[Firehol-support] CoreOS and Firehol

Rudi ooly.me at gmail.com
Thu Aug 20 07:45:24 BST 2015


Thanks for the replies.

Yep will have to use the CoreOS forums direct to get more details I think.

I do know that Iptables runs outside containers and that the cloud config
can run iptables commands on boot. Here's a sample of how that's done.

#cloud-config coreos: units: - name: iptables-restore.service enable: true
write_files: - path: /var/lib/iptables/rules-save permissions: 0644 owner:
root:root content: | *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT
ACCEPT [0:0] -A INPUT -i lo -j ACCEPT -A INPUT -i eth1 -j ACCEPT -A INPUT
-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m tcp
--dport 22 -j ACCEPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT
-p tcp -m tcp --dport 443 -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type 0
-j ACCEPT -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT -A INPUT -p icmp
-m icmp --icmp-type 11 -j ACCEPT COMMIT

As we are aware Firehol is our preferred way to run iptables rules, how
that's going to fit into CoreOS's model is a  little more tricky.

There's no package manager so you can't "install" firehol and run a script.

Might need to have a basic Iptables config then have a configuration
management tool like Chef/Puppet etc copy in the firehol scripts and run

If it all works out, it'll be worth a blog post - keep you posted.


More information about the Firehol-support mailing list