The iptables Policy

This topic describes the custom iptables policy that EFA builds to firewall off services.

As a core component of EFA, Kubernetes uses iptables to control the network connections between pods (and between nodes) and implements many of its own networking and port-forwarding rules with it. On top of that, EFA builds a custom iptables policy to firewall off services (such as the MySQL database) on the EFA management interface. The EFA iptables policy is instantiated by default at installation time and is re-applied at every boot by the efa-iptables systemd service.

To see the status of the EFA iptables policy, in addition to the policy itself, run the following commands:
$ ssh -l extreme 192.168.10.109
Password:
extreme@tpvm:~$ sudo su -
root@tpvm:~#
root@tpvm:~# systemctl status efa-iptables
   efa-iptables.service - iptables rules for EFA
   Loaded: loaded (/lib/systemd/system/efa-iptables.service; enabled; vendor preset: enabled)
   Active: active (exited) since Fri 2020-10-09 20:48:03 UTC; 1 day 17h ago
 Main PID: 19384 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4638)
   CGroup: /system.slice/efa-iptables.service

Oct 09 20:48:03 tpvm systemd[1]: Starting iptables rules for EFA...
Oct 09 20:48:03 tpvm systemd[1]: Started iptables rules for EFA.
root@tpvm:~# iptables -v -nL EFA_INPUT
Chain EFA_INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport dports 1024:6513,6515:8077,8079:65535 ctstate NEW
    0     0 DROP       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport dports 1024:65535 ctstate NEW
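
The following script is an added example, not part of EFA or its installer, that turns the two rules above into a per-port verdict. It assumes the rules in `iptables -S` form (the same chain printed with `iptables -S EFA_INPUT`) and an eth0 management interface; the embedded rule set is transcribed from the listing above rather than captured from a live node. When run as root on a node that has the chain it reads the live chain instead.

```shell
#!/bin/sh
# Added example, not part of EFA: work out which management-interface ports the
# EFA_INPUT DROP rules cover, from a live chain or from the rules shown above.
# Assumes the `iptables -S` rule syntax and an eth0 management interface.

# port_in_ranges PORT RANGES
# RANGES is an iptables multiport list such as "1024:6513,6515:8077,8079:65535".
# Returns 0 if PORT lies inside one of the ranges, 1 otherwise.
port_in_ranges() {
    port=$1
    old_ifs=$IFS
    IFS=,
    for r in $2; do
        case $r in
            *:*) lo=${r%%:*}; hi=${r#*:} ;;   # "lo:hi" range
            *)   lo=$r;       hi=$r ;;        # single port
        esac
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            IFS=$old_ifs
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# tcp_drop_ranges RULES [IFACE]
# RULES is `iptables -S EFA_INPUT` output. Prints the --dports list of the TCP
# DROP rule for connections arriving on IFACE (default eth0), or nothing.
tcp_drop_ranges() {
    iface=${2:-eth0}
    printf '%s\n' "$1" |
        sed -n "s/^-A EFA_INPUT -i $iface -p tcp .*--dports \([0-9:,]*\) .*-j DROP\$/\1/p"
}

# tcp_port_blocked PORT RULES [IFACE]
# Returns 0 if a new TCP connection to PORT on IFACE would be dropped.
tcp_port_blocked() {
    ranges=$(tcp_drop_ranges "$2" "${3:-eth0}")
    [ -n "$ranges" ] && port_in_ranges "$1" "$ranges"
}

# Constructed sample in `iptables -S` form, transcribed from the chain listing
# above; it is not captured from a live EFA node.
SAMPLE_RULES='-N EFA_INPUT
-A EFA_INPUT -i eth0 -p tcp -m multiport --dports 1024:6513,6515:8077,8079:65535 -m conntrack --ctstate NEW -j DROP
-A EFA_INPUT -i eth0 -p udp -m multiport --dports 1024:65535 -m conntrack --ctstate NEW -j DROP'

# report RULES: one verdict per port of interest (a privileged port, the
# MySQL port, the two ports the ranges skip, and the NodePort-range ports).
report() {
    for p in 22 111 3306 6514 8078 30148 30672 31672 31730; do
        if tcp_port_blocked "$p" "$1"; then v="DROP (new TCP on eth0)"; else v="not covered"; fi
        printf '%-6s %s\n' "$p" "$v"
    done
}

# Use the live chain when running as root on a node that has it, else the sample.
if [ "$(id -u)" = 0 ] && iptables -S EFA_INPUT >/dev/null 2>&1; then
    RULES=$(iptables -S EFA_INPUT)
else
    RULES=$SAMPLE_RULES
fi
report "$RULES"
```

The report shows that TCP 6514 and 8078 are the only unprivileged ports the policy leaves reachable on eth0, and that nothing below 1024 is touched by either rule, so a review of what the policy protects should start with whatever listens on those ports and on the privileged range.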

Both rules match only new connections (ctstate NEW) arriving on the management interface (eth0); established flows and traffic on other interfaces are not affected. For TCP, every unprivileged port (1024 and above) is dropped except 6514 and 8078, which the ranges deliberately skip; for UDP the entire unprivileged range is dropped. Ports below 1024 are not covered by either rule. With the iptables policy active, it should therefore not be possible to connect to the MySQL database on TCP port 3306 on the management interface from an external host, since 3306 falls inside 1024:6513. Use Nmap to verify that port 3306 has, indeed, been firewalled off. A state of filtered means the probe got no reply at all, which is what a DROP rule produces; closed would mean the firewall passed the probe and the host answered with a reset:

# nmap -n -p 3306 -sV 192.168.10.109

Starting Nmap 7.60 ( https://nmap.org ) at 2020-10-11 14:42 UTC
Nmap scan report for 192.168.10.109
Host is up (0.0039s latency).

PORT     STATE  SERVICE VERSION
3306/tcp filtered mysql

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.81 seconds

Currently visible services include the following:

Forthcoming releases will further tighten the iptables policy so that even Kubernetes services are not visible over the network on the EFA management interface. At a minimum, ports 111 (both TCP and UDP), 30148, 30672 (RabbitMQ), 31672 (RabbitMQ), and 31730 will be firewalled off by default. Note that the EFA_INPUT ranges above already cover the four high ports, which lie in the default Kubernetes NodePort range (30000-32767). They remain reachable because kube-proxy handles NodePort traffic with a DNAT rule in the nat table's PREROUTING chain, which runs before the filter INPUT chain, so those packets are forwarded to a pod instead of being delivered locally and never reach EFA_INPUT. Port 111 (rpcbind) is below 1024 and is outside the current ranges altogether.
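
The following script is an added example, not part of EFA, that extends the single-port Nmap check above to the full list of ports the policy is meant to block and flags any that are not filtered. It assumes Nmap's grepable output format (-oG) and that the scan runs from a host other than the EFA node; the embedded scan result is constructed for illustration, not captured from a real system. Only TCP is scanned here; checking UDP 111 needs `-sU`, which requires root.

```shell
#!/bin/sh
# Added example, not part of EFA: scan the management address for the ports the
# policy is meant to block and flag any that are not "filtered". Assumes nmap's
# grepable output format (-oG) and that the scan is run from another host.

# unfiltered_ports SCAN
# SCAN is `nmap -oG -` output. Prints "port/proto state" for every scanned
# port whose state is not "filtered": open and closed both mean the firewall
# let the probe reach the host.
unfiltered_ports() {
    printf '%s\n' "$1" |
        awk -F '\t' '/^Host: .*Ports: / {
            for (i = 1; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                sub(/^Ports: /, "", $i)
                n = split($i, entry, /, */)
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")   # port/state/proto/owner/service/...
                    if (f[2] != "filtered") print f[1] "/" f[3], f[2]
                }
            }
        }'
}

# check_blocked SCAN PORT...
# Returns 0 if every listed TCP port is filtered in SCAN; otherwise prints the
# offenders and returns 1.
check_blocked() {
    scan=$1; shift
    rc=0
    for p in "$@"; do
        if unfiltered_ports "$scan" | grep -q "^$p/tcp "; then
            echo "NOT filtered: $p/tcp"
            rc=1
        fi
    done
    return $rc
}

# scan_management HOST [PORTS]: live TCP scan in grepable form.
# -n: no DNS; -Pn: skip host discovery so a firewalled host is still scanned.
scan_management() {
    nmap -n -Pn -p "${2:-111,3306,6514,30148,30672,31672,31730}" -oG - "$1"
}

# Constructed sample of grepable output (not a real capture): 3306 filtered,
# 6514 passed by the firewall but with nothing listening, the rest open.
host='Host: 192.168.10.109 ()'
SAMPLE_SCAN=$(
    printf '%s\tStatus: Up\n' "$host"
    printf '%s\tPorts: %s\n' "$host" \
        '111/open/tcp//rpcbind///, 3306/filtered/tcp//mysql///, 6514/closed/tcp//syslog-tls///, 30148/open/tcp//unknown///, 30672/open/tcp//amqp///, 31672/open/tcp//unknown///, 31730/open/tcp//unknown///'
)

# With a host argument, scan it; otherwise analyse the constructed sample.
if [ $# -gt 0 ]; then
    SCAN=$(scan_management "$1")
else
    SCAN=$SAMPLE_SCAN
fi
echo "Ports the firewall let through (not filtered):"
unfiltered_ports "$SCAN"
check_blocked "$SCAN" 3306 || echo "policy gap: a port that should be dropped answered"
```

Run it as `sh scan.sh 192.168.10.109` from a host on the management network. Treating closed as a finding, not just open, is deliberate: a closed port proves the DROP rule is not in front of it, which matters as soon as something starts listening there.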