Recently I wanted to run DC/OS on Packet, the bare metal cloud. However, the Terraform scripts do not setup any firewall rules. This leaves the cluster exposed to internet traffic. To fix this
I setup an IP whitelist to block undesirable external traffic. In this blog I will show you how this works using the
First let's create a small development DC/OS cluster. We will deploy this cluster on Packet, the bare metal cloud provider. In many cases Packet is cheaper with better performance than AWS and it offers bare-metal instances and a layer-3 network so it is an interesting option for running DC/OS on. To get started clone the repository with Terraform scripts for DC/OS on Packet and then follow the DC/OS Terraform documentation. I recommend creating a small cluster with a single master, a bootstrap node and a at least one agent.
The easiest way to protect the cluster is via an IP whitelist. This whitelist will be applied to all nodes in the cluster. This way we can create firewall rules that only allow traffic from your IP and the IPs of nodes in the cluster while logging and dropping other traffic from outside else. This setup should be good enough for a simple development cluster. On all instances create a whitelist that contains your laptop, workstation or company IP and the IPs of each node in the DC/OS cluster.
You are probably familiar with iptables but may not know ipset. ipset is like iptables part of netfilter subsystem in Linux and it support creating lists of IPs or networks also supports IPv6. For more information check the ipset website. Before you create the IP whitelist SSH into your cluster nodes using the following command. Note the private key for Packet and the core user because the cluster runs CoreOS.
ssh -i packet-key core@$IP
Now let's create an IP whitelist:
ipset create whitelist hash:ip
ipset add whitelist $IPto add an IP
Let's activate the whitelist with some remaining firewall rules. First, we will allow established and related connections. If you don't do this DC/OS won't be able to connect to the universe package repository. Second, let's log packets that are not in the whitelist and third, let's drop them. See the commands below.
ipset create whitelist hash:ip ipset list whitelist (out) Name: whitelist (out) Type: hash:ip (out) Revision: 4 (out) Header: family inet hashsize 1024 maxelem 65536 (out) Size in memory: 120 (out) References: 0 (out) Members: ipset add whitelist $YOUR_IP_HERE ipset add whitelist $MASTER_IP ipset add whitelist $AGENT1_IP ipset add whitelist $AGENT2_IP ipset add whitelist $AGENT3_IP ipset add whitelist 127.0.0.1 ipset add whitelist 198.51.100.1 ipset add whitelist 198.51.100.2 ipset add whitelist 198.51.100.3 ipset add whitelist 18.104.22.168 ipset add whitelist 22.214.171.124 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -m set ! --match-set whitelist src -j LOG iptables -A INPUT -m set ! --match-set whitelist src -j DROP
Great! The cluster is ready and shielded from external internet traffic.
We described a simple way to manually setup a firewall for a small development DC/OS cluster on Packet. An obvious improvement would be to make these rules persistent and to automate this process by using tools like Ansible or Nix or to install firewall management software.
Container Solutions offers Cloud Native Training Courses such as Kubernetes 101, Continuous Delivery with Docker, Container & Microservice Security, Monitoring with Prometheus and our 2-day From Zero to Hero Workshop. We also offer a month-long Cloud Native Bootcamp. The bootcamp will cover Linux Basics, Agile and TDD, containers, orchestrators and Design Thinking courses. The final week of the bootcamp consists of a Hackathon where you will build a Cloud Native application with your team. To learn more check out our training courses website.