Networking - Whitelist ports does not work as expected
- 
Referring Question: Zabbix Agent on Cloudron
Docs: Networking - Whitelist ports

TL;DR

Create/Edit file /home/yellowtent/boxdata/firewall-config.json and add your ports:

```
{ "allowed_tcp_ports": [ 10050 ] }
```

Restart the firewall to apply the configuration: systemctl restart cloudron-firewall

Expected outcome: The port 10050 should now be allowed inbound for TCP.
Real outcome: No entry in iptables about port 10050.

Trackback

Checking my work. Cloudron Version v5.6.3

```
$ cat /home/yellowtent/boxdata/firewall-config.json
{ "allowed_tcp_ports": [ 10050 ] }

# restart the firewall
systemctl restart cloudron-firewall

# view iptables for port 10050
$ iptables -L -n | grep -i 10050

# tcpdump shows only inbound traffic
$ tcpdump -i any -n tcp port 10050
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
09:03:27.641147 IP X.X.X.X > X.X.X.X: Flags [S], seq 3765228499, win 64240, options [mss 1460,sackOK,TS val 2196509506 ecr 0,nop,wscale 9], length 0
09:03:28.647277 IP X.X.X.X > X.X.X.X: Flags [S], seq 3765228499, win 64240, options [mss 1460,sackOK,TS val 2196510512 ecr 0,nop,wscale 9], length 0

# nc from my client to cloudron after waiting 30 sec
$ nc -vt my.domain.tld 10050
^CExiting.

# to be sure, let's try the zabbix server himself
$ nc -vt monitoring.domain.tld 10050
monitoring.domain.tld [X.X.X.X] 10050 (zabbix-agent) open
```

Hotfix

```
# Check CLOUDRON table first
$ iptables -L CLOUDRON
Chain CLOUDRON (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             match-set cloudron_blocklist src
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports ssh,smtp,http,at-nbp,https
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 3478,5349
ACCEPT     udp  --  anywhere             anywhere             multiport dports 3478,5349
ACCEPT     udp  --  anywhere             anywhere             multiport dports 50000:51000
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
ACCEPT     all  --  172.18.0.0/16        anywhere
ACCEPT     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             limit: avg 2/min burst 5 LOG level debug prefix "IPTables Packet Dropped: "
```

Add the port on position two:

```
$ iptables -I CLOUDRON 2 -p tcp -m tcp --dport 10050 -j ACCEPT

# nc again from my localhost
nc -vt my.domain.tld 10050
my.domain.tld [X.X.X.X] 10050 (zabbix-agent) open
```
- 
@BrutalBirdie Whoops, the filename is wrong. The correct filename is /home/yellowtent/boxdata/firewall/ports.json.

```
# cat /home/yellowtent/boxdata/firewall/ports.json
{ "allowed_tcp_ports": [ 10050 ] }
# systemctl restart cloudron-firewall
# iptables -L -n | grep -i 10050
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp multiport dports 10050
```
- 
> @girish said in Networking - Whitelist ports does not work as expected:
>
> @BrutalBirdie Whoops, the filename is wrong. The correct filename is /home/yellowtent/boxdata/firewall/ports.json.
>
> ```
> # cat /home/yellowtent/boxdata/firewall/ports.json
> { "allowed_tcp_ports": [ 10050 ] }
> # systemctl restart cloudron-firewall
> # iptables -L -n | grep -i 10050
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp multiport dports 10050
> ```

Now it's working as intended.

I will create a PR for the docs.

edit:
https://git.cloudron.io/cloudron/docs/-/commit/fd7c5d31f5fbd02e65589e06d5f9ee50322269eb
It has been done already; because it's not live yet, I thought I could do that. Thanks
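The thread above shows the failure mode in practice: a config file at the wrong path is silently ignored, and the gap only surfaces when tcpdump shows SYNs that are never answered. As an added example (not code from any post here or from Cloudron), this Python check reads ports.json and the CLOUDRON chain as printed by `iptables -S CLOUDRON` and reports every entry of allowed_tcp_ports that has no ACCEPT rule; the sample config and rules below are constructed for the demonstration, and `-S` output format is assumed from standard iptables.

```python
"""Verify that every port in Cloudron's ports.json has an ACCEPT rule in
the CLOUDRON chain (added example, not Cloudron's own code)."""
import json
import re
import subprocess

PORTS_JSON = "/home/yellowtent/boxdata/firewall/ports.json"  # path from this thread

# Matches '--dport 10050', '--dports 3478,5349' or '--dports 50000:51000'
_DPORT_RE = re.compile(r"--dports?\s+(\S+)")


def accepted_tcp_ports(rules: str) -> set[int]:
    """Parse `iptables -S CLOUDRON` output and return every TCP
    destination port (ranges expanded) that an ACCEPT rule covers."""
    ports: set[int] = set()
    for line in rules.splitlines():
        if "-p tcp" not in line or "-j ACCEPT" not in line:
            continue
        match = _DPORT_RE.search(line)
        if not match:
            continue  # e.g. a bare '-p tcp -j ACCEPT' without a port match
        for item in match.group(1).split(","):
            low, _, high = item.partition(":")
            ports.update(range(int(low), int(high or low) + 1))
    return ports


def missing_ports(config_text: str, rules: str) -> list[int]:
    """Ports from allowed_tcp_ports that no ACCEPT rule covers, sorted."""
    wanted = json.loads(config_text).get("allowed_tcp_ports", [])
    if not all(isinstance(p, int) and 0 < p < 65536 for p in wanted):
        raise ValueError("allowed_tcp_ports must be a JSON array of port numbers")
    return sorted(set(wanted) - accepted_tcp_ports(rules))


def live_check(path: str = PORTS_JSON) -> list[int]:
    """On a Cloudron host: compare the real chain with the real config."""
    result = subprocess.run(["iptables", "-S", "CLOUDRON"], check=True,
                            capture_output=True, text=True)
    with open(path) as fh:
        return missing_ports(fh.read(), result.stdout)


# Constructed sample: the chain from the thread, with 8787 requested but never applied.
SAMPLE_CONFIG = '{ "allowed_tcp_ports": [ 10050, 8787 ] }'
SAMPLE_RULES = """\
-A CLOUDRON -m set --match-set cloudron_blocklist src -j DROP
-A CLOUDRON -m state --state RELATED,ESTABLISHED -j ACCEPT
-A CLOUDRON -p tcp -m multiport --dports 22,25,80,443 -j ACCEPT
-A CLOUDRON -p udp -m multiport --dports 50000:51000 -j ACCEPT
-A CLOUDRON -p tcp -m multiport --dports 10050 -j ACCEPT
"""
```

`missing_ports(SAMPLE_CONFIG, SAMPLE_RULES)` returns `[8787]`; on the host, `live_check()` performs the same comparison against the running chain after `systemctl restart cloudron-firewall`.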
- 
@girish What would the syntax be to open several ports? I'd need RStudio Server (8787) and GeoServer (8080). Is it comma separated, semicolon separated or a line per port? Thanks a lot for the support!
- 
I would also enjoy UDP being supported this way.
Since I can still just do it manually via iptables, why not give the user an easier way.