Manage network
Associate public IP
If you are associating a public IP address with your instance to enable communication with the internet, note that your instance is in a public subnet.
Only Project Admin can associate or disassociate public IPs.
- Go to KakaoCloud Console > Beyond Compute Service > Bare Metal Server.
- In the Instance menu, select the [More] icon > Associate public IP for the instance.
- In the pop-up window, review the details and select a public IP. Then click the [OK] button.
Disassociate public IP
You can disassociate an associated public IP from a specific instance.
Only Project Admin can associate or disassociate public IPs.
If you only disassociate the public IP without deleting it, the underlying resource is not released back to the resource pool, so you will continue to be charged unless you delete the instance.
- Go to KakaoCloud Console > Beyond Compute Service > Bare Metal Server.
- In the Instance menu, select the [More] icon > Disassociate public IP for the instance.
- Check the information in the pop-up window, and select Disassociate and delete the public IP.
- Click the [Disassociate] button.
Use multiple network interfaces
In Bare Metal Server instances, multiple network interfaces can be configured on a single instance; however, this setup is not recommended due to potential network routing issues.
Connecting more than one network interface to the same subnet can lead to networking issues such as asymmetric routing. Therefore, it is recommended to connect each network interface to a different subnet.
If it is necessary to connect multiple network interfaces of a single instance to the same subnet, additional configuration is required. Specifically, you must delete the gateways associated with the other network interfaces, leaving only the gateway of the network interface intended for external communication.
Follow these steps to delete the gateways on the other network interfaces when using multiple network interfaces.
Run the following commands with sudo (root privileges).
- Run the following command to check the instance's routing configuration.

Check instance routing configuration:
sudo route -n

Example of instance routing configuration check:
sudo route -n
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 198.168.0.1 0.0.0.0 UG 100 0 0 eth0
0.0.0.0 10.10.0.1 0.0.0.0 UG 100 0 0 eth1
198.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.10.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
- Run the following command to keep the gateway connected to the network interface used for external communication, and delete the gateways on the other network interfaces.
  - Example: delete the gateway connected to eth1, leaving only the gateway of the network interface (eth0) intended for external communication.

Delete the gateway connected to eth1 (replace IP Address and Adapter with the gateway address and the interface name):
sudo route del default gw <IP Address> dev <Adapter>

Example of deleting the gateway connected to eth1:
sudo route del default gw 10.10.0.1 dev eth1

Routing configuration after the deletion:
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 198.168.0.1 0.0.0.0 UG 100 0 0 eth0
198.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.10.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
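The two steps above can be turned into a repeatable pre-check. The script below is an added example and not part of the KakaoCloud documentation: it reads a `route -n` table, counts the default gateways, and prints (without executing) the `route del` commands that would leave only the gateway on the interface you keep for external communication. The routing table embedded in it is constructed from the page's example output; on a live instance you would pipe `sudo route -n` into the same functions.

```shell
#!/bin/sh
# Added example (not KakaoCloud's own tooling): audit a routing table for more than
# one default gateway and plan the cleanup described in the steps above.
# SAMPLE_ROUTES is constructed from the page's example `route -n` output.

SAMPLE_ROUTES='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         198.168.0.1     0.0.0.0         UG    100    0        0 eth0
0.0.0.0         10.10.0.1       0.0.0.0         UG    100    0        0 eth1
198.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.10.0.0       0.0.0.0         255.255.255.0   U     0      0        0 eth1'

# Print "<gateway> <iface>" for every default route in the table on stdin
# (destination 0.0.0.0 with the G flag set in the Flags column).
default_gateways() {
    awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $2, $8 }'
}

# Number of default gateways in the table on stdin. More than one means the
# instance can reply through a different interface than it received on
# (asymmetric routing), which is the problem the page warns about.
count_default_gateways() {
    default_gateways | wc -l | tr -d ' '
}

# Emit the deletion command for every default gateway that is NOT on $1, the
# interface kept for external communication. Nothing is executed here: review
# the output, then run the printed commands.
plan_gateway_cleanup() {
    keep_iface="$1"
    default_gateways | while read -r gw iface; do
        if [ "$iface" != "$keep_iface" ]; then
            echo "sudo route del default gw $gw dev $iface"
        fi
    done
}

# Demo on the constructed table, keeping eth0 as in the page's example.
demo() {
    n=$(printf '%s\n' "$SAMPLE_ROUTES" | count_default_gateways)
    echo "default gateways found: $n"
    if [ "$n" -gt 1 ]; then
        printf '%s\n' "$SAMPLE_ROUTES" | plan_gateway_cleanup eth0
    fi
}
demo
```

Two practical notes: `route del` changes only the running routing table, so the extra gateway comes back after a reboot unless the interface configuration itself is changed; and on systems where the legacy `route` tool is absent, `ip route show` prints the same information and `ip route del default via 10.10.0.1 dev eth1` is the equivalent deletion.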
Configure IPtables
IPtables is the Linux firewall facility that lets system administrators control incoming and outgoing traffic through a set of rules. Until security groups are available, you can configure these rules directly in IPtables on the OS image.
For more details on IPtables, refer to the Netfilter IPtables project.
The basic IPtables terms and commands are as follows.
Terminology | Description |
---|---|
Target | Action taken when an IP packet matches a rule. ACCEPT: allow the packet. DROP: discard the packet without sending an error to the sender. REJECT: discard the packet and send an error message back to the sender. |
Chain | Ordered set of rules applied to IP packets to determine the target. INPUT: rules for packets destined to the system. OUTPUT: rules for packets originating from the system. FORWARD: rules for packets routed through the system (received on one interface and sent out another). |
Command options
Option | Description |
---|---|
-A (--append) | Append a new rule at the end of the chain |
-D (--delete) | Delete a rule |
-C (--check) | Check whether a rule exists in a chain |
-R (--replace) | Replace a rule with a new one |
-I (--insert) | Insert a new rule at a given position, before the existing rules |
-L (--list) | List the rules in a chain |
-S (--list-rules) | Print the rules in iptables-save format |
-F (--flush) | Delete all rules from a chain |
-Z (--zero) | Reset the packet and byte counters of all chains to 0 |
-N (--new-chain) | Create a new chain |
-X (--delete-chain) | Delete a chain |
-P (--policy) | Change the default policy of a chain |
-s (--source) | Source IP address |
-d (--destination) | Destination IP address |
--sport (--source-port) | Source port |
--dport (--destination-port) | Destination port |
-j (--jump) | Target to jump to when the rule matches, such as ACCEPT, DROP, REJECT or a user-defined chain |
-p (--protocol) | Protocol to match: tcp, udp, icmp, etc. |
-i (--in-interface) | Interface the packet arrived on; valid in the INPUT and FORWARD chains |
-o (--out-interface) | Interface the packet leaves through; valid in the OUTPUT and FORWARD chains |
-t (--table) | Table to operate on: filter, nat or mangle (default: filter) |
Configure policy
The Bare Metal Server in the KakaoCloud Console ships with IPtables v1.6.1 and SSHGUARD pre-installed. SSHGUARD protects the host against brute-force attacks on ssh, such as repeated login failures within a few seconds. SSHGUARD does not take the place of ordinary IPtables rules; you must configure the rules yourself according to your own policy.
Here is how to set rules in IPtables in the KakaoCloud Bare Metal Server Ubuntu environment.
For details on SSHGUARD, refer to SSHGUARD.
Check IPtables version
You can check the version of IPtables installed.
sudo iptables -V
iptables v1.6.1
View current rule
You can view the rules currently set in IPtables.
sudo iptables -nL --line-numbers --verbose
In the example below, SSHGUARD is installed and no other rules are applied.
Example output of sudo iptables -nL --line-numbers --verbose:
Chain INPUT (policy ACCEPT 451 packets, 44136 bytes)
num pkts bytes target prot opt in out source destination
1 773 77557 sshguard all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 278 packets, 30411 bytes)
num pkts bytes target prot opt in out source destination
Chain sshguard (1 references)
num pkts bytes target prot opt in out source destination
Output all rules
The entire rule set can be printed.
Unlike the rule query command sudo iptables -L, the output is generated in iptables-save format, so it can be reused directly (for example with iptables-restore).
sudo iptables -S -v
Example output of sudo iptables -S -v:
-P INPUT ACCEPT -c 511 50127
-P FORWARD ACCEPT -c 0 0
-P OUTPUT ACCEPT -c 323 36247
-N sshguard
-A INPUT -c 833 83548 -j sshguard
Create rule
You can create a new rule.
When setting policies in iptables, make sure you do not accidentally block the IP addresses and ports used for user access and for your services. Be particularly careful with outgoing packets: if you allow only specific ports, all other ports are blocked. Problems caused by the user's own changes to iptables cannot be resolved by the service provider and must be fixed by the user by reinstalling the instance image.
sudo iptables -A
#case1. Create a rule that allows all incoming packets on the loopback interface.
sudo iptables -A INPUT -i lo -j ACCEPT
#case2. Create a rule that allows external access to TCP port 22 on all destinations.
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#case3. Create a rule that allows external access to TCP port 80 on all destinations.
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
#case4. Create a rule that allows external access to TCP port 443 on all destinations.
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
#case5. Create a rule that allows access from all external sources to TCP port 22 of the internal destination server 000.000.00.00 (placeholder address).
sudo iptables -A INPUT -d 000.000.00.00 -p tcp --dport 22 -j ACCEPT
Delete rule
You can delete rules that are no longer in use.
sudo iptables -D
#case1. Delete rule number 4 of the INPUT chain.
sudo iptables -D INPUT 4
#case2. Delete the rule that blocks (REJECTs) access to TCP port 22.
sudo iptables -D INPUT -p tcp -m tcp --dport 22 -j REJECT
#case3. Delete the rule that allows access to TCP port 443 on all internal servers.
sudo iptables -D INPUT -p tcp --dport 443 -j ACCEPT
Save rule settings
Because all iptables rules are lost when the system restarts, save the changed rules to a separate /etc/iptables.rules file. On its own, sudo iptables-save only prints the rules, so redirect its output into the file:
sudo iptables-save | sudo tee /etc/iptables.rules > /dev/null
sudo cat /etc/iptables.rules
# sudo cat /etc/iptables.rules command execution result
*filter
:INPUT ACCEPT [1438:151829]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [845:93350]
:sshguard - [0:0]
-A INPUT -j sshguard
COMMIT
Saving the file does not reload it automatically after a reboot; restore it with sudo iptables-restore < /etc/iptables.rules, or arrange for that command to run at startup.
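The warning in the Create rule section (a ruleset that blocks your own access cannot be undone by the provider) and the file format in the Save rule settings section fit together in a pre-flight check. The script below is an added example, not KakaoCloud's own tooling: it builds a ruleset in the same iptables-restore format as /etc/iptables.rules from the page's cases 1 to 4, and refuses it when the INPUT policy is DROP but SSH or loopback traffic is not explicitly accepted. The ESTABLISHED,RELATED conntrack rule is an addition beyond the page's cases; without it a DROP policy also discards reply traffic to the instance's own outbound connections. The script works on text only and does not touch the live firewall.

```shell
#!/bin/sh
# Added example (not from the KakaoCloud documentation): generate an iptables-restore
# style ruleset and check it for the SSH lockout hazard before applying it.

# Emit a ruleset in the format of /etc/iptables.rules.
#   $1        INPUT chain policy (ACCEPT or DROP)
#   $2...     TCP ports to accept on INPUT (the page's cases 2 to 4 use 22 80 443)
build_ruleset() {
    policy="$1"
    shift
    printf '*filter\n'
    printf ':INPUT %s [0:0]\n' "$policy"
    printf ':FORWARD ACCEPT [0:0]\n'
    printf ':OUTPUT ACCEPT [0:0]\n'
    printf -- '-A INPUT -i lo -j ACCEPT\n'                            # page case 1
    # Added beyond the page: keep replies to our own outbound connections flowing.
    printf -- '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    for port in "$@"; do
        printf -- '-A INPUT -p tcp --dport %s -j ACCEPT\n' "$port"
    done
    printf 'COMMIT\n'
}

# Read a ruleset on stdin; return 0 when it is safe to apply over an SSH session,
# 1 when it would cut off remote access. $1 is the SSH port (default 22).
# The check is conservative: an explicit DROP/REJECT of the SSH port, or a DROP
# policy without both a loopback ACCEPT and an SSH ACCEPT, counts as a lockout.
check_lockout_risk() {
    ssh_port="${1:-22}"
    rules=$(cat)
    policy=$(printf '%s\n' "$rules" | awk '$1 == ":INPUT" { print $2 }')
    lo_ok=$(printf '%s\n' "$rules" | grep -c -- '^-A INPUT -i lo -j ACCEPT' || true)
    ssh_ok=$(printf '%s\n' "$rules" | grep -c -- "^-A INPUT .*--dport $ssh_port .*-j ACCEPT" || true)
    ssh_blocked=$(printf '%s\n' "$rules" | grep -cE -- "^-A INPUT .*--dport $ssh_port .*-j (DROP|REJECT)" || true)

    if [ "$ssh_blocked" -gt 0 ]; then
        return 1
    fi
    if [ "$policy" = "ACCEPT" ]; then
        return 0
    fi
    if [ "$lo_ok" -gt 0 ] && [ "$ssh_ok" -gt 0 ]; then
        return 0
    fi
    return 1
}

# Demo: the same web ports under an ACCEPT and under a DROP policy.
demo() {
    for policy in ACCEPT DROP; do
        if build_ruleset "$policy" 80 443 | check_lockout_risk; then
            echo "INPUT policy $policy, ports 80 443: safe to apply"
        else
            echo "INPUT policy $policy, ports 80 443: would lock out SSH, refusing"
        fi
    done
}
demo
```

Once the check passes, the generated text can be written to /etc/iptables.rules and loaded with sudo iptables-restore < /etc/iptables.rules; because the loaded ruleset replaces the running one, compare it with sudo iptables -S first so the pre-installed sshguard chain is not dropped by accident.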
IPtables command examples
Command | Option | Chain | Source IP | Destination IP | Protocol | Port | Jump | Target |
---|---|---|---|---|---|---|---|---|
iptables | -A | INPUT | -s | -d | -p | --dport | -j | ACCEPT |
iptables | -D | OUTPUT | -s | -d | -p | --dport | -j | DROP |
iptables | -I | FORWARD | -s | -d | -p | --dport | -j | REJECT |