I am currently working on protecting a Kubernetes server by blocking specific ports with iptables. I applied the following rules to drop traffic on those ports:
-A INPUT -p tcp -m tcp --dport 30880 -j DROP
-A INPUT -p tcp -m tcp --dport 30088 -j DROP
-A INPUT -p tcp -m tcp --dport 30080 -j DROP
-A INPUT -p tcp -m tcp --dport 30000:32000 -j DROP
However, even after adding these rules, when I run an Nmap scan from another server I can still see the ports that are supposed to be blocked:
Nmap scan report for 192.168.201.79
Host is up (0.0026s latency).
Not shown: 65528 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
30080/tcp open unknown
30088/tcp open unknown
30500/tcp open unknown
30880/tcp closed unknown
The output of iptables -S is as follows:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N KUBE-EXTERNAL-SERVICES
-N KUBE-FIREWALL
-N KUBE-FORWARD
-N KUBE-KUBELET-CANARY
-N KUBE-NODEPORTS
-N KUBE-PROXY-CANARY
-N KUBE-PROXY-FIREWALL
-N KUBE-SERVICES
-A INPUT -p tcp -m tcp --dport 30880 -j DROP
-A INPUT -p tcp -m tcp --dport 30088 -j DROP
-A INPUT -p tcp -m tcp --dport 30080 -j DROP
-A INPUT -p tcp -m tcp --dport 30000:32000 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j KUBE-FIREWALL
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes load balancer firewall" -j KUBE-PROXY-FIREWALL
-A INPUT -m comment --comment "kubernetes health check service ports" -j KUBE-NODEPORTS
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes load balancer firewall" -j KUBE-PROXY-FIREWALL
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
-A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
-A OUTPUT -j KUBE-FIREWALL
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes load balancer firewall" -j KUBE-PROXY-FIREWALL
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A KUBE-EXTERNAL-SERVICES -p tcp -m comment --comment "kubernetes-dashboard/kubernetes-dashboard-svc has no endpoints" -m addrtype --dst-type LOCAL -m tcp --dport 30443 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A KUBE-SERVICES -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns has no endpoints" -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 10.104.22.122/32 -p tcp -m comment --comment "kubernetes-dashboard/kubernetes-dashboard has no endpoints" -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 10.100.159.144/32 -p tcp -m comment --comment "kubernetes-dashboard/kubernetes-dashboard-svc has no endpoints" -m tcp --dport 9090 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp has no endpoints" -m tcp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics has no endpoints" -m tcp --dport 9153 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 10.103.232.189/32 -p tcp -m comment --comment "kube-system/metrics-server:https has no endpoints" -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable
I am not sure why the ports are not being blocked as expected. Can anyone help me understand what is causing this behaviour? Do I need to change my iptables rules or the server configuration to block these ports effectively?
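The following is an added example, not code from the question or from Kubernetes: it replays the filter-table INPUT chain quoted above against a port scanner's SYN and reports the first terminating rule. The dump is constructed from the `iptables -S` output in the question; the packet model (arrives on an external interface, conntrack state NEW, addressed to a local IP) and the treatment of unmodelled matchers (`-s`, `-d`, `--mark` are assumed not to match) are assumptions of this example. Run stand-alone, it shows that INPUT would DROP 30080, 30088, 30500 and 30880 for any packet delivered locally, which is the point: the rules are correct, but NodePort traffic does not reach filter INPUT. kube-proxy rewrites the destination of NodePort connections with DNAT in the nat table's PREROUTING chain, before the routing decision, so the rewritten packets are forwarded towards the pod (FORWARD chain) and a filter INPUT rule on `--dport 30080` never sees them. The check to run on the node is `iptables -t nat -S`, and the blocking rule belongs where the packet still carries the NodePort, for example in the raw or mangle PREROUTING chain, or at an upstream firewall.

```python
# Added example: simulate the filter INPUT chain from the question for a scanner's SYN.
# Assumption: every iptables option takes exactly one argument (true for this dump).
import shlex

# Constructed from the `iptables -S` output quoted in the question (chains reachable from INPUT).
IPTABLES_DUMP = """\
-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 30880 -j DROP
-A INPUT -p tcp -m tcp --dport 30088 -j DROP
-A INPUT -p tcp -m tcp --dport 30080 -j DROP
-A INPUT -p tcp -m tcp --dport 30000:32000 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j KUBE-FIREWALL
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes load balancer firewall" -j KUBE-PROXY-FIREWALL
-A INPUT -m comment --comment "kubernetes health check service ports" -j KUBE-NODEPORTS
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A KUBE-EXTERNAL-SERVICES -p tcp -m comment --comment "kubernetes-dashboard/kubernetes-dashboard-svc has no endpoints" -m addrtype --dst-type LOCAL -m tcp --dport 30443 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
"""

# Assumed packet: a NEW TCP SYN from outside (not lo) to one of this host's addresses.
SCAN_SYN = {"proto": "tcp", "iface": "eth0", "ctstate": "NEW", "dst_local": True}


def parse_dump(dump):
    """Return ({chain: policy}, {chain: [rule token lists]}) from `iptables -S` text."""
    policies, chains = {}, {}
    for line in dump.splitlines():
        tok = shlex.split(line)          # honours the quoted --comment strings
        if not tok:
            continue
        if tok[0] == "-P":
            policies[tok[1]] = tok[2]
        elif tok[0] == "-A":
            chains.setdefault(tok[1], []).append(tok[2:])
    return policies, chains


def rule_matches(tokens, dport, pkt):
    """True if every matcher before -j matches pkt; unmodelled matchers count as no match."""
    i, negate = 0, False
    while i < len(tokens) and tokens[i] != "-j":
        opt = tokens[i]
        if opt == "!":                   # negation applies to the next matcher
            negate, i = True, i + 1
            continue
        val = tokens[i + 1]
        i += 2
        if opt in ("-m", "--comment"):   # module loads and comments never filter
            continue
        if opt == "-p":
            ok = val == pkt["proto"]
        elif opt == "--dport":
            lo, _, hi = val.partition(":")
            ok = int(lo) <= dport <= int(hi or lo)
        elif opt in ("--state", "--ctstate"):
            ok = pkt["ctstate"] in val.split(",")
        elif opt == "-i":
            ok = val == pkt["iface"]
        elif opt == "--dst-type":
            ok = (val == "LOCAL") == pkt["dst_local"]
        else:                            # -s, -d, --mark: not modelled, assume no match
            return False
        if ok == negate:                 # plain mismatch, or a negated match
            return False
        negate = False
    return True


def first_verdict(chain, dport, policies, chains, pkt=SCAN_SYN, top=True):
    """Walk chain in order; return (verdict, rule) of the first terminating rule.
    A built-in chain falls back to its policy; a user chain falls through with None."""
    for tokens in chains.get(chain, []):
        if not rule_matches(tokens, dport, pkt):
            continue
        target = tokens[tokens.index("-j") + 1]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, f"-A {chain} " + " ".join(tokens)
        if target == "RETURN":
            break
        if target in chains:             # jump into a user-defined chain
            hit = first_verdict(target, dport, policies, chains, pkt, top=False)
            if hit:
                return hit
    if top:
        return policies.get(chain, "ACCEPT"), f"-P {chain} {policies.get(chain, 'ACCEPT')}"
    return None


POLICIES, CHAINS = parse_dump(IPTABLES_DUMP)


def input_verdict(dport):
    """Verdict the filter INPUT chain would give a scanner's SYN to dport."""
    return first_verdict("INPUT", dport, POLICIES, CHAINS)


if __name__ == "__main__":
    for port in (22, 80, 443, 8080, 30080, 30088, 30443, 30500, 30880):
        verdict, rule = input_verdict(port)
        print(f"{port:>6}/tcp  {verdict:<6}  by: {rule}")
```

Every NodePort in the scan comes back DROP from the simulator, and 30443 is dropped by the `30000:32000` range rule before kube-proxy's own REJECT in KUBE-EXTERNAL-SERVICES is reached. Since Nmap nevertheless reports 30080 and 30088 open, the SYNs it sent were not evaluated by this chain at all, which is exactly what the nat-table DNAT explains; the simulator deliberately models only the filter table so that this gap is visible.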