Configuring the Host Firewall

By default, the Container-Optimized OS host firewall allows only outgoing connections, and accepts incoming connections only through the SSH service. To accept incoming connections on a Container-Optimized OS instance, you must open the ports your services are listening on.

For example, to accept connections from other instances within the same Compute Engine project, run the following commands on both your development workstation and your Container-Optimized OS instance:

# On your workstation:
SUBNETWORK_URI=$(gcloud compute instances describe ${COS_INSTANCE_NAME} | grep -w 'subnetwork:' | awk '{ print $2 }')
SUBNET_PREFIX=$(gcloud compute networks subnets describe ${SUBNETWORK_URI} | grep -w 'ipCidrRange:' | awk '{ print $2 }')

# On your Container-Optimized OS instance:
sudo iptables -w -A INPUT -p tcp -s ${SUBNET_PREFIX} -j ACCEPT
sudo iptables -w -A INPUT -p udp -s ${SUBNET_PREFIX} -j ACCEPT

As another example, if you need to accept HTTP (port 80) connections from any source IP address, run the following commands on your Container-Optimized OS instance:

# On your Container-Optimized OS instance:
sudo iptables -w -A INPUT -p tcp --dport 80 -j ACCEPT

In general, we recommend configuring the host firewall as a systemd service through cloud-init, so that the rules are applied automatically on every boot rather than added by hand after each restart.
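The cloud-init configuration below is an added illustration of that pattern, not an example taken from the Container-Optimized OS documentation. It writes a oneshot systemd unit that opens port 80 and accepts traffic from a subnet, then reloads and starts the unit. The unit name config-firewall.service, its path under /etc/systemd/system, and the subnet range 10.128.0.0/20 are assumed or constructed values; substitute your own subnet prefix. Each rule is first checked with iptables -C so that restarting the service does not append duplicate rules.

```yaml
#cloud-config
# Added example: cloud-init user-data that configures the host firewall
# as a systemd service so the rules survive a reboot.

write_files:
# Assumed unit name and path; any name ending in .service works.
- path: /etc/systemd/system/config-firewall.service
  permissions: 0644
  owner: root
  content: |
    [Unit]
    Description=Configures the host firewall

    [Service]
    Type=oneshot
    RemainAfterExit=true
    # Allow HTTP from any source. "-C" checks whether the rule already
    # exists; "-A" appends it only if the check fails, so the unit is
    # safe to restart. "-w" waits for the xtables lock.
    ExecStart=/bin/sh -c 'iptables -w -C INPUT -p tcp --dport 80 -j ACCEPT || iptables -w -A INPUT -p tcp --dport 80 -j ACCEPT'
    # Allow TCP and UDP from instances in the subnet.
    # 10.128.0.0/20 is a constructed sample value; use your SUBNET_PREFIX.
    ExecStart=/bin/sh -c 'iptables -w -C INPUT -p tcp -s 10.128.0.0/20 -j ACCEPT || iptables -w -A INPUT -p tcp -s 10.128.0.0/20 -j ACCEPT'
    ExecStart=/bin/sh -c 'iptables -w -C INPUT -p udp -s 10.128.0.0/20 -j ACCEPT || iptables -w -A INPUT -p udp -s 10.128.0.0/20 -j ACCEPT'

    [Install]
    WantedBy=multi-user.target

runcmd:
# Pick up the new unit file and apply the rules on this boot; cloud-init
# runs again on later boots and starts the unit the same way.
- systemctl daemon-reload
- systemctl start config-firewall.service
```

Supply the file as the instance's user-data metadata, for example with `gcloud compute instances create ... --metadata-from-file user-data=cloud-init.yaml`. After the instance boots, `sudo iptables -w -S INPUT` on the instance lists the rules that were applied, and `sudo systemctl status config-firewall.service` shows whether the unit ran cleanly.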
