SOLVED Cloudron overrides iptables-persistent

stoccafisso

Hi all

I need to have a few extra ports open on my home theater computer, which has cloudron installed as the "brain" for web-apps (nextcloud).

(So far I could not detect any conflict between cloudron and the other extra serverapps that is in need of these ekstra open ports (Virtualbox and its VM's))

I have added these ekstra ports in iptables and saved the configuration with iptables-persistent

But when server/cloudron is restarted, cloudron overrides my iptables-persistent settings and clean out my extra iptablerules.

How can I get cloudron to respect my extra iptables rules, and not wipe them every reboot/restart?

murgero

@stoccafisso Cloudron manages iptables on it's own. I am not sure of a proper way around this other than forking the app you use for media and modifying the CloudronManifest.json file to include the ports you need.

Though that's not really recommended. @nebulon might have some answers though!

stoccafisso

I came to think about something like this:

1. Run a script that monitors when cloudron is finished loading, and finished configuring iptables (after each restart/bootup)
2. Then, when cloudron is complete restarted, script insert the needed custom iptables entries, and then run iptables-persistent.

There are probably much better ways to do it, but at least I am trying to think out a possible solution. But how to code that script and get it to do the stuff I want? Anyone able to help?

necrevistonnezr

@stoccafisso
I run Plex on the same server as Cloudron (there's no official Plex app yet for Cloudron, although it's planned.)
I set up a script via cron that opens the necessary ports every XX minutes.

iptables -I INPUT -p tcp -m tcp --dport 32400 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 32469 -j ACCEPT

nebulon

You might have forgotten to dump the changed iptables configuration with:

iptables-save >/etc/iptables/rules.v4

stoccafisso

@nebulon said in Cloudron overrides iptables-persistent:

iptables-save >/etc/iptables/rules.v4

Thanks @nebulon , that may be the problem, as I initially only ran the command

iptables-save

instead of

iptables-save >/etc/iptables/rules.v4

(I followed this guide: https://linuxconfig.org/how-to-make-iptables-rules-persistent-after-reboot-on-linux)

Now the iptables rules (inkl custom rules) persist after reboot, but then again...cloudron has had no reason to do changes.

So I provoked it by installing another app (wordpress-app). A few seconds after installation it said wordpress was running, but I could not access it. A few seconds later I could. So it seems it is working. (Maybe I should have tried another app, with other ports)

@necrevistonnezr maybe you could also benefit from looking at iptables-persistent? https://linuxconfig.org/how-to-make-iptables-rules-persistent-after-reboot-on-linux

girish

@stoccafisso https://cloudron.io/documentation/security/#block-ips has the necessary commands to make iptable changes persist.

necrevistonnezr

Now that we can whitelist ports (even though it might not work as expected?), does it interfere with iptables-persistent? Should one remove the package and / or entries in /etc/iptables/rules.v4 or /etc/iptables/rules.v6?

girish

It's better to use Cloudron's built-in IP block list and port white list. I think maybe iptables persistent probably still works OK but we don't really test it actively.

necrevistonnezr

So can we delete /etc/iptables/rules.v4 and /etc/iptables/rules.v6?

girish

@necrevistonnezr yes

necrevistonnezr

@girish Great, everything worked as expected.