SOLVED Cloudron overrides iptables-persistent
-
Hi all
I need to have a few extra ports open on my home theater computer, which has Cloudron installed as the "brain" for web apps (Nextcloud).
(So far I could not detect any conflict between Cloudron and the other extra server apps that are in need of these extra open ports (VirtualBox and its VMs).)
I have added these extra ports in iptables and saved the configuration with iptables-persistent.
But when the server/Cloudron is restarted, Cloudron overrides my iptables-persistent settings and cleans out my extra iptables rules.
How can I get Cloudron to respect my extra iptables rules and not wipe them on every reboot/restart?
-
@stoccafisso Cloudron manages iptables on its own. I am not sure of a proper way around this other than forking the app you use for media and modifying the CloudronManifest.json file to include the ports you need.
Though that's not really recommended. @nebulon might have some answers though!
-
I came to think about something like this:
- Run a script that monitors when Cloudron has finished loading and finished configuring iptables (after each restart/bootup).
- Then, when Cloudron is completely restarted, the script inserts the needed custom iptables entries and then runs iptables-persistent.
There are probably much better ways to do it, but at least I am trying to think out a possible solution. But how do I code that script and get it to do the stuff I want? Anyone able to help?
-
@stoccafisso
I run Plex on the same server as Cloudron (there's no official Plex app yet for Cloudron, although it's planned).
I set up a script via cron that opens the necessary ports every XX minutes:
iptables -I INPUT -p tcp -m tcp --dport 32400 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 32469 -j ACCEPT
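A cron-driven version of that idea, as an added example (not the poster's own script): it uses `iptables -C` so the two rules are not inserted again on every run, and it only rewrites the iptables-persistent file when something actually changed. Assumed: the two Plex ports from this post, the /etc/iptables/rules.v4 path used later in this thread, and the hypothetical script name cloudron-ports.sh.

```shell
#!/bin/sh
# Added example (not from the thread): re-add custom INPUT rules after
# Cloudron has rewritten the firewall, without duplicating them on every run.
# Assumed: the Plex ports from the post above, the iptables-persistent rules
# file, and a root cron entry such as:
#   */5 * * * * /usr/local/bin/cloudron-ports.sh apply
IPT="${IPT:-iptables}"                       # overridable for testing
IPT_SAVE="${IPT_SAVE:-iptables-save}"
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"
CUSTOM_PORTS="${CUSTOM_PORTS:-32400 32469}"  # assumed: the Plex ports

# rule_spec PORT: the rule arguments without the -C/-I verb, so the exact
# same specification is used to check for the rule and to insert it.
rule_spec() {
  printf 'INPUT -p tcp -m tcp --dport %s -j ACCEPT' "$1"
}

# ensure_rule PORT: insert the rule only if `iptables -C` says it is missing.
# -I puts it at the top of INPUT, ahead of whatever Cloudron installed.
# Returns 0 when a rule was inserted, 1 when it was already present.
ensure_rule() {
  spec=$(rule_spec "$1")
  if $IPT -C $spec 2>/dev/null; then
    return 1
  fi
  $IPT -I $spec
}

# ensure_all: walk CUSTOM_PORTS, insert what is missing, and dump the live
# ruleset to RULES_FILE only when something changed (the save step the
# original poster had skipped). Prints the number of rules inserted.
ensure_all() {
  added=0
  for port in $CUSTOM_PORTS; do
    if ensure_rule "$port"; then
      added=$((added + 1))
    fi
  done
  if [ "$added" -gt 0 ]; then
    "$IPT_SAVE" > "$RULES_FILE"
  fi
  echo "$added"
}

# Only act when invoked as `cloudron-ports.sh apply`; otherwise just define
# the functions (handy for sourcing or testing).
if [ "${1:-}" = "apply" ]; then
  ensure_all
fi
```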
-
You might have forgotten to dump the changed iptables configuration with:
iptables-save >/etc/iptables/rules.v4
-
@nebulon said in Cloudron overrides iptables-persistent:
iptables-save >/etc/iptables/rules.v4
Thanks @nebulon , that may be the problem, as I initially only ran the command
iptables-save
instead of
iptables-save >/etc/iptables/rules.v4
(I followed this guide: https://linuxconfig.org/how-to-make-iptables-rules-persistent-after-reboot-on-linux)
Now the iptables rules (incl. custom rules) persist after reboot, but then again... Cloudron has had no reason to make changes.
So I provoked it by installing another app (WordPress app). A few seconds after installation it said WordPress was running, but I could not access it. A few seconds later I could. So it seems it is working. (Maybe I should have tried another app, with other ports.)
@necrevistonnezr maybe you could also benefit from looking at iptables-persistent? https://linuxconfig.org/how-to-make-iptables-rules-persistent-after-reboot-on-linux
-
@stoccafisso https://cloudron.io/documentation/security/#block-ips has the necessary commands to make iptable changes persist.
-
Now that we can whitelist ports (even though it might not work as expected?), does it interfere with iptables-persistent? Should one remove the package and/or the entries in
/etc/iptables/rules.v4
or /etc/iptables/rules.v6
?
-
It's better to use Cloudron's built-in IP block list and port white list. I think iptables-persistent probably still works OK, but we don't really test it actively.
-
So can we delete
/etc/iptables/rules.v4
and /etc/iptables/rules.v6
?
-
@necrevistonnezr yes
-
@girish Great, everything worked as expected.