redhat-performance/JetSki

[Feature] Enable firewall on bootstrap not for DNAT

mulbc opened this issue · 2 comments

mulbc commented

Currently the firewall is disabled on the bootstrap node. Therefore it is not possible to share services in the deployed OpenShift cluster with your local workstation (or the Red Hat VPN network).

By enabling the firewall and configuring NAT, you can share services (like the Kubernetes API) with the 10.0.0.0/8 network and thus don't need to work on the bootstrap node.

For me, the following commands were necessary to get to this point. Port 30521 is a remote desktop connection to a Windows VM.

nmcli c mod baremetal connection.zone internal
nmcli c mod provisioning connection.zone internal
nmcli c mod eno3 connection.zone external
nmcli c mod ens7f0 connection.zone external
firewall-cmd --zone=external --add-masquerade --permanent
firewall-cmd --zone=external --add-masquerade
firewall-cmd --zone=internal --add-masquerade --permanent
firewall-cmd --zone=internal --add-masquerade
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eno3 -j MASQUERADE
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i baremetal -o eno3 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eno3 -o baremetal -m state --state RELATED,ESTABLISHED -j ACCEPT
firewall-cmd --add-service=dns --zone=internal
firewall-cmd --add-service=dhcp --zone=internal
firewall-cmd --add-service=http --zone=internal
firewall-cmd --add-service=dns --zone=internal --permanent
firewall-cmd --add-service=dhcp --zone=internal --permanent
firewall-cmd --add-service=http --zone=internal --permanent
firewall-cmd --zone=external --add-forward-port=port=6443:proto=tcp:toport=6443:toaddr=192.168.222.10
firewall-cmd --zone=external --add-forward-port=port=30521:proto=tcp:toport=30521:toaddr=192.168.222.10

eno3 in this case is the interface with the 10.0.0.0/8 IP.

This worked for me in the Alias lab.

mulbc commented

Apparently sometimes the eno3 interface is named "System eno3" by NetworkManager...
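The command sequence from the issue body, together with the "System eno3" naming problem from the follow-up comment, as an added example that is not code from the JetSki project or from the issue author. The script resolves NetworkManager connection names from device names (so a connection called "System eno3" is found rather than assumed to be "eno3"), adds each rule once with --permanent and activates everything with a single --reload instead of running every command twice, and prints the commands by default (DRY_RUN=1) so the plan can be reviewed before it touches the bootstrap node. As an added hardening choice the issue does not make, the forwarded ports are exposed through rich rules limited to ALLOWED_SRC, set to the 10.0.0.0/8 network the issue wants to share with. The device names, the 192.168.222.10 target and ports 6443 and 30521 are taken from the issue; ens7f0 is left out, the FORWARD --direct rules cover only baremetal as in the issue, and the zone-level masquerade is used in place of the separate POSTROUTING direct rule.

```shell
#!/bin/sh
# Added example (not JetSki project code and not the issue's commands as posted).
# Turns the manual nmcli/firewall-cmd sequence into a reviewable script:
#   - connection names are resolved from device names, so "System eno3" is found;
#   - every rule is added once with --permanent and activated by one --reload;
#   - DRY_RUN=1 (the default) prints the commands instead of running them;
#   - forwarded ports are limited to ALLOWED_SRC (added hardening; the issue
#     forwards them from any source).
# Assumed values: devices, DNAT target and ports come from the issue; ens7f0 is
# omitted; ALLOWED_SRC=10.0.0.0/8 is the network the issue wants to share with.

INTERNAL_DEVS="${INTERNAL_DEVS:-baremetal provisioning}"
FORWARD_DEV="${FORWARD_DEV:-baremetal}"      # internal device allowed to route out
EXTERNAL_DEV="${EXTERNAL_DEV:-eno3}"
DNAT_TARGET="${DNAT_TARGET:-192.168.222.10}"
FORWARD_PORTS="${FORWARD_PORTS:-6443 30521}"
ALLOWED_SRC="${ALLOWED_SRC:-10.0.0.0/8}"
DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print the command (shell-quoted where needed) in dry-run mode,
# otherwise execute it and return its status.
run() {
    if [ "$DRY_RUN" != "1" ]; then "$@"; return; fi
    line=""
    for arg; do
        case $arg in
            *[!A-Za-z0-9_./:=,-]*) arg="'$arg'" ;;
        esac
        line="${line:+$line }$arg"
    done
    printf '%s\n' "$line"
}

# nm_conn_for_device DEVICE: read "NAME:DEVICE" lines from stdin, the format of
# `nmcli -t -f NAME,DEVICE connection show`, and print the connection name that
# owns DEVICE. Returns 1 if no line matches.
nm_conn_for_device() {
    want="$1"
    while IFS= read -r entry; do
        name="${entry%:*}"   # text before the last colon (may contain spaces)
        dev="${entry##*:}"   # text after the last colon
        if [ "$dev" = "$want" ]; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# configure_firewall: read the nmcli listing from stdin, then zone the
# connections and install the NAT, forwarding and service rules.
configure_firewall() {
    listing=$(cat)
    conn=$(printf '%s\n' "$listing" | nm_conn_for_device "$EXTERNAL_DEV") || {
        echo "no NetworkManager connection owns $EXTERNAL_DEV" >&2; return 1; }
    run nmcli connection modify "$conn" connection.zone external
    for dev in $INTERNAL_DEVS; do
        conn=$(printf '%s\n' "$listing" | nm_conn_for_device "$dev") || {
            echo "no NetworkManager connection owns $dev" >&2; return 1; }
        run nmcli connection modify "$conn" connection.zone internal
    done

    # Zone masquerade installs the POSTROUTING MASQUERADE rule for traffic
    # leaving through external-zone interfaces, so no --direct nat rule is needed.
    run firewall-cmd --permanent --zone=external --add-masquerade
    # Services the bootstrap node provides to the cluster networks.
    for svc in dns dhcp http; do
        run firewall-cmd --permanent --zone=internal --add-service="$svc"
    done
    # Routing between the two zones, as --direct rules like in the issue.
    run firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 \
        -i "$FORWARD_DEV" -o "$EXTERNAL_DEV" -j ACCEPT
    run firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 \
        -i "$EXTERNAL_DEV" -o "$FORWARD_DEV" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # DNAT of the shared ports, reachable only from ALLOWED_SRC (rich rule).
    for port in $FORWARD_PORTS; do
        rule="rule family=\"ipv4\" source address=\"$ALLOWED_SRC\" forward-port port=\"$port\" protocol=\"tcp\" to-port=\"$port\" to-addr=\"$DNAT_TARGET\""
        run firewall-cmd --permanent --zone=external --add-rich-rule="$rule"
    done
    run firewall-cmd --reload
}

# Usage: nmcli -t -f NAME,DEVICE connection show | sh bootstrap-fw.sh --plan
#        nmcli -t -f NAME,DEVICE connection show | sh bootstrap-fw.sh --apply
case "${1:-}" in
    --plan)  configure_firewall ;;
    --apply) DRY_RUN=0; configure_firewall ;;
esac
```

Running it with --plan first shows exactly which connection names were matched and which rules would be installed; only --apply executes them. Because the external-zone rules are stored with --permanent, they survive a reboot of the bootstrap node, which the non-permanent --add-forward-port commands in the issue do not.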

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.