I had the necessity to firewall some VMs after installing a cluster of the awesome CockroachDB, since I couldn’t find out how to password protect the admin interface.
The idea is to drop all connections by default from all machines not in the cluster pool, while allowing unrestricted communication between machines within the pool from any port.
The script, found here, isn't actually that complicated, and since I'm not an expert I might have missed something, but it does include many of the little details that non-professional sysadmins like me tend to miss:
- ipv6 icmp rules
- outgoing dns rules
- ipv4/ipv6 passthrough rules
- a proper "reset all" option
The configuration is really simple and tuned toward making it easy to add or remove machines from the pool on each of them, without maintaining dozens of lines for every input/output/protocol tuple, i.e.

```
#allow input/output communication through port 80
ALLOW 80
ALLOW 443
#allow all communication from the specific host
HOST 192.0.2.23
#same but for ipv6 addresses
HOST6 2001:DB8::4860:3242
```
Hope you find this useful! It’s already in init.d format. Please do tell if you see any improvement/suggestion to make it more robust/secure!
A word of warning: do not use this with Docker! The reset option will nuke its port forwarding rules.
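As an added illustration of how such a config format maps onto rules (this is not the author's script), here is a small POSIX shell reader for the ALLOW / HOST / HOST6 keywords described above. It prints every iptables/ip6tables command it would run and only executes them when APPLY=1 is set, so the result can be reviewed as a dry run first. It assumes the iptables CLI with the conntrack match, and it treats ALLOW ports as TCP; both are assumptions, not facts stated on the page. The reset function also flushes the nat table, which is exactly the behaviour the Docker warning refers to.

```shell
#!/bin/sh
# Added example (not the author's script): a minimal reader for the
# ALLOW / HOST / HOST6 config format. Prints each firewall command and
# executes it only when APPLY=1, so it can be reviewed as a dry run.
# Assumes the iptables CLI and the conntrack match are available.

IPT="${IPT:-iptables}"
IP6T="${IP6T:-ip6tables}"

# Print the command; execute it only when APPLY=1.
run() {
    echo "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# "Reset all": flush filter and nat, drop user chains, policies back to ACCEPT.
# Flushing nat is what removes Docker's port-forwarding rules.
reset_all() {
    for t in "$IPT" "$IP6T"; do
        run "$t" -F
        run "$t" -X
        run "$t" -t nat -F
        run "$t" -P INPUT ACCEPT
        run "$t" -P FORWARD ACCEPT
        run "$t" -P OUTPUT ACCEPT
    done
}

# Baseline: default drop in both directions, then loopback, established flows,
# outgoing DNS, and ICMP/ICMPv6 (path MTU discovery and neighbour discovery).
baseline() {
    for t in "$IPT" "$IP6T"; do
        run "$t" -P INPUT DROP
        run "$t" -P FORWARD DROP
        run "$t" -P OUTPUT DROP
        run "$t" -A INPUT -i lo -j ACCEPT
        run "$t" -A OUTPUT -o lo -j ACCEPT
        run "$t" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        run "$t" -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        run "$t" -A OUTPUT -p udp --dport 53 -j ACCEPT
        run "$t" -A OUTPUT -p tcp --dport 53 -j ACCEPT
    done
    run "$IPT" -A INPUT -p icmp -j ACCEPT
    run "$IPT" -A OUTPUT -p icmp -j ACCEPT
    run "$IP6T" -A INPUT -p ipv6-icmp -j ACCEPT
    run "$IP6T" -A OUTPUT -p ipv6-icmp -j ACCEPT
}

# Translate one config line into rules. An unknown keyword is reported and
# fails the run instead of being silently skipped. ALLOW is assumed to mean TCP.
rule_for_line() {
    set -- $1                 # split "KEYWORD VALUE" on whitespace
    case "$1" in
        ''|'#'*) ;;           # blank line or comment
        ALLOW)
            for t in "$IPT" "$IP6T"; do
                run "$t" -A INPUT -p tcp --dport "$2" -j ACCEPT
                run "$t" -A OUTPUT -p tcp --dport "$2" -j ACCEPT
            done ;;
        HOST)
            run "$IPT" -A INPUT -s "$2" -j ACCEPT
            run "$IPT" -A OUTPUT -d "$2" -j ACCEPT ;;
        HOST6)
            run "$IP6T" -A INPUT -s "$2" -j ACCEPT
            run "$IP6T" -A OUTPUT -d "$2" -j ACCEPT ;;
        *)  echo "unknown keyword: $1" >&2; return 1 ;;
    esac
}

# Apply a config file: reset, baseline, then one rule set per line.
apply_config() {
    reset_all
    baseline
    while IFS= read -r line || [ -n "$line" ]; do
        rule_for_line "$line" || return 1
    done < "$1"
}

# Usage:  ./firewall.sh start config.txt          (dry run, prints commands)
#         APPLY=1 ./firewall.sh start config.txt  (applies them)
#         APPLY=1 ./firewall.sh reset
case "$1" in
    start) apply_config "$2" ;;
    reset) reset_all ;;
esac
```

Because the policy is DROP in both directions, every ALLOW entry opens the port for inbound and outbound traffic, and a HOST entry whitelists the peer in both directions, which is what "unrestricted communication within the pool" needs. Keeping the conntrack rule ahead of the per-port rules means return traffic for allowed connections is accepted without a matching rule of its own.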