The iptables Policy

As a core component of EFA, Kubernetes uses iptables to control the network connections between pods (and between nodes), handling many of the networking and port forwarding rules. EFA builds a custom iptables policy to firewall off services (such as the MySQL database) on the EFA management interface. The EFA iptables policy is instantiated by default at installation time and is enabled at boot, through the system service.

To see the status of the EFA iptables policy, in addition to the policy itself, run the following commands:
$ ssh -l extreme 192.168.10.109
Password:
extreme@tpvm:~$ sudo su -
root@tpvm:~#
root@tpvm:~# systemctl status efa-iptables
   efa-iptables.service - iptables rules for EFA
   Loaded: loaded (/lib/systemd/system/efa-iptables.service; enabled; vendor preset: enabled)
   Active: active (exited) since Fri 2020-10-09 20:48:03 UTC; 1 day 17h ago
 Main PID: 19384 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4638)
   CGroup: /system.slice/efa-iptables.service

Oct 09 20:48:03 tpvm systemd[1]: Starting iptables rules for EFA...
Oct 09 20:48:03 tpvm systemd[1]: Started iptables rules for EFA.
root@tpvm:~# iptables -v -nL EFA_INPUT
Chain EFA_INPUT (1 references)
 pkts bytes target     prot opt in     out     source         destination
    0     0 DROP       tcp  --  eth0   *       0.0.0.0/0      0.0.0.0/0       multiport dports 1024:6513,6515:8077,8079:65535 ctstate NEW
    0     0 DROP       udp  --  eth0   *       0.0.0.0/0      0.0.0.0/0       multiport dports 1024:65535 ctstate NEW

With the iptables policy active, it should not be possible to connect to the MySQL database on TCP port 3306 on the management interface from an external host. Use Nmap to verify that port 3306 has been firewalled off:

# nmap -n -p 3306 -sV 192.168.10.109

Starting Nmap 7.60 ( https://nmap.org ) at 2020-10-11 14:42 UTC
Nmap scan report for 192.168.10.109
Host is up (0.0039s latency).

PORT     STATE  SERVICE VERSION
3306/tcp filtered mysql

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.81 seconds
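
As an added example (not part of the EFA documentation or product), the following Python script parses the `iptables -v -nL EFA_INPUT` listing shown above and reports whether a NEW connection to a given port on the management interface would be dropped, which gives an offline cross-check of the rule set before running Nmap; the embedded sample listing is a copy of the chain above and the interface name eth0 is taken from it.

```python
import re

# Constructed sample: the EFA_INPUT chain listed above, exactly as `iptables -v -nL` prints it.
SAMPLE_EFA_INPUT = """\
Chain EFA_INPUT (1 references)
 pkts bytes target     prot opt in     out     source         destination
    0     0 DROP       tcp  --  eth0   *       0.0.0.0/0      0.0.0.0/0       multiport dports 1024:6513,6515:8077,8079:65535 ctstate NEW
    0     0 DROP       udp  --  eth0   *       0.0.0.0/0      0.0.0.0/0       multiport dports 1024:65535 ctstate NEW
"""

# Column layout of `iptables -v -nL`: pkts bytes target prot opt in out source destination [matches]
RULE_RE = re.compile(r"^\s*\d+[KMG]?\s+\d+[KMG]?\s+(?P<target>\S+)\s+(?P<proto>\S+)\s+\S+\s+"
                     r"(?P<iface>\S+)\s+\S+\s+\S+\s+\S+\s*(?P<rest>.*)$")

def parse_port_spec(spec):
    """'1024:6513,6515:8077' -> [(1024, 6513), (6515, 8077)]; a bare port becomes (p, p)."""
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        ranges.append((int(lo), int(hi) if hi else int(lo)))
    return ranges

def parse_chain(listing):
    """Return (target, proto, iface, port_ranges, new_only) for each rule line in the listing."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # skips the 'Chain ...' and column-header lines
        rest = m.group("rest")
        ports = re.search(r"multiport dports (\S+)", rest)
        ranges = parse_port_spec(ports.group(1)) if ports else [(1, 65535)]
        rules.append((m.group("target"), m.group("proto"), m.group("iface"), ranges, "ctstate NEW" in rest))
    return rules

def is_dropped(rules, proto, port, iface="eth0"):
    """True if a NEW connection to proto/port arriving on iface hits a DROP rule (first match wins)."""
    for target, rproto, riface, ranges, _new_only in rules:
        if rproto not in (proto, "all") or riface not in (iface, "*"):
            continue
        if any(lo <= port <= hi for lo, hi in ranges):
            return target == "DROP"
    return False  # no rule matched: the packet falls through to the rest of INPUT

def audit(listing, expectations):
    """expectations: [(proto, port, should_be_dropped)] -> the (proto, port) pairs that disagree."""
    rules = parse_chain(listing)
    return [(proto, port) for proto, port, want in expectations if is_dropped(rules, proto, port) != want]
```

The gaps in the TCP rule's ranges (6514 and 8078) are deliberate exceptions that stay reachable, so `audit` reports 3306 as dropped but 6514 and 8078 as open, consistent with the Nmap output for the VIP.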


Nmap Scan Output from a Remote System on the VIP

Host is up (0.23s latency).
Not shown: 64511 filtered ports, 1018 closed ports
PORT      STATE  SERVICE      VERSION
22/tcp    open   ssh          OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp    open   http         Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
443/tcp   open   ssl/https
514/tcp   open   shell?
6514/tcp  open   ssl/syslog-tls?
8078/tcp  open   ssl/http     Golang net/http server (Go-IPFS json-rpc or InfluxDB API)

Nmap Scan Output on the Active Node on a Multi-node Setup

Host is up (0.0020s latency).
Not shown: 65515 closed ports
PORT      STATE  SERVICE      VERSION
22/tcp    open   ssh          OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp    open   http         Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
111/tcp   open   rpcbind      2-4 (RPC #100000)
443/tcp   open   ssl/https
514/tcp   open   shell?
3306/tcp  open   mysql?
4567/tcp  open   tram?
6514/tcp  open   ssl/syslog-tls?
8078/tcp  open   ssl/http     Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
8079/tcp  open   ssl/http     Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
8080/tcp  open   ssl/http     Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
8088/tcp  open   http         Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
8091/tcp  open   http         Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
8092/tcp  open   http         Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
10250/tcp open   ssl/http     Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
24007/tcp open   rpcbind
49152/tcp open   rpcbind
49153/tcp open   rpcbind
49154/tcp open   rpcbind