Version: 2.4.15

Opening Ports with firewalld

> We recommend disabling firewalld. For Kubernetes 1.19, firewalld must be turned off.

Some distributions of Linux derived from RHEL, including Oracle Linux, may have default firewall rules that block communication with Helm.

For example, one Oracle Linux image in AWS has REJECT rules that stop Helm from communicating with Tiller:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

You can check the default firewall rules with this command:

sudo iptables --list

This section describes how to use firewalld to apply the firewall port rules for nodes in a high-availability Rancher server cluster.

Prerequisite

Install v7.x or later of firewalld, then start it and enable it at boot:

yum install firewalld
systemctl start firewalld
systemctl enable firewalld

Applying Firewall Port Rules

In the Rancher high-availability installation instructions, the Rancher server is set up on three nodes that have all three Kubernetes roles: etcd, controlplane, and worker. If your Rancher server nodes have all three roles, run the following commands on each node:

firewall-cmd --permanent --add-port=22/tcp
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --permanent --add-port=2376/tcp
firewall-cmd --permanent --add-port=2379/tcp
firewall-cmd --permanent --add-port=2380/tcp
firewall-cmd --permanent --add-port=6443/tcp
firewall-cmd --permanent --add-port=8472/udp
firewall-cmd --permanent --add-port=9099/tcp
firewall-cmd --permanent --add-port=10250/tcp
firewall-cmd --permanent --add-port=10254/tcp
firewall-cmd --permanent --add-port=30000-32767/tcp
firewall-cmd --permanent --add-port=30000-32767/udp

If your Rancher server nodes have separate roles, use the following commands based on the role of the node:

# For etcd nodes, run the following commands:
firewall-cmd --permanent --add-port=2376/tcp
firewall-cmd --permanent --add-port=2379/tcp
firewall-cmd --permanent --add-port=2380/tcp
firewall-cmd --permanent --add-port=8472/udp
firewall-cmd --permanent --add-port=9099/tcp
firewall-cmd --permanent --add-port=10250/tcp

# For control plane nodes, run the following commands:
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --permanent --add-port=2376/tcp
firewall-cmd --permanent --add-port=6443/tcp
firewall-cmd --permanent --add-port=8472/udp
firewall-cmd --permanent --add-port=9099/tcp
firewall-cmd --permanent --add-port=10250/tcp
firewall-cmd --permanent --add-port=10254/tcp
firewall-cmd --permanent --add-port=30000-32767/tcp
firewall-cmd --permanent --add-port=30000-32767/udp

# For worker nodes, run the following commands:
firewall-cmd --permanent --add-port=22/tcp
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --permanent --add-port=2376/tcp
firewall-cmd --permanent --add-port=8472/udp
firewall-cmd --permanent --add-port=9099/tcp
firewall-cmd --permanent --add-port=10250/tcp
firewall-cmd --permanent --add-port=10254/tcp
firewall-cmd --permanent --add-port=30000-32767/tcp
firewall-cmd --permanent --add-port=30000-32767/udp

The --permanent flag only writes the rules to firewalld's saved configuration; they are not active until the daemon reloads. After the firewall-cmd commands have been run on a node, use the following command to activate the firewall rules:

firewall-cmd --reload

Result: The firewall is updated so that Helm can communicate with the Rancher server nodes.
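The per-role lists above are easy to mistype on a node that carries two roles, and the page gives no way to confirm that the reload actually took effect. The script below is an added example, not part of the Rancher documentation or the Rancher project: it derives the port set for a node from a comma-separated list of its roles (taking the union, so an etcd+controlplane node gets both lists), prints the matching firewall-cmd commands (or runs them when DRY_RUN=0), and compares a node's live firewall-cmd --list-ports output against what the roles require. The function names, the DRY_RUN variable and the role-string format are this example's own assumptions; the port numbers are exactly those listed on this page. Keep in mind that --add-port opens a port to every source address in the zone; if you need to limit who can reach, for example, etcd on 2379/tcp to the other cluster nodes, firewalld rich rules or a dedicated zone are the tool, which this example does not cover.

```shell
#!/bin/sh
# Added example (not Rancher's own code): derive, apply and verify the
# firewalld port rules for a Rancher server node from its Kubernetes roles.

# Ports per role, as listed on the page (port/proto, space separated).
ports_for_role() {
  case "$1" in
    etcd)
      echo "2376/tcp 2379/tcp 2380/tcp 8472/udp 9099/tcp 10250/tcp" ;;
    controlplane)
      echo "80/tcp 443/tcp 2376/tcp 6443/tcp 8472/udp 9099/tcp 10250/tcp 10254/tcp 30000-32767/tcp 30000-32767/udp" ;;
    worker)
      echo "22/tcp 80/tcp 443/tcp 2376/tcp 8472/udp 9099/tcp 10250/tcp 10254/tcp 30000-32767/tcp 30000-32767/udp" ;;
    *)
      echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# Union of the port lists for a comma-separated role string, e.g.
# "etcd,controlplane,worker", deduplicated and sorted by port number.
ports_for_roles() {
  # Validate every role first so an unknown role fails the whole call.
  for r in $(printf '%s' "$1" | tr ',' ' '); do
    ports_for_role "$r" >/dev/null || return 1
  done
  for r in $(printf '%s' "$1" | tr ',' ' '); do
    ports_for_role "$r"
  done | tr ' ' '\n' | LC_ALL=C sort -t/ -k1,1n -k2,2 -u | paste -s -d ' ' -
}

# The firewall-cmd invocations for the node, ending with the --reload that
# turns the --permanent entries into live rules.
firewall_cmds_for_roles() {
  ports=$(ports_for_roles "$1") || return 1
  for p in $ports; do
    echo "firewall-cmd --permanent --add-port=$p"
  done
  echo "firewall-cmd --reload"
}

# Compare a live port list (the output of `firewall-cmd --list-ports`,
# passed as $2) with what the roles in $1 require. Returns 1 and names the
# missing entries on stderr if any required port is not open.
check_open_ports() {
  expected=$(ports_for_roles "$1") || return 1
  live=$2
  missing=""
  for p in $expected; do
    case " $live " in
      *" $p "*) ;;
      *) missing="$missing $p" ;;
    esac
  done
  [ -z "$missing" ] && return 0
  echo "missing ports:$missing" >&2
  return 1
}

# Usage (assumed for this example):
#   sh open-ports.sh etcd,controlplane,worker     # print the commands
#   DRY_RUN=0 sh open-ports.sh worker             # run them as root
#   check_open_ports worker "$(firewall-cmd --list-ports)"   # after reload
if [ $# -gt 0 ]; then
  if [ "${DRY_RUN:-1}" = 0 ]; then
    firewall_cmds_for_roles "$1" | sh -e
  else
    firewall_cmds_for_roles "$1"
  fi
fi
```

Run the check on each node after firewall-cmd --reload; a non-zero exit with a "missing ports" line means the permanent configuration was written but not reloaded, or a role's list was skipped on that node.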