IP Tables config

From WilliamsNet Wiki

IP Tables Config

Configure the host to forward packets, to pass bridged (pod) traffic through iptables, and to accept forwarded traffic by default. As root:

# apply immediately (the net.bridge key only exists once the br_netfilter module is loaded)
echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
echo 1 > /proc/sys/net/ipv4/ip_forward
# persist the same two settings across reboots
echo "net.bridge.bridge-nf-call-iptables = 1" >> /etc/sysctl.conf
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
# default policy for forwarded traffic; this is runtime-only and is not saved by the commands above
iptables -P FORWARD ACCEPT
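The two `echo ... >> /etc/sysctl.conf` lines above add a duplicate line every time the snippet is re-run, and nothing checks that the settings actually took effect. The script below is an added example (not from this wiki page) that persists the same two sysctl keys idempotently, loads them, and verifies the runtime values under /proc. It assumes a drop-in file under /etc/sysctl.d/ (the file name 90-k8s-forward.conf is an arbitrary choice) and that the procps `sysctl -p FILE` form is available; the file path is a parameter so the persistence logic can be exercised against a scratch file without root.

```shell
#!/bin/sh
# Added example: idempotent sysctl persistence plus runtime verification for the
# bridge-nf-call-iptables / ip_forward settings used above.

# escape_re KEY -> KEY with regex-special dots escaped for grep/sed
escape_re() { printf '%s' "$1" | sed 's/[.]/\\./g'; }

# ensure_sysctl_line FILE KEY VALUE
# Writes "KEY = VALUE" into FILE, replacing an existing line for KEY if there is
# one and appending otherwise. Running it twice leaves exactly one line.
ensure_sysctl_line() {
    file="$1"; key="$2"; value="$3"
    [ -f "$file" ] || : > "$file"
    re="^[[:space:]]*$(escape_re "$key")[[:space:]]*="
    if grep -q "$re" "$file"; then
        # rewrite through a temp file instead of sed -i for portability
        tmp="${file}.tmp.$$"
        sed "s|${re}.*|${key} = ${value}|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# count_sysctl_line FILE KEY -> how many lines in FILE set KEY (should be 1)
count_sysctl_line() {
    grep -c "^[[:space:]]*$(escape_re "$2")[[:space:]]*=" "$1" || true
}

# current_sysctl KEY -> the live value from /proc/sys, or "missing" when the
# key does not exist (e.g. net.bridge.* before br_netfilter is loaded)
current_sysctl() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; else echo missing; fi
}

# apply_and_verify FILE: persist both settings, load them, and confirm each
# reads back as 1 at runtime. Returns non-zero if any setting is not active.
apply_and_verify() {
    file="$1"
    ensure_sysctl_line "$file" net.bridge.bridge-nf-call-iptables 1
    ensure_sysctl_line "$file" net.ipv4.ip_forward 1
    modprobe br_netfilter 2>/dev/null || true   # makes the net.bridge.* keys exist
    sysctl -p "$file"
    for k in net.bridge.bridge-nf-call-iptables net.ipv4.ip_forward; do
        [ "$(current_sysctl "$k")" = 1 ] || { echo "$k is not active" >&2; return 1; }
    done
    echo "forwarding settings active and persisted in $file"
}

# Only touches the system when explicitly asked (needs root); otherwise the
# functions above can be sourced or exercised against a scratch file.
if [ "${1:-}" = "--apply" ]; then
    apply_and_verify /etc/sysctl.d/90-k8s-forward.conf
fi
```

Run it as `sh forward-sysctl.sh --apply` as root; re-running is safe because ensure_sysctl_line replaces rather than appends, and the final loop fails loudly if a key is still 0 or missing.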

Systemd Service on boot

The FORWARD policy set above is runtime-only, so to re-apply it at every boot create a systemd service:

[Unit]
Description=Common on-boot commands
After=kubelet.service

[Service]
Type=oneshot
ExecStart=/usr/sbin/iptables -P FORWARD ACCEPT
ExecStart=/bin/bash -c "/usr/bin/date > /etc/systemd/system/onboot.tag"

[Install]
WantedBy=multi-user.target

Save this as /etc/systemd/system/onboot.service.

Then issue the systemctl commands to load and enable it:

systemctl enable onboot
systemctl start onboot

The second ExecStart also writes the date of the last run to /etc/systemd/system/onboot.tag, which gives a quick way to confirm that the unit actually ran.

For Distros using iptables v1.8+

This includes (at least):

  • Debian 10 (buster)
  • RHEL 8
  • CentOS 8

Someone in the Linux world decided that it was time to change from 'iptables' packet processing rules to the newer 'nf_tables' (or nft) packet processing rules. iptables v1.8.* is supposed to be a transition version that can do both the iptables (legacy) method of packet filtering and the nft method. The problem is that the iptables binary inside Kubernetes pods (e.g. kube-proxy) still uses the legacy backend and writes legacy rules, while the host's command-line iptables writes nft rules by default. Each backend only sees its own ruleset, so the two sets of rules end up disagreeing, which causes "weird and wonderful" problems.

The short answer (until someone gets this worked out and updates the kube-proxy containers to use the nft rule sets) is to force the host to use the legacy iptables backend. Fortunately, on these distros iptables is installed through the 'alternatives' system, so we can just flip it:

update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
update-alternatives --set arptables /usr/sbin/arptables-legacy
update-alternatives --set ebtables /usr/sbin/ebtables-legacy

Only the first one is strictly necessary, but it is best to keep the whole iptables family on the same backend.
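The mismatch above is easier to catch up front than to diagnose from symptoms. The following is an added example (not from this wiki page) that reads the backend out of `iptables -V`, which on 1.8+ reports `(nf_tables)` or `(legacy)`, and counts how many rules each of iptables-legacy and iptables-nft currently hold: rules present on both sides is the mixed state the text describes. The version-string parser and the mixed-state check are pure functions so they can be tested without root; the `check_host` wrapper is what you would run on a node after the `update-alternatives` commands.

```shell
#!/bin/sh
# Added example: detect which iptables backend a host uses and whether rules
# are split across both backends.

# backend_of VERSION_STRING -> "nf_tables" | "legacy" | "unknown"
# VERSION_STRING is the output of `iptables -V`, e.g. "iptables v1.8.2 (nf_tables)".
# Versions before 1.8 print no backend at all; they only have the legacy one.
backend_of() {
    case "$1" in
        *"(nf_tables)"*)        echo nf_tables ;;
        *"(legacy)"*)           echo legacy ;;
        "iptables v1."[0-7].*)  echo legacy ;;
        *)                      echo unknown ;;
    esac
}

# count_rules CMD -> number of "-A" rule lines printed by `CMD -S`; 0 when CMD
# is absent or the ruleset cannot be read (e.g. not running as root)
count_rules() {
    command -v "$1" >/dev/null 2>&1 || { echo 0; return; }
    "$1" -S 2>/dev/null | grep -c '^-A' || true
}

# mixed_state LEGACY_RULES NFT_RULES -> "mixed" when both backends carry rules,
# "ok" otherwise. A mixed host is the situation described in the text: two
# rulesets that each only see themselves.
mixed_state() {
    if [ "$1" -gt 0 ] && [ "$2" -gt 0 ]; then echo mixed; else echo ok; fi
}

# check_host: print the default backend and the per-backend rule counts.
# Returns non-zero on a mixed host so it can gate provisioning scripts.
check_host() {
    v="$(iptables -V 2>/dev/null || echo unavailable)"
    echo "iptables command: $v -> backend $(backend_of "$v")"
    legacy=$(count_rules iptables-legacy)
    nft=$(count_rules iptables-nft)
    state=$(mixed_state "$legacy" "$nft")
    echo "rules: legacy=$legacy nft=$nft -> $state"
    [ "$state" = ok ]
}

if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

Run `sh iptables-backend.sh --check` as root on a node; after switching the alternatives to the legacy binaries, the reported backend should read `legacy` and, once kube-proxy has re-synced, the nft count should stay at 0.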

There is an extensive discussion covering both the practical and the philosophical issues on the Kubernetes GitHub issue tracker: https://github.com/kubernetes/kubernetes/issues/71305