Merge pull request 'k8s firewall' (#26) from earl-warren/documentation:wip-firewall into main

Reviewed-on: https://code.forgejo.org/infrastructure/documentation/pulls/26
2024-11-15 09:31:52 +00:00 · 2024-10-17 19:06:36 +00:00 · 2024-10-17 19:06:36 +00:00 · 679177673d
parent e732428516 ab3221ab89
commit 679177673d
1 changed files with 28 additions and 9 deletions
--- a/README.md
+++ b/README.md
@ -65,17 +65,36 @@ lxc-helpers.sh lxc_container_user_install $name $(id -u) $USER

 ## firewall

-Hetzner hosts have a firewall that must be configured from
-https://robot.hetzner.com/server to only allow incoming ssh, http,
-https requests for both IPv4 & IPv6. Each server has a "Firewall" tab
-that provides control over this firewall.
+```sh
+sudo apt-get install ufw
+```

-The firewall applies to the VLAN too. The 10.0.0.0/8 source address
-must therefore be allowed explicitly for IPv4 and that must be the
-first rule of the firewall.
+```sh
+sudo ufw default allow incoming
+sudo ufw default allow outgoing
+sudo ufw default allow routed

-A template "k8s" was defined that can be used for sharing the same
-rules between multiple k8s nodes.
+ips="88.198.58.177 2a01:4f8:222:507::2" # host specific
+
+for host_ip in $ips ; do
+  sudo ufw allow to $host_ip  port 22 proto tcp
+  sudo ufw deny to $host_ip
+done
+
+for public_ip in 188.40.16.47 2a01:4f8:fff2:48::2 ; do
+  sudo ufw allow to $public_ip  port 22,80,443,2000:3000 proto tcp
+  sudo ufw deny to $public_ip
+done
+```
+
+```sh
+sudo systemctl enable ufw
+sudo ufw enable
+```
+
+```sh
+sudo ufw status verbose
+```

 ## nftables