Cloudron overrides iptables-persistent

Reply to Cloudron overrides iptables-persistent on Mon, 18 Apr 2022 10:51:18 GMT

nebulon — Mon, 18 Apr 2022 10:51:18 GMT

@niko was there any error restarting cloudron-firewall service or such? This should still work as expected, so maybe you hit a bug somewhere?

Also could you share your ports.json config here so we can try to reproduce this? If you don't want to expose your port settings here, you can also send them to support@cloudron.io

Reply to Cloudron overrides iptables-persistent on Sun, 17 Apr 2022 20:42:07 GMT

niko — Sun, 17 Apr 2022 20:42:07 GMT

@girish
i have followed this guide but it didn't work for me so i had to manually add ports to iptables in the end.

i used to to this editing the ports.json file before and it worked as expected.

Reply to Cloudron overrides iptables-persistent on Sat, 17 Oct 2020 12:17:51 GMT

necrevistonnezr — Sat, 17 Oct 2020 12:17:51 GMT

@girish Great, everything worked as expected.

Reply to Cloudron overrides iptables-persistent on Fri, 16 Oct 2020 18:40:44 GMT

girish — Fri, 16 Oct 2020 18:40:44 GMT

@necrevistonnezr yes

Reply to Cloudron overrides iptables-persistent on Fri, 16 Oct 2020 18:33:39 GMT

necrevistonnezr — Fri, 16 Oct 2020 18:33:39 GMT

So can we delete /etc/iptables/rules.v4 and /etc/iptables/rules.v6?

Reply to Cloudron overrides iptables-persistent on Fri, 16 Oct 2020 16:59:09 GMT

girish — Fri, 16 Oct 2020 16:59:09 GMT

It's better to use Cloudron's built-in IP block list and port white list. I think maybe iptables persistent probably still works OK but we don't really test it actively.

Reply to Cloudron overrides iptables-persistent on Fri, 16 Oct 2020 10:11:31 GMT

necrevistonnezr — Fri, 16 Oct 2020 10:11:31 GMT

Now that we can whitelist ports (even though it might not work as expected?), does it interfere with iptables-persistent? Should one remove the package and / or entries in /etc/iptables/rules.v4 or /etc/iptables/rules.v6?

Reply to Cloudron overrides iptables-persistent on Sat, 25 May 2019 00:16:57 GMT

girish — Sat, 25 May 2019 00:16:57 GMT

@stoccafisso https://cloudron.io/documentation/security/#block-ips has the necessary commands to make iptable changes persist.

Reply to Cloudron overrides iptables-persistent on Thu, 23 May 2019 20:51:39 GMT

stoccafisso — Thu, 23 May 2019 20:51:39 GMT

@nebulon said in Cloudron overrides iptables-persistent:

iptables-save >/etc/iptables/rules.v4

Thanks @nebulon , that may be the problem, as I initially only ran the command

iptables-save

instead of

iptables-save >/etc/iptables/rules.v4

(I followed this guide: https://linuxconfig.org/how-to-make-iptables-rules-persistent-after-reboot-on-linux)

Now the iptables rules (inkl custom rules) persist after reboot, but then again...cloudron has had no reason to do changes.

So I provoked it by installing another app (wordpress-app). A few seconds after installation it said wordpress was running, but I could not access it. A few seconds later I could. So it seems it is working. (Maybe I should have tried another app, with other ports)

@necrevistonnezr maybe you could also benefit from looking at iptables-persistent? https://linuxconfig.org/how-to-make-iptables-rules-persistent-after-reboot-on-linux

Reply to Cloudron overrides iptables-persistent on Thu, 23 May 2019 20:09:46 GMT

nebulon — Thu, 23 May 2019 20:09:46 GMT

You might have forgotten to dump the changed iptables configuration with:

iptables-save >/etc/iptables/rules.v4

Reply to Cloudron overrides iptables-persistent on Thu, 23 May 2019 16:15:22 GMT

necrevistonnezr — Thu, 23 May 2019 16:15:22 GMT

@stoccafisso
I run Plex on the same server as Cloudron (there's no official Plex app yet for Cloudron, although it's planned.)
I set up a script via cron that opens the necessary ports every XX minutes.

iptables -I INPUT -p tcp -m tcp --dport 32400 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 32469 -j ACCEPT

Reply to Cloudron overrides iptables-persistent on Thu, 23 May 2019 15:11:01 GMT

stoccafisso — Thu, 23 May 2019 15:11:01 GMT

I came to think about something like this:

Run a script that monitors when cloudron is finished loading, and finished configuring iptables (after each restart/bootup)
Then, when cloudron is complete restarted, script insert the needed custom iptables entries, and then run iptables-persistent.

There are probably much better ways to do it, but at least I am trying to think out a possible solution. But how to code that script and get it to do the stuff I want? Anyone able to help?

Reply to Cloudron overrides iptables-persistent on Thu, 23 May 2019 13:52:57 GMT

murgero — Thu, 23 May 2019 13:52:57 GMT

@stoccafisso Cloudron manages iptables on it's own. I am not sure of a proper way around this other than forking the app you use for media and modifying the CloudronManifest.json file to include the ports you need.

Though that's not really recommended. @nebulon might have some answers though!