
Whitelist APIServer

Overview

By default, APIServer NAT rules live in:

  • Path: /var/lib/frigate/pre-rules

The frigate component applies these rules.

Typically you will see:

  • A FORWARD allow rule (accept traffic to the internal APIServer).
  • NAT rules (PREROUTING DNAT + POSTROUTING SNAT) to publish :6443 from the public IP to the internal APIServer IP.

Default rules (example)

Forward (allow)

-A FORWARD -p tcp -m tcp -d 172.30.70.100 --dport 6443 -j ACCEPT -m comment --comment "uid: nat:81.12.26.33:apiserver:6443"

NAT (publish 6443)

DNAT (public -> internal):

-A PREROUTING -p tcp -m tcp -i ens192 -d 81.12.26.112/32 --dport 6443 -j DNAT --to-destination 172.30.70.100:6443 -m comment --comment "uid: nat:81.12.26.112:apiserver:6443"

SNAT (internal routing helper):

-A POSTROUTING -p tcp -m tcp -o ens160 -s 172.30.70.1/24 -d 172.30.70.1/24 --dport 6443 -j SNAT --to-source 172.30.70.1 -m comment --comment "uid: nat:81.12.26.33:apiserver:6443"

Whitelist specific source IPs

To whitelist specific sources, you must add a DNAT rule that carries a -s (source) match. The -s match is what restricts the rule to the whitelisted source IP/range: traffic from any other source does not match it and is not forwarded to the APIServer.

Add a source-restricted DNAT rule

Example (allow only 80.191.50.128/29 to reach the APIServer via 81.12.26.33:6443):

-A PREROUTING -p tcp -m tcp -i ens192 -s 80.191.50.128/29 -d 81.12.26.33/32 --dport 6443 -j DNAT --to-destination 172.30.70.100:6443 -m comment --comment "uid: nat:81.12.26.33:apiserver:6443"

Remove the “open to all sources” DNAT rule

Delete the DNAT rule that has no -s match; as long as it remains, every source can still reach the APIServer:

-A PREROUTING -p tcp -m tcp -i ens192 -d 81.12.26.112/32 --dport 6443 -j DNAT --to-destination 172.30.70.100:6443 -m comment --comment "uid: nat:81.12.26.112:apiserver:6443"
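As an added check (not part of the frigate documentation or its pre-rules), the POSIX shell script below scans a saved nat rule set for PREROUTING DNAT rules on :6443 that still lack a -s match, which is exactly the "open to all sources" rule the step above removes. The rule set embedded in it is constructed from the rules on this page; on a live host you would feed the function the output of `iptables-save -t nat` instead.

```shell
#!/bin/sh
# Added example, not frigate code: find APIServer DNAT rules that are still
# published to every source (no -s match in the rule).

# Constructed sample: the nat table after the source-restricted rule was added
# but before the open rule (no -s) was removed.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -i ens192 -s 80.191.50.128/29 -d 81.12.26.33/32 --dport 6443 -j DNAT --to-destination 172.30.70.100:6443 -m comment --comment "uid: nat:81.12.26.33:apiserver:6443"
-A PREROUTING -p tcp -m tcp -i ens192 -d 81.12.26.112/32 --dport 6443 -j DNAT --to-destination 172.30.70.100:6443 -m comment --comment "uid: nat:81.12.26.112:apiserver:6443"
-A POSTROUTING -p tcp -m tcp -o ens160 -s 172.30.70.1/24 -d 172.30.70.1/24 --dport 6443 -j SNAT --to-source 172.30.70.1 -m comment --comment "uid: nat:81.12.26.33:apiserver:6443"
COMMIT'

# open_dnat_rules PORT  (rules on stdin)
# Prints each PREROUTING DNAT rule for --dport PORT that has no -s match.
open_dnat_rules() {
    awk -v port="$1" '
        /^-A PREROUTING / && / -j DNAT/ &&
        $0 ~ ("--dport " port "( |$)") && !/ -s / { print }
    '
}

# audit_apiserver_rules RULES PORT
# Returns 0 when every DNAT rule for PORT is source-restricted, 1 otherwise.
audit_apiserver_rules() {
    open=$(printf '%s\n' "$1" | open_dnat_rules "$2")
    if [ -n "$open" ]; then
        printf 'OPEN (no -s match):\n%s\n' "$open"
        return 1
    fi
    printf 'ok: every DNAT rule for :%s has a -s source match\n' "$2"
    return 0
}

# Stand-alone run over the constructed sample; reports the open rule.
audit_apiserver_rules "$SAMPLE_RULES" 6443 || echo "remove the rule(s) listed above"
```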