From d9420f8ac4440888b448796be09fc1b3dac3a57b Mon Sep 17 00:00:00 2001 From: Earl Warren Date: Thu, 17 Oct 2024 19:08:00 +0200 Subject: [PATCH 1/2] k8s: hetzner firewall is not good enough --- README.md | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/README.md b/README.md index 6f3b4e7..98375ff 100644 --- a/README.md +++ b/README.md @@ -65,17 +65,6 @@ lxc-helpers.sh lxc_container_user_install $name $(id -u) $USER ## firewall -Hetzner hosts have a firewall that must be configured from -https://robot.hetzner.com/server to only allow incoming ssh, http, -https requests for both IPv4 & IPv6. Each server has a "Firewall" tab -that provides control over this firewall. - -The firewall applies to the VLAN too. The 10.0.0.0/8 source address -must therefore be allowed explicitly for IPv4 and that must be the -first rule of the firewall. - -A template "k8s" was defined that can be used for sharing the same -rules between multiple k8s nodes. ## nftables From ab3221ab8918984cde6318edbb6371830e78f31d Mon Sep 17 00:00:00 2001 From: Earl Warren Date: Thu, 17 Oct 2024 20:24:03 +0200 Subject: [PATCH 2/2] k8s ufw firewall --- README.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/README.md b/README.md index 98375ff..7f5c0cc 100644 --- a/README.md +++ b/README.md @@ -65,6 +65,36 @@ lxc-helpers.sh lxc_container_user_install $name $(id -u) $USER ## firewall +```sh +sudo apt-get install ufw +``` + +```sh +sudo ufw default allow incoming +sudo ufw default allow outgoing +sudo ufw default allow routed + +ips="88.198.58.177 2a01:4f8:222:507::2" # host specific + +for host_ip in $ips ; do + sudo ufw allow to $host_ip port 22 proto tcp + sudo ufw deny to $host_ip +done + +for public_ip in 188.40.16.47 2a01:4f8:fff2:48::2 ; do + sudo ufw allow to $public_ip port 22,80,443,2000:3000 proto tcp + sudo ufw deny to $public_ip +done +``` + +```sh +sudo systemctl enable ufw +sudo ufw enable +``` + +```sh +sudo ufw status verbose +``` ## nftables
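Review bot: the first hunk (PATCH 1/2) leaves an empty `## firewall` heading directly above `## nftables` and drops the only documented operational detail about the Hetzner firewall (that it also filters the VLAN and that the `10.0.0.0/8` source must be the first rule) without saying what replaces it or whether the existing "k8s" template at https://robot.hetzner.com/server should be deleted or left in place. The commit message says the Hetzner firewall "is not good enough" but the README no longer tells an operator whether that firewall is still active in front of the hosts; suggest keeping a one-line note under `## firewall` such as "The Hetzner Robot firewall is no longer relied on for these hosts (see the ufw rules below)" so the deletion is self-explanatory, and stating whether the Robot template must be removed to avoid two layers filtering the same traffic.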
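Review bot: in the second hunk (PATCH 2/2) the policy `sudo ufw default allow incoming` combined with `sudo ufw deny to $host_ip` means the host is only protected on the addresses listed in `ips` and in the `188.40.16.47 2a01:4f8:fff2:48::2` loop; any packet arriving for an address not in those lists (a VLAN address in `10.0.0.0/8`, a link-local address, or an IP added later) is accepted by default. If that is intentional for k8s node-to-node traffic it should be stated in a comment next to the `ufw default` lines, otherwise `default deny incoming` with explicit `allow` rules is the safer shape. Two smaller points: the ports `2000:3000` in `sudo ufw allow to $public_ip port 22,80,443,2000:3000 proto tcp` have no explanation of what service they carry, and `sudo ufw limit to $host_ip port 22 proto tcp` would add ufw's built-in SSH rate limiting for free. Since the rules include IPv6 addresses, also worth noting that `IPV6=yes` in `/etc/default/ufw` is required for the `2a01:...` rules to be installed (it is the default on Debian/Ubuntu, but `sudo ufw status verbose` should show both v4 and v6 entries after `sudo ufw enable`).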