
I've a Kubernetes cluster with IPs:

  • 10.10.10.1 (Master)
  • 10.10.10.2 (Slave)

and I've a remote server with nginx with IP 12.12.12.12.

Right now I've configured a nodePort (31000) to allow access on a resource from my cluster.

So if I try to download the content from: 10.10.10.1:31000, I manage to download the file.

So what I want to do is to allow this download only from IP 12.12.12.12 (my nginx server).

I think that a NetworkPolicy cannot do the job because it's an external server (outside the cluster):

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: allow-specific-ip-nodeport
    spec:
      podSelector: {}
      policyTypes:
        - Ingress
      ingress:
        - from:
            - ipBlock:
                cidr: 12.12.12.12/32
          ports:
            - protocol: TCP
              port: 31000

So I tried with iptables on master and slave, but the traffic continues to be allowed from everywhere:

    sudo iptables -A INPUT -p tcp --dport 31000 -s 12.12.12.12 -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 31000 -j DROP

Any idea?

My goal is to block traffic from everywhere on port 31000 except from my nginx server outside the cluster.

1 Answer


For iptables, order matters. You build chains of rules that are checked in order to accept or reject a packet.

You have added (iptables -A) as the final rule the rejection of all packets going to port 31000, with the penultimate rule being the exception for the source address 12.12.12.12. If these rules were the first in the chain, all packets to port 31000 not coming from 12.12.12.12 would be rejected, but they are not (I suggest checking this by listing the rules of the INPUT chain).

In any case, if what you want is to reject all traffic to port 31000 that does not come from 12.12.12.12, you could try using the -I option instead of -A (it adds rules in the desired place, which by default is the beginning of the chain):

    iptables -I INPUT -p tcp --dport 31000 ! -s 12.12.12.12 -j DROP

Here, the rejection of everything going to port 31000 not coming from 12.12.12.12 is inserted as the first rule. If you don't want it to be the first rule, you could put the rule number to the right of 'INPUT'. The rest of the chain will decide what to do with the packets to port 31000 from 12.12.12.12 (I don't think it's a great idea to accept them outright as the second rule).

  • Maybe it needs a little more adjustment: the rule in your answer will block the connections redirected by ipvs from a service or ingress, and this is the difficulty of setting this kind of iptables rule for k8s from my viewpoint. Commented Nov 25, 2023 at 4:02
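The answer's point is that netfilter walks a chain top to bottom and the first matching terminating rule wins, so an appended DROP never fires if an earlier rule already ACCEPTs the packet. The following is an added example, not code from the question, the answer, or Kubernetes: a small first-match model of an INPUT chain that compares the asker's `-A` commands with the answer's `-I ... ! -s 12.12.12.12 -j DROP`. The pre-existing ACCEPT rule standing in for rules kube-proxy had already placed in the chain is an assumption made for the demonstration, as are the sample source addresses.

```python
"""First-match evaluation of an iptables-style chain (added illustration).

This is an added example and not code from the question or the answer.
It models how netfilter walks a chain: rules are checked in order and the
first matching rule with a terminating target (ACCEPT/DROP) decides the
packet's fate. The point shown is why `iptables -A` (append) can fail to
block NodePort traffic when an earlier rule already accepts it, while
`iptables -I` (insert at the top) takes effect first.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    target: str                  # "ACCEPT" or "DROP"
    proto: Optional[str] = None  # e.g. "tcp"; None matches any protocol
    dport: Optional[int] = None  # destination port; None matches any port
    src: Optional[str] = None    # source address; None matches any source
    src_negated: bool = False    # True models "! -s <addr>"

    def matches(self, proto: str, dport: int, src: str) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        if self.src is not None:
            hit = self.src == src
            if self.src_negated:
                hit = not hit
            if not hit:
                return False
        return True


def evaluate(chain: List[Rule], proto: str, dport: int, src: str,
             policy: str = "ACCEPT") -> str:
    """Walk the chain top to bottom; first match wins, else the chain policy."""
    for rule in chain:
        if rule.matches(proto, dport, src):
            return rule.target
    return policy


# Constructed stand-in (assumption) for a rule that was already in INPUT
# before the asker ran their commands, e.g. one installed by kube-proxy.
PRE_EXISTING = [Rule(target="ACCEPT", proto="tcp", dport=31000)]


def appended_chain() -> List[Rule]:
    """The asker's commands: `-A` appends, so both rules land after the ACCEPT."""
    chain = list(PRE_EXISTING)
    chain.append(Rule(target="ACCEPT", proto="tcp", dport=31000, src="12.12.12.12"))
    chain.append(Rule(target="DROP", proto="tcp", dport=31000))
    return chain


def inserted_chain() -> List[Rule]:
    """The answer's command: `-I INPUT ... ! -s 12.12.12.12 -j DROP` goes to position 1."""
    chain = list(PRE_EXISTING)
    chain.insert(0, Rule(target="DROP", proto="tcp", dport=31000,
                         src="12.12.12.12", src_negated=True))
    return chain


def verdicts(chain: List[Rule]) -> Dict[str, str]:
    """Verdicts for three constructed packets: nginx, a stranger, and unrelated SSH."""
    return {
        "nginx": evaluate(chain, "tcp", 31000, "12.12.12.12"),
        "stranger": evaluate(chain, "tcp", 31000, "198.51.100.7"),
        "ssh_from_stranger": evaluate(chain, "tcp", 22, "198.51.100.7"),
    }


if __name__ == "__main__":
    print("with -A (append):", verdicts(appended_chain()))
    print("with -I (insert):", verdicts(inserted_chain()))
```

With the appended rules the stranger is still accepted, because the earlier ACCEPT matches first and the DROP is never reached; with the inserted rule the stranger is dropped, nginx falls through to the rest of the chain, and unrelated traffic such as SSH is untouched. On a real node, confirm the position your rule actually landed in with `sudo iptables -L INPUT -n --line-numbers`. One caveat the comment above hints at: kube-proxy rewrites NodePort traffic (DNAT in the nat table's PREROUTING chain) before the filter table's INPUT chain is consulted, so a filter rule matching `--dport 31000` may not see the packet with its original port at all; inspecting `sudo iptables -t nat -L PREROUTING -n` alongside INPUT shows what the packet looks like at each stage.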
