Manage network

The following describes how to manage networking in the Bare Metal Server service.

Associate public IP

You can associate a public IP to an instance.

Permission note

Only project administrators can connect a public IP.

  1. Go to Compute > Beyond Compute Service > Bare Metal Server in the KakaoCloud console.
  2. In the Instance menu, select [⋮] button > Associate public IP.
  3. In the pop-up window, review the information, select the public IP to assign, and click the [Confirm] button.

Disassociate public IP

You can disconnect a connected public IP.

Permission note

Only project administrators can connect and disconnect a public IP.

caution

If you disconnect only the public IP without deleting it, the actual resource is not released. Therefore, charges continue even if the instance is no longer in use.

  1. Go to Compute > Beyond Compute Service > Bare Metal Server in the KakaoCloud console.
  2. In the Instance menu, select [⋮] button > Disassociate public IP.
  3. In the pop-up window, review the information, then select Automatically delete the public IP after disconnecting it from the instance.
  4. Click the [Disconnect] button.

Use multiple network interfaces

A Bare Metal Server instance supports multiple network interfaces on a single instance, but this configuration is not recommended because it can cause network routing issues.
If two or more network interfaces are connected to the same subnet on an instance, networking issues such as asymmetric routing may occur. Therefore, it is recommended to configure each network interface to connect to a different subnet.

If multiple network interfaces on one instance must all be connected to the same subnet, additional configuration is required: delete the default gateways attached to the other network interfaces so that only the gateway on the network interface intended for external communication remains.
The following describes how to delete the gateways connected to the other network interfaces when using multiple network interfaces.

info

Run commands with sudo using root user privileges.

  1. Run the command to check the instance routing configuration.

    Check instance routing configuration
    sudo route -n

    Example of checking instance routing configuration
    sudo route -n

    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         198.168.0.1     0.0.0.0         UG    100    0        0 eth0
    0.0.0.0         10.10.0.1       0.0.0.0         UG    100    0        0 eth1
    198.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    10.10.0.0       0.0.0.0         255.255.255.0   U     0      0        0 eth1

  2. Run the command to keep the gateway connected to the network interface used for external communication and delete the default gateway connected to the other network interface.

    • Example: delete the gateway connected to eth1, not the gateway connected to the external communication interface (eth0).

      Delete gateway connected to eth1
      sudo route del default gw <gateway IP address> dev <interface>

      Example of deleting gateway connected to eth1
      sudo route del default gw 10.10.0.1 dev eth1

      Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
      0.0.0.0         198.168.0.1     0.0.0.0         UG    100    0        0 eth0
      198.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
      10.10.0.0       0.0.0.0         255.255.255.0   U     0      0        0 eth1
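The check in steps 1 and 2 can be scripted so that every extra default route is identified before anything is deleted. The following is an added example and is not part of the KakaoCloud documentation; it assumes the column layout of the route -n output shown above and uses the page's sample table as constructed input.

```shell
#!/bin/sh
# Added example (not from the KakaoCloud docs): find default gateways on
# interfaces other than the one meant for external traffic and print the
# "route del" commands that would remove them. Nothing on the host changes
# unless the printed commands are run explicitly.

# Constructed sample of `sudo route -n` output, mirroring the table above.
SAMPLE_ROUTES='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         198.168.0.1     0.0.0.0         UG    100    0        0 eth0
0.0.0.0         10.10.0.1       0.0.0.0         UG    100    0        0 eth1
198.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.10.0.0       0.0.0.0         255.255.255.0   U     0      0        0 eth1'

# extra_default_gateways PRIMARY_IFACE < route_table
# Prints "sudo route del default gw GW dev IFACE" for every default route
# (destination 0.0.0.0 with the G flag) whose interface is not PRIMARY_IFACE.
extra_default_gateways() {
    awk -v primary="$1" '
        NR == 1 { next }                       # skip the header line
        $1 == "0.0.0.0" && $4 ~ /G/ && $8 != primary {
            printf "sudo route del default gw %s dev %s\n", $2, $8
        }'
}

# count_default_routes < route_table : number of default routes present.
# More than one on an instance is the asymmetric-routing condition above.
count_default_routes() {
    awk 'NR > 1 && $1 == "0.0.0.0" && $4 ~ /G/ { n++ } END { print n + 0 }'
}

# Dry run against the constructed sample. On a live host use:
#   sudo route -n | extra_default_gateways eth0
printf '%s\n' "$SAMPLE_ROUTES" | extra_default_gateways eth0
```

Review the printed commands before running them; each one removes a default route, so the interface named as primary must be the one that actually carries external traffic.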

Configure iptables

iptables is the Linux command-line tool that system administrators use to configure the kernel's packet-filtering (Netfilter) rules for a host firewall. Until security groups are provided for the Bare Metal Server service, users can configure filtering policies directly in the operating system image with iptables.

info

For more information about iptables, see iptables on the Netfilter official site.

Understand basic terminology and commands

Understand basic terminology

The basic terminology and commands for iptables are as follows.

Term     Description
Target   Action performed when an IP packet matches a rule
         - ACCEPT: Allow packet
         - DROP: Block packet without sending an error message to the user
         - REJECT: Block packet and send an error message to the user
Chain    Determine target by applying predefined rules to IP packets
         - INPUT: Rules for packets coming into the system
         - OUTPUT: Rules for packets going out from the system
         - FORWARD: Rules for packets sent from the system to another system

Command

Term                           Description
-A (--append)                  Add a new rule
                               - Added after the current rules
-D (--delete)                  Delete a rule
-C (--check)                   Test a packet
-R (--replace)                 Replace with a new rule
-I (--insert)                  Insert a new rule
                               - Added before the current rules
-L (--list)                    View rules
-S (--list-rules)              Print rules
-F (--flush)                   Delete all rules from a chain
-Z (--zero)                    Set the packet and byte counters of all chains to 0
-N (--new-chain)               Create a new chain
-X (--delete-chain)            Delete a chain
-P (--policy)                  Change the default policy
-s (--source)                  Source IP
-d (--destination)             Destination IP
--sport (--source-port)        Source port
--dport (--destination-port)   Destination port
-j (--jump target)             Set a specific policy (target)
-p (--protocol)                Use TCP, UDP, ICMP, and so on
-i (--in-interface)            Used to set the interface where packets enter in the INPUT and OUTPUT chains
-o (--out-interface)           Used to specify the network device where packets leave in the OUTPUT and FORWARD chains
-t (--table)                   One of filter, nat, or mangle can be selected
                               - Default: filter

Configure policy

The Bare Metal Server service in the KakaoCloud console includes iptables v1.6.1 and SSHGUARD installed by default. SSHGUARD protects the host from brute-force attacks against SSH, such as repeated login failures within a few seconds. SSHGUARD does not serve the same role as general iptables rules, so you must configure rules directly according to your own policy criteria.
The following describes how users can configure iptables rules in the KakaoCloud Bare Metal Server Ubuntu environment.

info

For more information about SSHGUARD, see the SSHGUARD official site.

Check iptables version

You can check the installed iptables version.

Check iptables version
sudo iptables -V

Example output of the iptables version check
iptables v1.6.1

View current rule

You can view the rules currently configured in iptables.

View current rule
sudo iptables -nL --line-numbers --verbose

SSHGUARD is installed, and no rules are applied.

Example output of view current rule command
sudo iptables -nL --line-numbers --verbose

Chain INPUT (policy ACCEPT 451 packets, 44136 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      773 77557 sshguard   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 278 packets, 30411 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain sshguard (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Output all rules

You can print all rules. Unlike the iptables rule view command sudo iptables -L, the output is generated in iptables-save format, so it can be reused directly.

Output all rules
sudo iptables -S -v

Example output of the output all rules command
sudo iptables -S -v

-P INPUT ACCEPT -c 511 50127
-P FORWARD ACCEPT -c 0 0
-P OUTPUT ACCEPT -c 323 36247
-N sshguard
-A INPUT -c 833 83548 -j sshguard

Create rule

You can create a new rule.

caution
  • When configuring policies in iptables, be careful not to block IP ports related to user access and services. In particular, for outbound packets, if only specific ports are allowed, access to all other ports becomes unavailable, so use caution.
  • Problems caused by users directly controlling iptables cannot be resolved by the service provider (Kakao Enterprise). Users must resolve them by reinstalling the image and initializing the instance themselves. Image reinstallation can be performed through the Rebuild feature in the [⋮] button menu.
Create rule
sudo iptables -A <chain> [match options] -j <target>

Examples of create rule command

#case1. Create a rule that allows all packets entering through the localhost interface.
sudo iptables -A INPUT -i lo -j ACCEPT

#case2. Create a rule that allows access from outside to tcp/22 port on all destinations.
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

#case3. Create a rule that allows access from outside to tcp/80 port on all destinations.
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

#case4. Create a rule that allows access from outside to tcp/443 port on all destinations.
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

#case5. Create a rule that allows access from all external sources to tcp/22 port on the internal destination server 000.000.00.00.
sudo iptables -A INPUT -d 000.000.00.00 -p tcp --dport 22 -j ACCEPT

Delete rule

You can delete a rule that is no longer needed.

Delete rule
sudo iptables -D <chain> <rule number | rule specification>
Examples of delete rule command
#case1. Delete rule number 4 in the INPUT chain.
sudo iptables -D INPUT 4

#case2. Delete the rule that blocks tcp 22 port access.
sudo iptables -D INPUT -p tcp -m tcp --dport 22 -j REJECT

#case3. Delete the rule that allows access to tcp/443 port on all internal servers.
sudo iptables -D INPUT -p tcp --dport 443 -j ACCEPT

Save rule settings

Because all iptables rules are lost when the system restarts, save the changed rule settings to a separate file, /etc/iptables.rules, so they can be restored later.

Save rule settings
sudo sh -c 'iptables-save > /etc/iptables.rules'

Check saved file /etc/iptables.rules
sudo cat /etc/iptables.rules

# Result of running sudo cat /etc/iptables.rules
*filter
:INPUT ACCEPT [1438:151829]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [845:93350]
:sshguard - [0:0]
-A INPUT -j sshguard
COMMIT
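The create-rule cases above and the save step can be combined into one ruleset in iptables-save format that is loaded atomically with iptables-restore instead of appending rules one at a time. The following is an added example and is not from the KakaoCloud documentation; it assumes the sshguard chain shown in the page's output exists and that tcp/22 is the SSH port.

```shell
#!/bin/sh
# Added example, not from the KakaoCloud docs: build the page's "create rule"
# cases (loopback, tcp/22, tcp/80, tcp/443) as one iptables-restore ruleset so
# the whole set is applied atomically and can be saved to /etc/iptables.rules.
# Assumption: the sshguard chain exists as shown in the page's output above.

# build_ruleset "22 80 443": print an iptables-save format ruleset on stdout.
# INPUT defaults to DROP; loopback, replies to established connections and
# the listed tcp ports are accepted. The sshguard hook stays first in INPUT
# (iptables-restore flushes the table, so sshguard repopulates its own chain).
# Returns 1 without printing anything if port 22 is missing, because a
# default-DROP INPUT policy without an SSH rule locks out remote access.
build_ruleset() {
    ports="$1"
    case " $ports " in
        *" 22 "*) ;;
        *) echo "refusing: tcp/22 is not in the allowed ports" >&2; return 1 ;;
    esac
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':sshguard - [0:0]'
    echo '-A INPUT -j sshguard'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in $ports; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# apply_ruleset "22 80 443": parse-check with --test, then load and persist.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    build_ruleset "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    if sudo iptables-restore --test "$tmp"; then
        sudo iptables-restore "$tmp" && sudo cp "$tmp" /etc/iptables.rules
    else
        echo "ruleset rejected by iptables-restore --test" >&2
        rm -f "$tmp"; return 1
    fi
    rm -f "$tmp"
}

# Dry run: show the ruleset that apply_ruleset "22 80 443" would load.
build_ruleset "22 80 443"
```

After a reboot the saved file can be reloaded with sudo iptables-restore < /etc/iptables.rules.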
Explain each item in iptables command examples

Basic     Command  Chain    Source IP  Destination IP  Protocol  Port     Match  Action
iptables  -A       INPUT    -s         -d              -p        --dport  -j     ACCEPT
iptables  -D       OUTPUT   -s         -d              -p        --dport  -j     DROP
iptables  -I       FORWARD  -s         -d              -p        --dport  -j     REJECT