This message was deleted.
# k3sa
adamant-kite-43734
10/05/2023, 7:21 PMThis message was deleted.
g
gentle-midnight-93731
10/05/2023, 7:24 PMAre you by any chance using Hetzner "firewall" for robot servers ? It is NOT statefull and could be causing this..
b
blue-angle-72433
10/05/2023, 7:26 PMI am.... I don't want to allow any ingress to these servers so it seemed prudent. But it sounds like I shot myself in the foot there?
g
gentle-midnight-93731
10/05/2023, 7:29 PMThat is the main reason why I dropped k3s om robot servers !
They are implemented as simple switch ACL's and you can only have 10 of them. Try disabling the rules to determine if this is the main reason...
gentle-midnight-93731
10/05/2023, 7:34 PMLong story short : Normally you would create rules to allow traffic to empheral ports in your hetzner "firewall".
To see your empheral ports :
Copy code
sysctl net.ipv4.ip_local_port_rangegentle-midnight-93731
10/05/2023, 7:38 PMUgly workaround : Create rules like this
1 : Allow any traffic from your ip
2: Allow between internal (vswitch) networks - i.e. 10.0.0.0/8
3: Drop traffic to SSH
4: Drop traffic to 6443
5: Drop traffic to 10250
6: Drop traffic to 9100 ( if using node-exporter )
7: Drop traffic to any other services
8: Allow all
b
blue-angle-72433
10/05/2023, 7:44 PMRight now my incoming rules are:
blue-angle-72433
10/05/2023, 7:45 PM(ssh template with an allow all from the private network ips)
blue-angle-72433
10/05/2023, 7:46 PMAnd outgoing is simply:
blue-angle-72433
10/05/2023, 7:47 PMCould that really be stopping outgoing data from the pods?
g
gentle-midnight-93731
10/05/2023, 7:47 PMAnd that works nicely if NOT using iptables. Rule 3 normally allows the return traffic - but iptables are picking ports below 32768
gentle-midnight-93731
10/05/2023, 7:47 PMNo - it stops the return traffic
gentle-midnight-93731
10/05/2023, 7:48 PMYou can verify by connecting to a host with tcpdump from any pod
b
blue-angle-72433
10/05/2023, 7:48 PMDamn, i had forgotten how primitive a non-stateful firewall is.
g
gentle-midnight-93731
10/05/2023, 7:49 PMtrue !
gentle-midnight-93731
10/05/2023, 7:49 PMAnd combining this with iptables not complying to the default settings does not make it any better
gentle-midnight-93731
10/05/2023, 7:52 PMgentle-midnight-93731
10/05/2023, 7:53 PMFound it 🙂
b
blue-angle-72433
10/05/2023, 8:01 PMYou are a life-saver, thank you very much. Its probably too late in the day for me to mess with firewall routes, but tomorrow I will give it a go. You have saved me so much frustration.
g
gentle-midnight-93731
10/06/2023, 10:12 AMYou're welcome.