[atomic-devel] Atomic ISO has bad default IPtables
- From: Josh Berkus <jberkus redhat com>
- To: "atomic-devel projectatomic io" <atomic-devel projectatomic io>
- Subject: [atomic-devel] Atomic ISO has bad default IPtables
- Date: Wed, 22 Jun 2016 16:21:15 -0700
Folks,
Bringing this to atomic-devel because I'm not sure that it isn't an
issue with CentOS Atomic ISOs as well. Also, I'm not quite sure where
the rule is coming from.
Currently, the Fedora Atomic ISOs come with an iptables setup which
includes a reject-by-default rule, which results in making it impossible
to expose any services through Kubernetes.
Chain INPUT (policy ACCEPT)
target     prot opt source     destination
ACCEPT     udp  --  anywhere   anywhere     udp dpt:otv /* vxlan */
ACCEPT     all  --  anywhere   anywhere     /* kube-proxy redirects */
...
REJECT     all  --  anywhere   anywhere     reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source     destination
ACCEPT     all  --  anywhere   anywhere     /* flannel subnet */
ACCEPT     all  --  anywhere   anywhere     /* flannel subnet */
...
REJECT     all  --  anywhere   anywhere     reject-with icmp-host-prohibited
This creates a terrible out-of-box experience for setting up a new
bare-metal cluster with Atomic, especially as most admins are not adept
at reading iptables (it required the help of Tim Wright to figure out
that this was the issue).
Where's the best place to fix this?
--
Josh Berkus
Project Atomic
Red Hat OSAS
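The trailing catch-all REJECT is the kind of rule that is easy to miss in "iptables -L" output. The script below is an added example, not code from this message, from Fedora/CentOS Atomic or from Project Atomic: it reads iptables-save format (which is far easier to parse than the -L listing), lists every chain that ends in an unconditional REJECT or DROP, and walks a chain first-match style to report the verdict a new inbound TCP connection to a given port would get. The sample ruleset is constructed to mirror the chains quoted above; its addresses, port numbers (8472 for the vxlan rule, 30000-32767 as the Kubernetes NodePort range) and the "accept the NodePort range before the REJECT" fix are assumptions for illustration, not the resolution the thread reached.

```sh
#!/bin/sh
# Added example, not from the message or the Atomic images.
# Detect catch-all REJECT/DROP rules in an iptables filter table and simulate
# the verdict a NEW inbound TCP connection would receive on a chain.
# Input format: iptables-save (also produced by "iptables -S" per chain).

# Constructed ruleset modelled on the chains quoted in the message.
# Addresses, ports and comments are assumptions, not a dump from a real host.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 8472 -m comment --comment "vxlan" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -s 10.244.0.0/16 -m comment --comment "flannel subnet" -j ACCEPT
-A FORWARD -d 10.244.0.0/16 -m comment --comment "flannel subnet" -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# One possible fix (an assumption, not what the thread decided): accept the
# default Kubernetes NodePort range ahead of the catch-all REJECT on INPUT.
FIXED_RULES=$(printf '%s\n' "$SAMPLE_RULES" | awk '
    /^-A INPUT -j REJECT/ {
        print "-A INPUT -p tcp -m tcp --dport 30000:32767 -m comment --comment \"k8s nodeports\" -j ACCEPT"
    }
    { print }')

# Remove "-m comment --comment ..." so a comment-only rule reads as unconditional.
strip_comments() {
    sed -E 's/ -m comment --comment ("[^"]*"|[^ ]+)//'
}

# Print each chain holding a rule of the form "-A CHAIN -j REJECT|DROP ...",
# i.e. a reject/drop with no match options at all. Reads rules on stdin.
catchall_reject_chains() {
    strip_comments | awk '
        $1 == "-A" && $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") && !seen[$2]++ { print $2 }'
}

# Usage: tcp_port_verdict CHAIN PORT < rules
# First-match walk of CHAIN for a NEW TCP connection to PORT from an arbitrary
# remote host. Only -p, --dport, -m tcp/state/conntrack and --state/--ctstate
# are evaluated; a rule carrying any other qualifier (-s, -d, -i, -o, -m mark,
# ...) is assumed NOT to match, the conservative reading for traffic arriving
# from outside the cluster. Prints the matching target, else the chain policy.
tcp_port_verdict() {
    strip_comments | awk -v chain="$1" -v port="$2" '
        BEGIN { p = port + 0; verdict = ""; policy = "" }
        $1 == (":" chain) { policy = $2 }
        verdict == "" && $1 == "-A" && $2 == chain {
            ok = 1; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") { target = $(i + 1); i++ }
                else if ($i == "-p") { if ($(i + 1) != "tcp") ok = 0; i++ }
                else if ($i == "--dport") {
                    n = split($(i + 1), r, ":")
                    lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
                    if (p < lo || p > hi) ok = 0
                    i++
                }
                else if ($i == "-m") {
                    m = $(i + 1); i++
                    if (m != "tcp" && m != "state" && m != "conntrack") ok = 0
                }
                else if ($i == "--state" || $i == "--ctstate") {
                    if (index($(i + 1), "NEW") == 0) ok = 0
                    i++
                }
                else if ($i == "--reject-with") { i++ }
                else { ok = 0 }
            }
            if (ok && target != "") verdict = target
        }
        END { out = (verdict != "") ? verdict : policy; print out }'
}

# Report on the constructed rulesets: a NodePort is rejected before the fix
# and accepted after it, while ssh is accepted either way.
printf 'chains with a catch-all reject: %s\n' \
    "$(printf '%s\n' "$SAMPLE_RULES" | catchall_reject_chains | tr '\n' ' ')"
for chain in INPUT FORWARD; do
    printf '%s, tcp/30080, before fix: %s\n' "$chain" \
        "$(printf '%s\n' "$SAMPLE_RULES" | tcp_port_verdict "$chain" 30080)"
done
printf 'INPUT, tcp/30080, after fix: %s\n' \
    "$(printf '%s\n' "$FIXED_RULES" | tcp_port_verdict INPUT 30080)"
```

On a real host, feed it the live table with "iptables-save | tcp_port_verdict INPUT 30080" (or "iptables -S INPUT"); the simulator deliberately treats source, destination and interface qualifiers as non-matching, so an ACCEPT it reports is one that holds for any remote client, while a REJECT may still be preceded by a narrower accept for specific sources.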