ACCEPT -A FORWARD -i docker0 -o docker0 -j ACCEPT #处理IP碎片数量,防止攻击,允许每秒100个 -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT #不允许来自外部的ping测试 #-A INPUT -p icmp --icmp-type echo-request -j REJECT #禁止ping #-A INPUT -p icmp -i eth0 -j DROP #设置ICMP包过滤,允许每秒1个包,限制触发条件是10个包 -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT #################### #DROP RULL #################### #丢弃坏的TCP包 #-A FORWARD -p TCP ! --syn -m state --state NEW -j DROP # Reject spoofed packets -A INPUT -s 169.254.0.0/16 -j DROP -A INPUT -s 172.16.0.0/12 -j DROP -A INPUT -s 127.0.0.0/8 -j DROP -A INPUT -s 224.0.0.0/4 -j DROP -A INPUT -d 224.0.0.0/4 -j DROP -A INPUT -s 240.0.0.0/5 -j DROP -A INPUT -d 240.0.0.0/5 -j DROP -A INPUT -s 0.0.0.0/8 -j DROP -A INPUT -d 0.0.0.0/8 -j DROP -A INPUT -d 239.255.255.0/24 -j DROP -A INPUT -d 255.255.255.255 -j DROP # Stop smurf attacks -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP -A INPUT -p icmp -m icmp --icmp-type 8 -j DROP # Drop all invalid packets -A INPUT -m state --state INVALID -j DROP #-A FORWARD -m state --state INVALID -j DROP -A OUTPUT -m state --state INVALID -j DROP -A INPUT -m conntrack --ctstate INVALID -j DROP #drop 3128端口是 squid 的默认端口 -A INPUT -p tcp --dport 3128 -j DROP # Drop excessive RST packets to avoid smurf attacks -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT # Attempt to block portscans # Anyone who tried to portscan us is locked out for an entire day. -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP # Once the day has passed, remove them from the portscan list -A INPUT -m recent --name portscan --remove -A FORWARD -m recent --name portscan --remove #禁止其他未允许的规则访问 -A INPUT -j DROP #-A OUTPUT -j DROP #-A FORWARD -j DROP COMMIT |
0 Comments