openshift 4.3 firewall

This note records how to apply a host firewall on OpenShift cluster hosts. It is useful when a customer runs internal scanning audits against the nodes.

The approach is simple: use systemd to inject a new service that starts a locally customized script at boot.

The same technique can be used for anything else you want to hack on CoreOS :)

coreos

For CoreOS, masters in particular. The MachineConfig below is picked up by the Machine Config Operator, which reboots each master in turn to apply it. Before applying it, make sure the allowlist already contains every source the cluster itself uses to reach the node (the other nodes, the API load balancer, and whatever source addresses the SDN uses for pod-to-host traffic); otherwise the masters come back unreachable and the MachineConfig has to be deleted again.

```bash
# 1. the firewall script that will run on every boot
cat << EOF > wzh.script
#!/bin/bash
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 127.0.0.1/32 -j ACCEPT
iptables -A INPUT -s 223.87.20.0/24 -j ACCEPT
iptables -A INPUT -s 117.177.241.0/24 -j ACCEPT
iptables -A INPUT -s 39.134.200.0/24 -j ACCEPT
iptables -A INPUT -s 192.168.7.0/24 -j ACCEPT
iptables -A INPUT -s 112.44.102.224/27 -j ACCEPT
iptables -A INPUT -s 47.93.86.113/32 -j ACCEPT
iptables -A INPUT -p tcp -j REJECT
iptables -A INPUT -p udp -j REJECT
EOF

# 2. percent-encode the script so it can be embedded as a data: URL in the Ignition config
var_local=$(cat ./wzh.script | python3 -c "import sys, urllib.parse; print(urllib.parse.quote(''.join(sys.stdin.readlines())))" )

# 3. MachineConfig: drop the script at /etc/rc.d/wzh.local plus a oneshot unit that runs it
cat <<EOF > 45-master-wzh-service.yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 45-master-wzh-service
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:text/plain,${var_local}
          verification: {}
        filesystem: root
        mode: 0755
        path: /etc/rc.d/wzh.local
    systemd:
      units:
      - name: wzh.service
        enabled: true
        contents: |
          [Unit]
          Description=/etc/rc.d/wzh.local Compatibility
          Documentation=zhengwan@redhat.com
          ConditionFileIsExecutable=/etc/rc.d/wzh.local
          After=network.target
          [Service]
          Type=oneshot
          User=root
          Group=root
          ExecStart=/bin/bash -c /etc/rc.d/wzh.local
          [Install]
          WantedBy=multi-user.target
EOF

# MachineConfig is cluster-scoped, so -n has no effect here; the MCO rolls the masters (one reboot each)
oc apply -f 45-master-wzh-service.yaml -n openshift-config

# to take it out again (same file name as above; the masters are rolled once more)
oc delete -f 45-master-wzh-service.yaml -n openshift-config
```
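The recipe above is a chain of three steps (script, percent-encoded data: URL, Ignition file plus systemd unit), and the only thing that verifies the result is whether the master comes back after its reboot. The following is an added example, not code from the original page: a small Python generator that follows the same recipe but validates the allowlist first (a CIDR with host bits set, such as 192.168.7.1/24, is rejected instead of being silently widened to the whole /24 by iptables) and decodes the embedded payload back out of the manifest to prove it round-trips. `SAMPLE_ALLOWLIST` is constructed input; the MachineConfig name, paths and unit contents are the page's own.

```python
"""Generate the page's MachineConfig from an allowlist and check the payload.

Added example, not code from the original page.  It follows the page's recipe
(script -> percent-encoded data: URL -> Ignition 2.2.0 file plus a oneshot
systemd unit) but validates the allowlist first and decodes the embedded
payload back to prove it round-trips.  SAMPLE_ALLOWLIST is constructed input.
"""
import ipaddress
import urllib.parse

SAMPLE_ALLOWLIST = ["127.0.0.1/32", "192.168.7.0/24", "112.44.102.224/27"]  # constructed
SCRIPT_PATH = "/etc/rc.d/wzh.local"
UNIT_NAME = "wzh.service"


def validate_allowlist(entries):
    """Return entries as canonical IPv4 CIDRs; raise ValueError on anything else.

    strict=True refuses host bits set under the mask (192.168.7.1/24): iptables
    and ipset would silently widen such a typo to the whole /24.
    """
    nets = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=True)
        if net.version != 4:
            raise ValueError(f"iptables script is IPv4 only: {entry}")
        nets.append(str(net))
    return nets


def is_valid_entry(entry):
    """Boolean form of validate_allowlist for a single entry."""
    try:
        validate_allowlist([entry])
        return True
    except ValueError:
        return False


def render_script(allowlist):
    """The firewall script in the page's shape: conntrack, allowlist, reject tcp/udp."""
    lines = ["#!/bin/bash",
             "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    lines += [f"iptables -A INPUT -s {net} -j ACCEPT" for net in validate_allowlist(allowlist)]
    lines += ["iptables -A INPUT -p tcp -j REJECT",
              "iptables -A INPUT -p udp -j REJECT"]
    return "\n".join(lines) + "\n"


UNIT_TEMPLATE = "\n".join([
    "[Unit]",
    f"Description={SCRIPT_PATH} Compatibility",
    f"ConditionFileIsExecutable={SCRIPT_PATH}",
    "After=network.target",
    "[Service]",
    "Type=oneshot",
    "User=root",
    "Group=root",
    f"ExecStart=/bin/bash -c {SCRIPT_PATH}",
    "[Install]",
    "WantedBy=multi-user.target",
])


def render_machineconfig(script, role="master"):
    """Embed the script as a percent-encoded data: URL in an Ignition 2.2.0 MachineConfig."""
    encoded = urllib.parse.quote(script)  # same call the page pipes the script through
    unit_block = "\n".join("          " + line for line in UNIT_TEMPLATE.splitlines())
    return f"""apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: {role}
  name: 45-{role}-wzh-service
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:text/plain,{encoded}
          verification: {{}}
        filesystem: root
        mode: 0755
        path: {SCRIPT_PATH}
    systemd:
      units:
      - name: {UNIT_NAME}
        enabled: true
        contents: |
{unit_block}
"""


def extract_payload(manifest):
    """Find the data: URL in a rendered manifest and decode it (round-trip check)."""
    prefix = "source: data:text/plain,"
    for line in manifest.splitlines():
        line = line.strip()
        if line.startswith(prefix):
            return urllib.parse.unquote(line[len(prefix):])
    raise ValueError("no data: URL in manifest")


if __name__ == "__main__":
    script = render_script(SAMPLE_ALLOWLIST)
    manifest = render_machineconfig(script)
    assert extract_payload(manifest) == script
    print(manifest, end="")  # e.g. python3 gen_mc.py > 45-master-wzh-service.yaml
```

Run it and redirect the output to the YAML file, then `oc apply` that file as above; `extract_payload` is also handy on a manifest someone else hands you, to see what script it actually installs before it is rolled out to every master.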

for rhel with firewalld

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-setting_and_controlling_ip_sets_using_firewalld

https://unix.stackexchange.com/questions/159873/whitelist-source-ip-addresses-in-centos-7

```bash
firewall-cmd --get-ipset-types
firewall-cmd --permanent --get-ipsets

# a hash:net set takes CIDRs, not only single hosts
firewall-cmd --permanent --new-ipset=my-allow-list --type=hash:net
firewall-cmd --permanent --get-ipsets
# firewall-cmd --permanent --info-ipset=my-allow-list

cat > /root/ocp4/iplist.txt <<EOL
127.0.0.1/32
223.87.20.0/24
117.177.241.0/24
39.134.200.0/24
39.134.201.0/24
39.137.101.0/24
192.168.7.0/24
112.44.102.224/27
47.93.86.113/32
EOL
# full path, so this works from any working directory
firewall-cmd --permanent --ipset=my-allow-list --add-entries-from-file=/root/ocp4/iplist.txt
firewall-cmd --permanent --ipset=my-allow-list --get-entries

# sources in the set are bound to the trusted zone ...
firewall-cmd --permanent --zone=trusted --add-source=ipset:my-allow-list
firewall-cmd --reload
firewall-cmd --list-all
# firewall-cmd --permanent --zone=trusted --add-source=192.168.7.0/24
firewall-cmd --get-active-zones

# ... and everything else falls into the default zone, which is switched to block
# firewall-cmd --zone=block --change-interface=em1
firewall-cmd --set-default-zone=block
firewall-cmd --runtime-to-permanent
firewall-cmd --reload
firewall-cmd --list-all-zones
firewall-cmd --get-default-zone
```

for rhel with iptables

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-setting_and_controlling_ip_sets_using_iptables

```bash
# secure for anti-scan
cat << EOF >> /etc/rc.local
ipset create my-allow-set hash:net
ipset add my-allow-set 127.0.0.1/32
ipset add my-allow-set 223.87.20.0/24
ipset add my-allow-set 117.177.241.0/24
ipset add my-allow-set 39.134.200.0/24
ipset add my-allow-set 39.134.201.0/24
ipset add my-allow-set 39.137.101.0/24
ipset add my-allow-set 192.168.7.0/24
ipset add my-allow-set 112.44.102.224/27
ipset add my-allow-set 47.93.86.113/32
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m set --match-set my-allow-set src -j ACCEPT
iptables -A INPUT -p tcp -j REJECT
iptables -A INPUT -p udp -j REJECT
EOF
# /etc/rc.local is a symlink to /etc/rc.d/rc.local on RHEL 7; rc-local.service only runs it when it is executable
chmod +x /etc/rc.d/rc.local
systemctl enable rc-local
# systemctl start rc-local

ipset list

# scanner sources discovered later: add them to the live set (ipset is not persistent,
# so also append them to /etc/rc.local or they are gone after the next reboot)
# 221.226.0.75
# 210.21.236.182
# 61.132.54.2
ipset add my-allow-set 221.226.0.75/32
ipset add my-allow-set 210.21.236.182/32
ipset add my-allow-set 61.132.54.2/32
```
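Both RHEL variants (the firewalld trusted/block zones above and the ipset/iptables rules just shown) make the same decision: a source in the allowlist is accepted, everything else is rejected. Before a ruleset like this is put into rc.local on a node it is worth dry-running it against a handful of packets, because the iptables version has a gap that is easy to miss: it only REJECTs `-p tcp` and `-p udp`, so any other protocol falls through to the chain policy. The following is an added example, not the page's code: `verdict()` walks the appended rules in the order rc.local installs them and returns the target a packet would hit. `ALLOW_SET` and `PROBES` are constructed inputs, the chain is assumed to be otherwise empty, and the policy is assumed to be the stock ACCEPT unless overridden.

```python
"""Dry-run the page's INPUT chain against a few probe packets.

Added example, not the page's code.  verdict() walks the appended rules in
the order rc.local installs them (conntrack accept, ipset match accept,
REJECT tcp, REJECT udp); a packet that matches none of them gets the chain
policy, assumed ACCEPT as on a stock RHEL host.  The chain is assumed to hold
no other rules.  ALLOW_SET and PROBES are constructed inputs.
"""
import ipaddress

ALLOW_SET = [ipaddress.ip_network(n) for n in (
    "127.0.0.1/32", "192.168.7.0/24", "112.44.102.224/27", "47.93.86.113/32")]
CHAIN_POLICY = "ACCEPT"  # assumption: `iptables -P INPUT` left at its default


def in_allow_set(src):
    """What `-m set --match-set my-allow-set src` decides for a source address."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOW_SET)


def verdict(src, proto, state="NEW", policy=CHAIN_POLICY):
    """Terminal target for one packet: ACCEPT, REJECT or the chain policy."""
    if state in ("ESTABLISHED", "RELATED"):   # replies on connections already allowed
        return "ACCEPT"
    if in_allow_set(src):
        return "ACCEPT"
    if proto in ("tcp", "udp"):
        return "REJECT"
    return policy                             # icmp, sctp, gre, ...: no rule matches


def audit(probes, policy=CHAIN_POLICY):
    """Run every (src, proto, state) probe; return {probe: verdict}."""
    return {probe: verdict(*probe, policy=policy) for probe in probes}


PROBES = [
    ("192.168.7.10", "tcp", "NEW"),        # another node in the cluster subnet
    ("112.44.102.250", "tcp", "NEW"),      # inside 112.44.102.224/27 (hosts .224-.255)
    ("112.44.102.200", "tcp", "NEW"),      # just outside that /27
    ("221.226.0.75", "tcp", "NEW"),        # scanner address not (yet) in the set
    ("221.226.0.75", "udp", "NEW"),
    ("221.226.0.75", "icmp", "NEW"),       # ping from that scanner
]

if __name__ == "__main__":
    for policy in ("ACCEPT", "DROP"):
        print(f"chain policy {policy}:")
        for (src, proto, state), v in audit(PROBES, policy).items():
            print(f"  {src:>15} {proto:<5} {state:<4} -> {v}")
```

With the default ACCEPT policy the last probe shows the gap: every TCP and UDP port from the scanner is rejected, but its ping (and any other non-TCP/UDP IP protocol) is accepted because no rule matches it. Either set `iptables -P INPUT DROP` or append a final catch-all `iptables -A INPUT -j REJECT` after the udp rule; the second run of the dry run, with `policy="DROP"`, shows what the chain then returns for those packets.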

other record

```bash
# clear the /run/pivot/reboot-needed marker on every machine-config-daemon host
# https://bugzilla.redhat.com/show_bug.cgi?id=1723327
# https://access.redhat.com/solutions/4264181
for i in $(oc get pods -n openshift-machine-config-operator -l k8s-app=machine-config-daemon -o go-template --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}' | xargs); do
  oc rsh -n openshift-machine-config-operator $i chroot /rootfs rm -rf /run/pivot/reboot-needed
done

# on a node: go back to the previous ostree deployment
rpm-ostree rollback --reboot

# the unit on its own, percent-encoded the same way as the script (for embedding as a data: URL)
cat << EOF > wzh.service
[Unit]
Description=/etc/rc.d/wzh.local Compatibility
Documentation=zhengwan@redhat.com
ConditionFileIsExecutable=/etc/rc.d/wzh.local
After=network.target
[Service]
Type=oneshot
User=root
Group=root
ExecStart=/bin/bash -c /etc/rc.d/wzh.local
[Install]
WantedBy=multi-user.target
EOF
var_service=$(cat ./wzh.service | python3 -c "import sys, urllib.parse; print(urllib.parse.quote(''.join(sys.stdin.readlines())))" )
```