Solved Cloudron overrides iptables-persistent
-
Hi all
I need to have a few extra ports open on my home theater computer, which has cloudron installed as the "brain" for web-apps (nextcloud).
(So far I could not detect any conflict between cloudron and the other extra serverapps that is in need of these ekstra open ports (Virtualbox and its VM's))
I have added these ekstra ports in iptables and saved the configuration with iptables-persistent
But when server/cloudron is restarted, cloudron overrides my iptables-persistent settings and clean out my extra iptablerules.
How can I get cloudron to respect my extra iptables rules, and not wipe them every reboot/restart?
-
@stoccafisso Cloudron manages iptables on it's own. I am not sure of a proper way around this other than forking the app you use for media and modifying the CloudronManifest.json file to include the ports you need.
Though that's not really recommended. @nebulon might have some answers though!
-
I came to think about something like this:
- Run a script that monitors when cloudron is finished loading, and finished configuring iptables (after each restart/bootup)
- Then, when cloudron is complete restarted, script insert the needed custom iptables entries, and then run iptables-persistent.
There are probably much better ways to do it, but at least I am trying to think out a possible solution. But how to code that script and get it to do the stuff I want? Anyone able to help?
-
@stoccafisso
I run Plex on the same server as Cloudron (there's no official Plex app yet for Cloudron, although it's planned.)
I set up a script via cron that opens the necessary ports every XX minutes.iptables -I INPUT -p tcp -m tcp --dport 32400 -j ACCEPT iptables -I INPUT -p tcp -m tcp --dport 32469 -j ACCEPT -
You might have forgotten to dump the changed iptables configuration with:
iptables-save >/etc/iptables/rules.v4 -
@nebulon said in Cloudron overrides iptables-persistent:
iptables-save >/etc/iptables/rules.v4
Thanks @nebulon , that may be the problem, as I initially only ran the command
iptables-saveinstead of
iptables-save >/etc/iptables/rules.v4(I followed this guide: https://linuxconfig.org/how-to-make-iptables-rules-persistent-after-reboot-on-linux)
Now the iptables rules (inkl custom rules) persist after reboot, but then again...cloudron has had no reason to do changes.
So I provoked it by installing another app (wordpress-app). A few seconds after installation it said wordpress was running, but I could not access it. A few seconds later I could. So it seems it is working. (Maybe I should have tried another app, with other ports)
@necrevistonnezr maybe you could also benefit from looking at iptables-persistent? https://linuxconfig.org/how-to-make-iptables-rules-persistent-after-reboot-on-linux
-
@stoccafisso https://cloudron.io/documentation/security/#block-ips has the necessary commands to make iptable changes persist.
-
Now that we can whitelist ports (even though it might not work as expected?), does it interfere with iptables-persistent? Should one remove the package and / or entries in
/etc/iptables/rules.v4or/etc/iptables/rules.v6? -
It's better to use Cloudron's built-in IP block list and port white list. I think maybe iptables persistent probably still works OK but we don't really test it actively.
-
So can we delete
/etc/iptables/rules.v4and/etc/iptables/rules.v6? -
@necrevistonnezr yes
-
@girish Great, everything worked as expected.
-
@girish
i have followed this guide but it didn't work for me so i had to manually add ports to iptables in the end.i used to to this editing the ports.json file before and it worked as expected.
-
@niko was there any error restarting cloudron-firewall service or such? This should still work as expected, so maybe you hit a bug somewhere?
Also could you share your ports.json config here so we can try to reproduce this? If you don't want to expose your port settings here, you can also send them to support@cloudron.io
