Manage network

Associate public IP

If you're associating an public IP address with your instance to enable communication with the internet, please note that your instance is in a public subnet.

Permissions

Only Project Admin can associate or disassociate public IPs.

Go to KakaoCloud Console > Beyond Compute Service > Bare Metal Server.
In the Instance menu, select the [More] icon > Associate public IP of the instance.
In the pop-up window, review the details and select a public IP. Then, click the [OK] button.

Associate public IP

Disassociate public IP

You can disassociate the associated public IP from specific instance.

Permissions

Only Project Admin can associate or disassociate public IPs.

caution

If you only disassociate the public IP without deleting it, the actual resources will not be released back to the resource pool. Therefore, you'll continue to be charged unless you delete the instance.

Go to KakaoCloud Console > Beyond Compute Service > Bare Metal Server.
In the Instance menu, select the [More] icon > Disassociate public IP of the instance.
Check the information in the pop-up window, and select Disassociate and delete the public IP.
Click the [Disassociate] button.

When using multi-network interface

In Bare Metal Server instances, multiple network interfaces can be configured on a single instance; however, this configuration is not recommended due to potential network routing issues.
Connecting more than two network interfaces from the same subnet to an instance can lead to networking problems, such as asymmetric routing. Therefore, it's advisable to ensure that each network interface is connected to a different subnet.
Here’s how to manage gateways for multi-network interfaces.

info

Make sure to use sudo when running commands that need root user privileges.

Run the command to view the instance's routing settings.

Check instance routing settings
sudo route -n

Examples
sudo route -n

Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 198.168.0.1 0.0.0.0 UG 100 0 0 eth0
0.0.0.0 10.10.0.1 0.0.0.0 UG 100 0 0 eth1
198.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.10.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1

Execute the command to keep the gateway connected to the network interface for external communication and delete the gateways connected to other network interface.
- e.g. Delete the gateway connected to (eth1) rather than the gateway connected to the network interface (eth0) to communicate externally.
Delete gateway connected to eth1
```
sudo route del default gw IP Address Adapter
```
Examples
```
sudo route del default gw 10.10.0.1 dev eth1

 Destination Gateway Genmask Flags Metric Ref Use Iface
 0.0.0.0 198.168.0.1 0.0.0.0 UG 100 0 0 eth0
 198.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
 10.10.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
```

Configure IPtables

IPtables is a firewall feature in Linux that allows system administrators to manage incoming and outgoing traffic via a set of rules. Until security groups are available, you can configure these rules directly in the IPtables of the OS image.

info

For more details of IPtables, refer to the Netfilter IPtables project.

The basic terms and commands of IPtables are as follows.

Terminology	Description
Target	Action executed when IP packet matches rule - ACCEPT: Allow packet - DROP: Block packet, do not send error message to user - REJECT: Block packet, error message to user Send message
Chain	Determine target by applying preset rules to IP packets - INPUT: Policy rule for packets coming into the system - OUTPUT: Policy rule for packets going out of the system - FORWARD: Policy rules for packets going out of the system Policy Rule of Packet sent to System

Full command

Terminology	Description
-A (–append)	Add new rule - added after the current rule
-D (–delete)	Delete rule
-C (–check)	Packet Test
-R (–replace)	Replace with new Rule
-I (–insert)	Insert new rule - added before the current rule
-L (–list)	Rule query
-S (–list-rules)	Rule output
-F (–flush)	Delete all Rules from Chain
-Z (–zero)	Set packet and byte counter values of all chains to 0
-N (–new)	Create a new Chain
-X (–delete-chain)	Delete Chain
-P (–policy)	Change basic policy
-s (source IP)	Source IP
-d (destination IP)	Destination IP
–sport (source port)	Origin port
–dport (destination port)	destination port
j (–jump target)	Specific policy settings
p (protocol)	Use TCP, UDP, ICMP, etc.
i (in-interface)	Used to set the interface through which packets come in from the INPUT, OUTPUT chain
o (out-interface)	Used to specify the network device from which packets go out in the OUTPUT, FORWARD chain
t (tables)	Selectable among filter, nat, and mangle - Default: `filter`

Configure policy

The Bare Metal Server in the KakaoCloud Console comes with IPtables v1.6.1 and SSHGUARD pre-installed. SSHGUARD protects hosts from brute force attacks against ssh, such as multiple login failures within seconds. SSHGUARD does not serve the role of a typical IPtables rule, instead, users must configure rules directly according to the user's policy standards.
Here's how users can set rules in IPtables in the KakaoCloud Bare Metal Server Ubuntu environment.

info

For a details of SSHGUARD, please refer to SSHGUARD.

