openshift 4.3 firewall

本文记录如何在 OpenShift 集群主机上应用防火墙。这对于有内部扫描审计要求的客户来说很有用。

做法很简单,就是调用systemd来注入一个新服务,启动本地定制化脚本。

这种做法可以用来做任何你想在coreos瞎搞的事情:)

coreos

以下做法适用于 CoreOS 节点,特别是 master 节点。


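# Firewall script that ends up on every master as /etc/rc.d/wzh.local and is
# run once per boot by wzh.service (see the MachineConfig below).
# Rule order: replies to established/related connections first, then the
# source allow-list, then reject every other new tcp/udp connection
# (icmp is not covered by the two REJECT rules).
# NOTE(review): the rules are appended with -A and nothing flushes first, so
# running the script a second time by hand stacks duplicate rules. The
# allow-list must contain every network the cluster uses for node-to-node
# traffic or control-plane traffic gets rejected as well — 192.168.7.0/24
# looks like that network here; confirm against the cluster install config.
cat << 'EOF' > wzh.script
#!/bin/bash

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 127.0.0.1/32 -j ACCEPT
iptables -A INPUT -s 223.87.20.0/24 -j ACCEPT
iptables -A INPUT -s 117.177.241.0/24 -j ACCEPT
iptables -A INPUT -s 39.134.200.0/24 -j ACCEPT
iptables -A INPUT -s 192.168.7.0/24 -j ACCEPT
iptables -A INPUT -s 112.44.102.224/27 -j ACCEPT
iptables -A INPUT -s 47.93.86.113/32 -j ACCEPT
iptables -A INPUT -p tcp -j REJECT
iptables -A INPUT -p udp -j REJECT

EOF

# Percent-encode the script so it can be embedded as a data: URL below.
# sys.stdin.read() is the whole-input form of ''.join(sys.stdin.readlines());
# the file is redirected to stdin instead of being piped through cat.
var_local=$(python3 -c "import sys, urllib.parse; print(urllib.parse.quote(sys.stdin.read()))" < ./wzh.script)

# MachineConfig for the master pool: installs the script (mode 0755 on the
# root filesystem) plus a oneshot unit that runs it after network.target.
# Applying a MachineConfig is expected to roll the change out with a reboot
# of each master in turn — plan the maintenance window accordingly.
cat <<EOF > 45-master-wzh-service.yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 45-master-wzh-service
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:text/plain,${var_local}
          verification: {}
        filesystem: root
        mode: 0755
        path: /etc/rc.d/wzh.local
    systemd:
      units:
      - name: wzh.service
        enabled: true
        contents: |
          [Unit]
          Description=/etc/rc.d/wzh.local Compatibility
          Documentation=zhengwan@redhat.com
          ConditionFileIsExecutable=/etc/rc.d/wzh.local
          After=network.target

          [Service]
          Type=oneshot
          User=root
          Group=root
          ExecStart=/bin/bash -c /etc/rc.d/wzh.local

          [Install]
          WantedBy=multi-user.target

EOF

# MachineConfig is cluster-scoped, so -n is accepted but has no effect.
oc apply -f 45-master-wzh-service.yaml -n openshift-config

# To undo: delete the same manifest that was applied (the earlier notes
# pointed at 45-wzh-service.yaml, a file this procedure never writes).
oc delete -f 45-master-wzh-service.yaml -n openshift-config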

for rhel with firewalld

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-setting_and_controlling_ip_sets_using_firewalld

https://unix.stackexchange.com/questions/159873/whitelist-source-ip-addresses-in-centos-7


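# Show the ipset types firewalld supports and the sets that already exist.
firewall-cmd --get-ipset-types
firewall-cmd --permanent --get-ipsets

# hash:net so the set can hold CIDR ranges as well as single hosts.
firewall-cmd --permanent --new-ipset=my-allow-list --type=hash:net
firewall-cmd --permanent --get-ipsets

# firewall-cmd --permanent --info-ipset=my-allow-list

# Allow-list of source networks, one CIDR per line.
cat > /root/ocp4/iplist.txt <<'EOL'
127.0.0.1/32
223.87.20.0/24
117.177.241.0/24
39.134.200.0/24
39.134.201.0/24
39.137.101.0/24
192.168.7.0/24
112.44.102.224/27
47.93.86.113/32
EOL

# The list was written to /root/ocp4, so pass that path explicitly instead of
# relying on the current directory being /root/ocp4.
firewall-cmd --permanent --ipset=my-allow-list --add-entries-from-file=/root/ocp4/iplist.txt

firewall-cmd --permanent --ipset=my-allow-list --get-entries

# Bind the set to the trusted zone and reload BEFORE the default zone becomes
# block, so a session coming from an allow-listed address survives the switch.
# Still run this from the console or from an allow-listed address.
firewall-cmd --permanent --zone=trusted --add-source=ipset:my-allow-list
firewall-cmd --reload

firewall-cmd --list-all

# firewall-cmd --permanent --zone=trusted --add-source=192.168.7.0/24
firewall-cmd --get-active-zones
# firewall-cmd --zone=block --change-interface=em1

# Everything not matched by the trusted sources now lands in the block zone,
# which rejects new incoming connections.
firewall-cmd --set-default-zone=block
firewall-cmd --runtime-to-permanent
firewall-cmd --reload

firewall-cmd --list-all-zones

firewall-cmd --get-default-zone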

for rhel with iptables

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-setting_and_controlling_ip_sets_using_iptables


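# secure for anti-scan
# Append the allow-list firewall to rc.local so it is rebuilt on every boot.
# NOTE: this appends; running this block twice leaves two copies in rc.local.
cat << 'EOF' >> /etc/rc.local

# -exist makes set creation and entry adds idempotent, so rc.local can be
# re-run (e.g. systemctl start rc-local) without ipset failing on an
# already existing set.
ipset -exist create my-allow-set hash:net
ipset -exist add my-allow-set 127.0.0.1/32
ipset -exist add my-allow-set 223.87.20.0/24
ipset -exist add my-allow-set 117.177.241.0/24
ipset -exist add my-allow-set 39.134.200.0/24
ipset -exist add my-allow-set 39.134.201.0/24
ipset -exist add my-allow-set 39.137.101.0/24
ipset -exist add my-allow-set 192.168.7.0/24
ipset -exist add my-allow-set 112.44.102.224/27
ipset -exist add my-allow-set 47.93.86.113/32

# Append a rule only if it is not already present, so a re-run does not stack
# duplicates. Order: established/related first, then the allow-list, then
# reject every other new tcp/udp connection (icmp is not rejected here).
add_rule() { iptables -C "$@" 2>/dev/null || iptables -A "$@"; }
add_rule INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
add_rule INPUT -m set --match-set my-allow-set src -j ACCEPT
add_rule INPUT -p tcp -j REJECT
add_rule INPUT -p udp -j REJECT

EOF

# /etc/rc.local is the symlink; the real file must be executable for
# rc-local.service to run it.
chmod +x /etc/rc.d/rc.local
systemctl enable rc-local

# systemctl start rc-local

ipset list

# Runtime-only additions: these live only until the next reboot. To keep
# them, add the same `ipset -exist add` lines to /etc/rc.local as well.
# 221.226.0.75
# 210.21.236.182
# 61.132.54.2
ipset -exist add my-allow-set 221.226.0.75/32
ipset -exist add my-allow-set 210.21.236.182/32
ipset -exist add my-allow-set 61.132.54.2/32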

other notes


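# https://bugzilla.redhat.com/show_bug.cgi?id=1723327
# https://access.redhat.com/solutions/4264181
# Remove /run/pivot/reboot-needed on the host filesystem behind every
# machine-config-daemon pod (see the two links for why). The go-template
# prints one pod name per line, so read them line by line instead of
# word-splitting an unquoted $(...), and quote the name passed to oc rsh.
oc get pods -n openshift-machine-config-operator -l k8s-app=machine-config-daemon \
  -o go-template --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}' \
  | while IFS= read -r pod; do
      [[ -n "$pod" ]] || continue
      oc rsh -n openshift-machine-config-operator "$pod" chroot /rootfs rm -rf /run/pivot/reboot-needed
    done

# On the node itself: go back to the previous ostree deployment and reboot.
rpm-ostree rollback --reboot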

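# Standalone copy of the unit that the MachineConfig above embeds: a oneshot
# service that runs /etc/rc.d/wzh.local after network.target, only when that
# file exists and is executable.
cat << 'EOF' > wzh.service
[Unit]
Description=/etc/rc.d/wzh.local Compatibility
Documentation=zhengwan@redhat.com
ConditionFileIsExecutable=/etc/rc.d/wzh.local
After=network.target

[Service]
Type=oneshot
User=root
Group=root
ExecStart=/bin/bash -c /etc/rc.d/wzh.local

[Install]
WantedBy=multi-user.target
EOF

# Percent-encode the unit for use in a data: URL (same approach as var_local);
# the file is redirected to stdin rather than piped through cat, and
# sys.stdin.read() replaces ''.join(sys.stdin.readlines()).
var_service=$(python3 -c "import sys, urllib.parse; print(urllib.parse.quote(sys.stdin.read()))" < ./wzh.service)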