Skip to main content

Manage network

Here is how to manage network settings in the Bare Metal Server service.

Associate public IP

You can associate a public IP with an instance.

info

Only Project Admin can associate public IPs.

  1. Go to the KakaoCloud Console > Beyond compute service > Bare metal server menu.

  2. In the Instance menu, click the [More] icon on the instance to associate a public IP, then click Associate public IP.

  3. In the Associate public IP pop-up, review the information, select a public IP to assign, and click [Confirm].

    Image. Configure public IP association Associate public IP

Disassociate public IP

You can disassociate a public IP from an instance.

info

Only Project Admin can associate and disassociate public IPs.

caution

If you only disassociate the public IP without deleting it, the resource is not released and charges will continue to accrue even if the instance is not in use.

  1. Go to the KakaoCloud Console > Beyond compute service > Bare metal server menu.
  2. In the Instance menu, click the [More] icon on the instance to disassociate a public IP, then click Disassociate public IP.
  3. In the Disassociate public IP pop-up, review the information and select Automatically delete the disassociated public IP.
  4. Click [Disassociate].

When using multi-network interface

Bare Metal Server instances support multiple network interfaces per instance, but we do not recommend this configuration due to potential network routing issues.
If more than one network interface is connected to the same subnet, problems such as asymmetric routing may occur. Therefore, we recommend configuring each interface to connect to a different subnet.

If you must connect multiple interfaces to the same subnet, additional configuration is required. You must remove default gateways from interfaces that are not used for external communication.

info

Execute all commands with sudo using root privileges.

  1. Run the following command to check the routing table:

    Check instance routing configuration
    sudo route -n

    Example output:

    Example routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0 198.168.0.1 0.0.0.0 UG 100 0 0 eth0
    0.0.0.0 10.10.0.1 0.0.0.0 UG 100 0 0 eth1
    198.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
    10.10.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
  2. Keep the gateway connected to the interface used for external communication and delete others:

    Delete gateway for eth1
    sudo route del default gw 10.10.0.1 dev eth1

    Resulting routing table:

    Routing table after deletion
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0 198.168.0.1 0.0.0.0 UG 100 0 0 eth0
    198.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
    10.10.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1

Configure iptables

iptables is a firewall table on Linux used by system administrators to define packet filtering policies.
Until security groups are supported, users must configure firewall policies directly within their OS using iptables.

info

For more about iptables, refer to the Netfilter iptables project.

Terminology and commands

Basic terms

TermDescription
TargetAction taken when a rule is matched
- ACCEPT: Allow the packet
- DROP: Block without error message
- REJECT: Block with error message
ChainRule group applied to different traffic directions
- INPUT: Incoming packets
- OUTPUT: Outgoing packets
- FORWARD: Packets being routed

Full commands

OptionDescription
-A (–append)Append new rule
-D (–delete)Delete rule
-C (–check)Test packet against rule
-R (–replace)Replace with new rule
-I (–insert)Insert rule before existing
-L (–list)List rules
-S (–list-rules)Output all rules
-F (–flush)Delete all rules in a chain
-Z (–zero)Reset counters
-N (–new)Create new chain
-X (–delete-chain)Delete chain
-P (–policy)Set default policy
-sSource IP
-dDestination IP
--sportSource port
--dportDestination port
-jJump target
-pProtocol (e.g. TCP, UDP, ICMP)
-iInput interface
-oOutput interface
-tTable type (filter, nat, mangle); default: filter

Configure policy

KakaoCloud’s Bare Metal Server images come with iptables v1.6.1 and SSHGUARD preinstalled.
SSHGUARD protects against brute force attacks (e.g., multiple failed login attempts). It does not replace iptables, and users must define rules based on their own security needs.

info

For more about SSHGUARD, refer to the SSHGUARD official site.

Check iptables version

Check iptables version
sudo iptables -V
Example
iptables v1.6.1

View current rules

View rules
sudo iptables -nL --line-numbers --verbose
Example output
Chain INPUT (policy ACCEPT 451 packets, 44136 bytes)
num pkts bytes target prot opt in out source destination
1 773 77557 sshguard all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

Chain OUTPUT (policy ACCEPT 278 packets, 30411 bytes)

Chain sshguard (1 references)

Output all rules

You can output all rules.
The output is formatted in a way that is directly reusable, as it follows the iptables-save format, which differs from the output of the sudo iptables -L command.

Output all rules
sudo iptables -S -v
Example
-P INPUT ACCEPT -c 511 50127
-P FORWARD ACCEPT -c 0 0
-P OUTPUT ACCEPT -c 323 36247
-N sshguard
-A INPUT -c 833 83548 -j sshguard

Create rule

caution

When defining iptables rules, be careful not to block essential ports (e.g., SSH or service ports).
KakaoCloud is not responsible for issues caused by user-defined iptables policies. In such cases, you must reinstall the image using the Rebuild feature under [More options].

Add rule
sudo iptables -A

Examples:

# Allow all traffic on localhost
sudo iptables -A INPUT -i lo -j ACCEPT

# Allow external access on TCP port 22
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow external access on TCP port 80
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Allow external access on TCP port 443
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow access from any source to specific server port
sudo iptables -A INPUT -d 000.000.00.00 -p tcp --dport 22 -j ACCEPT

Delete rule

Delete rule
sudo iptables -D

Examples:

# Delete rule number 4 in INPUT chain
sudo iptables -D INPUT 4

# Delete TCP port 22 reject rule
sudo iptables -D INPUT -p tcp -m tcp --dport 22 -j REJECT

# Delete TCP port 443 accept rule
sudo iptables -D INPUT -p tcp --dport 443 -j ACCEPT

Save rule settings

iptables rules are not persistent after reboot. Save them to /etc/iptables.rules.

Save rules
sudo iptables-save
View saved rules
sudo cat /etc/iptables.rules

Example output:

filter
:INPUT ACCEPT [1438:151829]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [845:93350]
:sshguard - [0:0]
-A INPUT -j sshguard
COMMIT

Explanation of example rules

Base commandOptionChainSource IPDestination IPProtocolPortMatchAction
iptables-AINPUT-s-d-p--dport-jACCEPT
iptables-DOUTPUT-s-d-p--dport-jDROP
iptables-IFORWARD-s-d-p--dport-jREJECT