Check IPtables version

You can check the version of IPtables installed.

Check IPtables version
sudo iptables -V

IPtables version check command example

iptables v1.6.1

View current rule

You can view the rules currently set in IPtables.

Rule query
sudo iptables -nL --line-numbers --verbose

SSHGUARD is installed, and no rules are applied.

Example of rule search command execution results
sudo iptables -nL --line-numbers --verbose Command execution result (example)
Chain INPUT (policy ACCEPT 451 packets, 44136 bytes)
num pkts bytes target prot opt in out source destination
1 773 77557 sshguard all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 278 packets, 30411 bytes)
num pkts bytes target prot opt in out source destination

Chain sshguard (1 references)
num pkts bytes target prot opt in out source destination

Output all rules

The entire rule can be printed. It is different from the IPtables rule query command sudo iptables -L in that the output results are generated using the IPtables-save method and are in a format that can be immediately reused.

Rule output
sudo iptables -S -v

Rule output command example
sudo iptables -S -v command execution result (example)
-P INPUT ACCEPT -c 511 50127
-P FORWARD ACCEPT -c 0 0
-P OUTPUT ACCEPT -c 323 36247
-N sshguard
-A INPUT -c 833 83548 -j sshguard

Create rule

You can create a new rule.

caution

When setting policies in iptables, it's important to ensure that IP ports related to user access and services are not accidentally blocked. Be particularly cautious with outgoing packets; if you only allow specific ports, access to all other ports will be blocked. Problems caused by direct user manipulation of iptables cannot be resolved by the service provider and must be addressed by the user through reinstallation of the instance image.

Create rule
sudo iptables -A

Examples of creating rules
#case1. Create a rule that allows all incoming packets to the localhost interface.
sudo iptables -A INPUT -i lo -j ACCEPT

#case2. Create a rule that allows access to the TCP/22 port of all destinations from the outside.
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

#case3. Create a rule that allows access to the TCP/80 port of all destinations from the outside.
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

#case4. Create a rule that allows access to the tcp/443 port of all destinations from the outside.
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

#case5. Create a rule that allows access from all external origins to tcp/port 22 of the internal 000.000.00.00 destination server.
sudo iptables -A INPUT -d 000.000.00.00 -p tcp --dport 22 -j ACCEPT

Delete rule

You can Delete rules that are no longer in use.

Delete rule
sudo iptables -D

Examples of deleting rules
#case1. Delete rule number 4 of the INPUT chain.
sudo iptables -D INPUT 4

#case2. Delete the tcp 22 Port access blocking rule.
sudo iptables -D INPUT -p tcp -m tcp --dport 22 -j REJECT

#case3. Delete the rule that allows access to tcp/443 port of all internal servers.
sudo iptables -D INPUT -p tcp --dport 443 -j ACCEPT

Save rule settings

Since all iptables rules disappear when the system is restarted, save changed rule settings as a separate etc/iptables.rules file.

Save rule settings

sudo iptables-save

Check stored files etc/iptables.rules
sudo cat /etc/iptables.rules

sudo cat /etc/iptables.rules
# sudo cat /etc/iptables.rules command execution result
filter
:INPUT ACCEPT [1438:151829]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [845:93350]
:sshguard - [0:0]
-A INPUT -j sshguard
COMMIT

IPtables command examples

Basic	Command	Chain	Source IP	Destination IP	Protocol	Port	Matching	Action
IPtables	-A	INPUT	-s	-d	-p	-dport	-j	ACCEPT
IPtables	-D	OUTPUT	-s	-d	-p	-dport	-j	DROP
IPtables	-I	FORWARD	-s	-d	-p	-dport	-j	REJECT

Associate public IP​

Disassociate public IP​

When using multi-network interface​

Configure IPtables​

Full command​

Configure policy​

Check IPtables version​

View current rule​

Output all rules​

Create rule​

Delete rule​

Save rule settings​

IPtables command examples​

Associate public IP

Disassociate public IP

When using multi-network interface

Configure IPtables

Full command

Configure policy

Check IPtables version

View current rule

Output all rules

Create rule

Delete rule

Save rule settings

IPtables command examples