    SOLVED Cloudron overrides iptables-persistent
    • S
      stoccafisso last edited by girish

      Hi all

      I need to have a few extra ports open on my home theater computer, which has cloudron installed as the "brain" for web-apps (nextcloud).

      (So far I could not detect any conflict between cloudron and the other extra server apps that are in need of these extra open ports (VirtualBox and its VMs).)

      I have added these extra ports in iptables and saved the configuration with iptables-persistent.

      But when the server/cloudron is restarted, cloudron overrides my iptables-persistent settings and cleans out my extra iptables rules.

      How can I get cloudron to respect my extra iptables rules, and not wipe them every reboot/restart?

      • M
        murgero App Dev @stoccafisso last edited by

        @stoccafisso Cloudron manages iptables on its own. I am not sure of a proper way around this other than forking the app you use for media and modifying the CloudronManifest.json file to include the ports you need.

        Though that's not really recommended. @nebulon might have some answers though!

        • S
          stoccafisso last edited by

          I came to think about something like this:

          1. Run a script that monitors when cloudron has finished loading and configuring iptables (after each restart/bootup).
          2. Then, when cloudron has completely restarted, the script inserts the needed custom iptables entries and then runs iptables-persistent.

          There are probably much better ways to do it, but at least I am trying to think out a possible solution. But how to code that script and get it to do the stuff I want? Anyone able to help?

          • necrevistonnezr
            necrevistonnezr @stoccafisso last edited by

            @stoccafisso
            I run Plex on the same server as Cloudron (there's no official Plex app yet for Cloudron, although it's planned.)
            I set up a script via cron that opens the necessary ports every XX minutes.

            iptables -I INPUT -p tcp -m tcp --dport 32400 -j ACCEPT
            iptables -I INPUT -p tcp -m tcp --dport 32469 -j ACCEPT
            
            • nebulon
              nebulon Staff last edited by

              You might have forgotten to dump the changed iptables configuration with:

              iptables-save >/etc/iptables/rules.v4
              
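An added example, not code from this thread or from Cloudron, that combines necrevistonnezr's cron-script idea with nebulon's iptables-save step: it checks each rule with `iptables -C` before inserting it, so running it every few minutes does not stack duplicate rules, and it rewrites /etc/iptables/rules.v4 only when something actually changed. The iptables and iptables-save commands and the rules-file path are assumed defaults, overridable through the IPTABLES, IPTABLES_SAVE and RULES_FILE variables.

```shell
#!/bin/sh
# Added example (not from the thread): re-open a list of TCP ports after
# Cloudron has rewritten the INPUT chain, then persist the live ruleset for
# iptables-persistent. A plain "iptables -I" from cron would add one more
# copy of the rule on every run; "iptables -C" makes this idempotent.
# Assumptions: iptables/iptables-save are on PATH and /etc/iptables/rules.v4
# is the file that is restored at boot (the path nebulon gives above).
IPTABLES="${IPTABLES:-iptables}"
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"

# ensure_port PORT: insert an ACCEPT rule for PORT/tcp at the top of INPUT
# unless an identical rule already exists. Increments ADDED when it inserts.
ensure_port() {
    port="$1"
    if "$IPTABLES" -C INPUT -p tcp -m tcp --dport "$port" -j ACCEPT 2>/dev/null; then
        echo "present: $port/tcp"
        return 0
    fi
    "$IPTABLES" -I INPUT -p tcp -m tcp --dport "$port" -j ACCEPT || return 1
    ADDED=$((ADDED + 1))
    echo "added: $port/tcp"
}

# ensure_ports PORT...: open every listed port, then dump the ruleset to
# RULES_FILE only if at least one rule was added. Returns 0 on success.
ensure_ports() {
    ADDED=0
    for p in "$@"; do
        ensure_port "$p" || return 1
    done
    if [ "$ADDED" -gt 0 ]; then
        "$IPTABLES_SAVE" > "$RULES_FILE" || return 1
        echo "saved $ADDED new rule(s) to $RULES_FILE"
    fi
}

# Usage: sh ensure-ports.sh 32400 32469   (from cron, or once after boot)
if [ "$#" -gt 0 ]; then
    ensure_ports "$@"
fi
```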
              • S
                stoccafisso @nebulon last edited by stoccafisso

                @nebulon said in Cloudron overrides iptables-persistent:

                iptables-save >/etc/iptables/rules.v4

                Thanks @nebulon , that may be the problem, as I initially only ran the command

                iptables-save
                

                instead of

                iptables-save >/etc/iptables/rules.v4
                

                (I followed this guide: https://linuxconfig.org/how-to-make-iptables-rules-persistent-after-reboot-on-linux)

                Now the iptables rules (incl. custom rules) persist after reboot, but then again... cloudron has had no reason to make changes.

                So I provoked it by installing another app (wordpress-app). A few seconds after installation it said wordpress was running, but I could not access it. A few seconds later I could. So it seems it is working. (Maybe I should have tried another app, with other ports)

                @necrevistonnezr maybe you could also benefit from looking at iptables-persistent? https://linuxconfig.org/how-to-make-iptables-rules-persistent-after-reboot-on-linux

                • girish
                  girish Staff last edited by

                  @stoccafisso https://cloudron.io/documentation/security/#block-ips has the necessary commands to make iptable changes persist.

                  • necrevistonnezr
                    necrevistonnezr last edited by

                    Now that we can whitelist ports (even though it might not work as expected?), does it interfere with iptables-persistent? Should one remove the package and/or the entries in /etc/iptables/rules.v4 or /etc/iptables/rules.v6?

                    • girish
                      girish Staff last edited by

                      It's better to use Cloudron's built-in IP block list and port white list. I think maybe iptables-persistent probably still works OK, but we don't really test it actively.

                      • necrevistonnezr
                        necrevistonnezr last edited by

                        So can we delete /etc/iptables/rules.v4 and /etc/iptables/rules.v6?

                        • girish
                          girish Staff @necrevistonnezr last edited by

                          @necrevistonnezr yes

                          • necrevistonnezr
                            necrevistonnezr @girish last edited by

                            @girish Great, everything worked as expected.
