Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


    Cloudron Forum

    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular

    Solved Cloudron overrides iptables-persistent

    Support
    home computer firewall
    6
    14
    836
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      stoccafisso last edited by girish

      Hi all

      I need to have a few extra ports open on my home theater computer, which has cloudron installed as the "brain" for web-apps (nextcloud).

      (So far I could not detect any conflict between cloudron and the other extra serverapps that is in need of these ekstra open ports (Virtualbox and its VM's))

      I have added these ekstra ports in iptables and saved the configuration with iptables-persistent

      But when server/cloudron is restarted, cloudron overrides my iptables-persistent settings and clean out my extra iptablerules.

      How can I get cloudron to respect my extra iptables rules, and not wipe them every reboot/restart?

      murgero 1 Reply Last reply Reply Quote 0
      • murgero
        murgero App Dev @stoccafisso last edited by

        @stoccafisso Cloudron manages iptables on it's own. I am not sure of a proper way around this other than forking the app you use for media and modifying the CloudronManifest.json file to include the ports you need.

        Though that's not really recommended. @nebulon might have some answers though!

        --
        https://urgero.org
        ~ Professional Nerd. Freelance Programmer. ~
        Matrix: @murgero:urgero.org

        1 Reply Last reply Reply Quote 2
        • S
          stoccafisso last edited by

          I came to think about something like this:

          1. Run a script that monitors when cloudron is finished loading, and finished configuring iptables (after each restart/bootup)
          2. Then, when cloudron is complete restarted, script insert the needed custom iptables entries, and then run iptables-persistent.

          There are probably much better ways to do it, but at least I am trying to think out a possible solution. But how to code that script and get it to do the stuff I want? Anyone able to help?

          necrevistonnezr 1 Reply Last reply Reply Quote 0
          • necrevistonnezr
            necrevistonnezr @stoccafisso last edited by

            @stoccafisso
            I run Plex on the same server as Cloudron (there's no official Plex app yet for Cloudron, although it's planned.)
            I set up a script via cron that opens the necessary ports every XX minutes.

            iptables -I INPUT -p tcp -m tcp --dport 32400 -j ACCEPT
            iptables -I INPUT -p tcp -m tcp --dport 32469 -j ACCEPT
            
            1 Reply Last reply Reply Quote 0
            • nebulon
              nebulon Staff last edited by

              You might have forgotten to dump the changed iptables configuration with:

              iptables-save >/etc/iptables/rules.v4
              
              S 1 Reply Last reply Reply Quote 2
              • S
                stoccafisso @nebulon last edited by stoccafisso

                @nebulon said in Cloudron overrides iptables-persistent:

                iptables-save >/etc/iptables/rules.v4

                Thanks @nebulon , that may be the problem, as I initially only ran the command

                iptables-save
                

                instead of

                iptables-save >/etc/iptables/rules.v4
                

                (I followed this guide: https://linuxconfig.org/how-to-make-iptables-rules-persistent-after-reboot-on-linux)

                Now the iptables rules (inkl custom rules) persist after reboot, but then again...cloudron has had no reason to do changes.

                So I provoked it by installing another app (wordpress-app). A few seconds after installation it said wordpress was running, but I could not access it. A few seconds later I could. So it seems it is working. (Maybe I should have tried another app, with other ports)

                @necrevistonnezr maybe you could also benefit from looking at iptables-persistent? https://linuxconfig.org/how-to-make-iptables-rules-persistent-after-reboot-on-linux

                1 Reply Last reply Reply Quote 2
                • girish
                  girish Staff last edited by

                  @stoccafisso https://cloudron.io/documentation/security/#block-ips has the necessary commands to make iptable changes persist.

                  N 1 Reply Last reply Reply Quote 0
                  • necrevistonnezr
                    necrevistonnezr last edited by

                    Now that we can whitelist ports (even though it might not work as expected?), does it interfere with iptables-persistent? Should one remove the package and / or entries in /etc/iptables/rules.v4 or /etc/iptables/rules.v6?

                    1 Reply Last reply Reply Quote 1
                    • girish
                      girish Staff last edited by

                      It's better to use Cloudron's built-in IP block list and port white list. I think maybe iptables persistent probably still works OK but we don't really test it actively.

                      1 Reply Last reply Reply Quote 1
                      • necrevistonnezr
                        necrevistonnezr last edited by

                        So can we delete /etc/iptables/rules.v4 and /etc/iptables/rules.v6?

                        girish 1 Reply Last reply Reply Quote 0
                        • girish
                          girish Staff @necrevistonnezr last edited by

                          @necrevistonnezr yes

                          necrevistonnezr 1 Reply Last reply Reply Quote 1
                          • necrevistonnezr
                            necrevistonnezr @girish last edited by

                            @girish Great, everything worked as expected.

                            1 Reply Last reply Reply Quote 0
                            • N
                              niko @girish last edited by

                              @girish
                              i have followed this guide but it didn't work for me so i had to manually add ports to iptables in the end.

                              i used to to this editing the ports.json file before and it worked as expected.

                              nebulon 1 Reply Last reply Reply Quote 0
                              • nebulon
                                nebulon Staff @niko last edited by

                                @niko was there any error restarting cloudron-firewall service or such? This should still work as expected, so maybe you hit a bug somewhere?

                                Also could you share your ports.json config here so we can try to reproduce this? If you don't want to expose your port settings here, you can also send them to support@cloudron.io

                                1 Reply Last reply Reply Quote 0
                                • First post
                                  Last post
                                Powered by NodeBB