I have installed awx-on-k3s as described by kurokobo on https://github.com/kurokobo/awx-on-k3s.
My postgres database is external and no longer inside a pod/container.
Now I want to add firewall rules to harden the system.
How can I add iptables rules at the host level to close ports that are open from outside while they do not have to be accessible from outside?
If you are talking about setting up a firewall on your external database, this is probably not the best place to ask. You should only need to open up the postgres port you specified (default is 5432).
If that is not the case, could you clarify your question?
No I want to add rules to close ports (5432 postgres, 53 Dnsmasq and others) from outside.
Imho, since my setup is a single node, all ports used for awx and k3s can be closed, e.g. 10250 etc. Only 22 for ssh and 443 are necessary.
Correct?
Did you ever resolve this? This does not feel like an AWX question directly, as you should be able to close whatever ports you want to on the host, but if you close too much you may lose functionality. Our best suggestion would be to try it and see what happens.
Install nftables
Since nftables is based on eBPF, you will not see a process running. You will see the service as active when you do systemctl status nftables.
K3S will add the rules to nftables.
Create a script to add a new table that meets your requirements.
I have attached my script.
Apart from ssh, 443 and 9090 it allows connections to 5432 for postgres (in my case it is unmanaged)
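A ruleset of the kind this post describes, written as an added example; it is not the script attached to the thread. It creates a dedicated nftables table so the rules k3s itself programs (through iptables-nft) are left alone, drops everything inbound by default, and accepts only loopback, established traffic, ICMP, pod/overlay traffic, and the ports named above (22, 443, 9090, and 5432 for the unmanaged postgres). The interface names cni0 and flannel.1 (the k3s default flannel names), the placeholder client network 192.0.2.0/24 for postgres, and the file paths are assumptions to adjust for your host.

```shell
#!/bin/sh
# Added example (not the thread's attached script): generate an nftables ruleset
# for a single-node k3s/AWX host and syntax-check it before loading.
#
# Assumptions (verify on your host):
#   - k3s uses the default flannel CNI, so pod traffic arrives on cni0/flannel.1
#     (check with: ip link). Dropping it would break pod-to-host traffic.
#   - 192.0.2.0/24 is a placeholder for the network allowed to reach postgres.
#   - 22 (ssh), 443 and 9090 are the only services exposed to the outside.

DB_CLIENT_NET="${DB_CLIENT_NET:-192.0.2.0/24}"   # placeholder network, replace it

# write_ruleset PATH: write the ruleset to PATH (overwrites the file).
# The "table ... / delete table ..." pair makes the file safe to reload:
# the table is declared (no-op if present), flushed, then recreated.
write_ruleset() {
    out="$1"
    cat > "$out" <<EOF
#!/usr/sbin/nft -f
# Dedicated table: k3s rules live in other tables and stay untouched.
table inet hostfw
delete table inet hostfw
table inet hostfw {
  chain input {
    type filter hook input priority 0; policy drop;

    iif lo accept
    ct state established,related accept
    ct state invalid drop

    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept

    # pod and overlay traffic on the single node (assumed flannel names)
    iifname { "cni0", "flannel.1" } accept

    # services reachable from outside
    tcp dport { 22, 443, 9090 } accept

    # unmanaged postgres on this host, restricted to the assumed client network
    ip saddr $DB_CLIENT_NET tcp dport 5432 accept

    # everything else (10250, 6443, 53, ...) is logged and dropped
    counter log prefix "hostfw drop: " drop
  }
}
EOF
}

# check_ruleset PATH: dry-run parse with nft (nothing is loaded).
# Returns nft's exit status, or 0 with a notice when nft is not installed.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not installed; skipping syntax check" >&2
        return 0
    fi
}

# Usage (as root), assuming /etc/nftables.conf is the file nftables.service loads
# on your distribution:
#   write_ruleset /etc/nftables.conf && check_ruleset /etc/nftables.conf
#   nft -f /etc/nftables.conf && systemctl enable --now nftables
# Keep an ssh session open while testing; "nft list table inet hostfw" shows
# the live rules and the counter on the final drop rule tells you what was cut off.
```

Before enabling the service, watch the drop counter and the kernel log for a while: anything k3s or AWX still needs from the outside shows up there as a logged drop, which is the "try it and see what happens" check suggested above, done without losing the host.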