As a core component of EFA, Kubernetes uses iptables to control the network connections between pods (and between nodes), handling many of the networking and port-forwarding rules. EFA builds a custom iptables policy to firewall off services (such as the MySQL database) on the EFA management interface. The EFA iptables policy is instantiated by default at installation time and is enabled at boot through the efa-iptables systemd service.
$ ssh -l extreme 192.168.10.109
Password:
extreme@tpvm:~$ sudo su -
root@tpvm:~#
root@tpvm:~# systemctl status efa-iptables
efa-iptables.service - iptables rules for EFA
   Loaded: loaded (/lib/systemd/system/efa-iptables.service; enabled; vendor preset: enabled)
   Active: active (exited) since Fri 2020-10-09 20:48:03 UTC; 1 day 17h ago
 Main PID: 19384 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4638)
   CGroup: /system.slice/efa-iptables.service

Oct 09 20:48:03 tpvm systemd[1]: Starting iptables rules for EFA...
Oct 09 20:48:03 tpvm systemd[1]: Started iptables rules for EFA.
root@tpvm:~# iptables -v -nL EFA_INPUT
Chain EFA_INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport dports 1024:6513,6515:8077,8079:65535 ctstate NEW
    0     0 DROP       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport dports 1024:65535 ctstate NEW
With the iptables policy active, it should not be possible to connect to the MySQL database on TCP port 3306 on the management interface from an external host. Use Nmap to verify that port 3306 has been firewalled off:
# nmap -n -p 3306 -sV 192.168.10.109
Starting Nmap 7.60 ( https://nmap.org ) at 2020-10-11 14:42 UTC
Nmap scan report for 192.168.10.109
Host is up (0.0039s latency).

PORT     STATE    SERVICE VERSION
3306/tcp filtered mysql

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.81 seconds
Host is up (0.23s latency).
Not shown: 64511 filtered ports, 1018 closed ports
PORT     STATE SERVICE        VERSION
22/tcp   open  ssh            OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http           Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
443/tcp  open  ssl/https
514/tcp  open  shell?
6514/tcp open  ssl/syslog-tls?
8078/tcp open  ssl/http       Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
Host is up (0.0020s latency).
Not shown: 65515 closed ports
PORT      STATE SERVICE        VERSION
22/tcp    open  ssh            OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http           Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
111/tcp   open  rpcbind        2-4 (RPC #100000)
443/tcp   open  ssl/https
514/tcp   open  shell?
3306/tcp  open  mysql?
4567/tcp  open  tram?
6514/tcp  open  ssl/syslog-tls?
8078/tcp  open  ssl/http       Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
8079/tcp  open  ssl/http       Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
8080/tcp  open  ssl/http       Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
8088/tcp  open  http           Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
8091/tcp  open  http           Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
8092/tcp  open  http           Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
10250/tcp open  ssl/http       Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
24007/tcp open  rpcbind
49152/tcp open  rpcbind
49153/tcp open  rpcbind
49154/tcp open  rpcbind
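To audit the policy without re-scanning, the EFA_INPUT listing above can be parsed into its dropped port ranges and compared against the TCP ports that were open when the policy was off. This is an added example, not EFA's own tooling; the sample rule listing and the open-port list are constructed from the output shown on this page.

```python
"""Parse the EFA_INPUT drop rules and report which listening ports they leave reachable."""
import re

# Constructed sample: the `iptables -v -nL EFA_INPUT` listing from this page.
EFA_INPUT_LISTING = """\
Chain EFA_INPUT (1 references)
 pkts bytes target prot opt in out source destination
    0     0 DROP tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 multiport dports 1024:6513,6515:8077,8079:65535 ctstate NEW
    0     0 DROP udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 multiport dports 1024:65535 ctstate NEW
"""

# Constructed sample: TCP ports reported open in the scan taken with the policy disabled.
OPEN_WITHOUT_POLICY = [22, 80, 111, 443, 514, 3306, 4567, 6514, 8078, 8079,
                       8080, 8088, 8091, 8092, 10250, 24007, 49152, 49153, 49154]

# One DROP rule: counters, proto, "--", in-interface, out-interface, ..., multiport dports <spec>
RULE_RE = re.compile(
    r"^\s*\d+\s+\d+\s+DROP\s+(tcp|udp)\s+--\s+(\S+)\s+\S+.*?multiport dports (\S+)")


def parse_drop_rules(listing, iface="eth0"):
    """Return {proto: [(lo, hi), ...]} of destination ports dropped on `iface`."""
    rules = {}
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m or m.group(2) != iface:
            continue
        proto, _, spec = m.groups()
        for item in spec.split(","):          # "1024:6513" or a single port "3306"
            lo, _, hi = item.partition(":")
            rules.setdefault(proto, []).append((int(lo), int(hi or lo)))
    return rules


def is_dropped(rules, proto, port):
    """True if a NEW connection to proto/port would hit one of the DROP ranges."""
    return any(lo <= port <= hi for lo, hi in rules.get(proto, []))


def exposed_ports(rules, open_ports, proto="tcp"):
    """Ports open on the unfirewalled host that the policy still lets through."""
    return sorted(p for p in open_ports if not is_dropped(rules, proto, p))


if __name__ == "__main__":
    policy = parse_drop_rules(EFA_INPUT_LISTING)
    print("reachable with policy active:", exposed_ports(policy, OPEN_WITHOUT_POLICY))
```

The result (22, 80, 111, 443, 514, 6514, 8078) matches the filtered scan above, apart from 111, which the rule does not cover because it only spans 1024 and up; anything below that port is reachable whenever a service is listening on it.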