Hi
I have Calico installed with the Tigera Operator and the following config:
```shell
kubectl get felixconfigurations default -o json | jq .spec
```

```json
{
  "bpfLogLevel": "",
  "iptablesBackend": "NFT",
  "logSeverityScreen": "Info",
  "reportingInterval": "0s",
  "vxlanEnabled": true
}
```
I would like to add some nft rules to protect this test node (internet facing), but as soon as my nft rules are present, pod-to-pod communication and egress traffic from the pods is broken.
I am using the following nft rules:
```nft
#!/usr/sbin/nft -f
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept comment "Accept any localhost traffic"
        ct state established,related accept comment "Accept traffic originated from us"
        ct state invalid drop comment "Drop invalid connections"
        # ICMP is OK with rate limiting
        ip protocol icmp limit rate 4/second accept
        ip6 nexthdr ipv6-icmp limit rate 4/second accept
        # various port accepts
        # The SSH rate limit must come before the plain accept for port 22,
        # otherwise the earlier accept matches first and the limit is never applied
        tcp dport 22 ct state new limit rate 15/minute accept comment "Avoid brute force on SSH"
        tcp dport { 80, 443 } accept comment "http(s)"
    }
    chain output {
        # Accept every outbound connection
        type filter hook output priority 0; policy accept;
    }
}
```
What exactly is missing in this ruleset so that I block incoming traffic without blocking Calico?
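As an added example (not part of the original post), here is the same host ruleset extended so that it no longer drops the traffic Calico's VXLAN overlay and the local pods send to this node. It assumes Calico's defaults (workload veths named `cali*`, overlay device `vxlan.calico`, VXLAN on UDP 4789) and a placeholder cluster-node subnet `10.0.0.0/24`; both are assumptions to adjust for the actual cluster.

```nft
#!/usr/sbin/nft -f
# Added example, not the original poster's ruleset. Placeholder values:
define NODE_NET = 10.0.0.0/24     # assumption: subnet the other cluster nodes live in
define VXLAN_PORT = 4789          # Calico default (FelixConfiguration vxlanPort)

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept comment "Accept any localhost traffic"
        ct state established,related accept comment "Accept traffic originated from us"
        ct state invalid drop comment "Drop invalid connections"

        # Calico: encapsulated pod-to-pod traffic from peer nodes arrives at the
        # INPUT hook of this host as VXLAN; dropping it breaks cross-node pod traffic
        ip saddr $NODE_NET udp dport $VXLAN_PORT accept comment "Calico VXLAN from cluster nodes"
        # Decapsulated overlay traffic addressed to this host (e.g. pod -> node services)
        iifname "vxlan.calico" accept comment "Traffic arriving via the Calico overlay"
        # Pods on this node talking to the host itself (DNS, kubelet, node ports)
        iifname "cali*" accept comment "Local Calico workloads"
        # kubelet API from peer nodes, needed for kubectl logs/exec and metrics
        ip saddr $NODE_NET tcp dport 10250 accept comment "kubelet from cluster nodes"

        # ICMP is OK with rate limiting
        ip protocol icmp limit rate 4/second accept
        ip6 nexthdr ipv6-icmp limit rate 4/second accept

        # Rate-limited SSH must precede any plain accept for port 22
        tcp dport 22 ct state new limit rate 15/minute accept comment "Avoid brute force on SSH"
        tcp dport { 80, 443 } accept comment "http(s)"
    }
    chain forward {
        # Calico programs its own chains to enforce network policy on forwarded
        # pod traffic; keep this table's forward policy permissive
        type filter hook forward priority 0; policy accept;
    }
    chain output {
        # Accept every outbound connection
        type filter hook output priority 0; policy accept;
    }
}
```

In nftables a `drop` verdict in any base chain is final, so Calico's own accept rules cannot rescue a packet this chain drops; the overlay and pod traffic has to be accepted here (or the node protected with Calico HostEndpoint policy instead of a separate table).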