Cloudron overrides iptables-persistent

stoccafisso

I came to think about something like this:

1. Run a script that monitors when cloudron is finished loading, and finished configuring iptables (after each restart/bootup)
2. Then, when cloudron is complete restarted, script insert the needed custom iptables entries, and then run iptables-persistent.

There are probably much better ways to do it, but at least I am trying to think out a possible solution. But how to code that script and get it to do the stuff I want? Anyone able to help?

necrevistonnezr

@stoccafisso
I run Plex on the same server as Cloudron (there's no official Plex app yet for Cloudron, although it's planned.)
I set up a script via cron that opens the necessary ports every XX minutes.

iptables -I INPUT -p tcp -m tcp --dport 32400 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 32469 -j ACCEPT

nebulon

You might have forgotten to dump the changed iptables configuration with:

iptables-save >/etc/iptables/rules.v4

stoccafisso

@nebulon said in Cloudron overrides iptables-persistent:

iptables-save >/etc/iptables/rules.v4

Thanks @nebulon , that may be the problem, as I initially only ran the command

iptables-save

instead of

iptables-save >/etc/iptables/rules.v4

(I followed this guide: https://linuxconfig.org/how-to-make-iptables-rules-persistent-after-reboot-on-linux)

Now the iptables rules (inkl custom rules) persist after reboot, but then again...cloudron has had no reason to do changes.

So I provoked it by installing another app (wordpress-app). A few seconds after installation it said wordpress was running, but I could not access it. A few seconds later I could. So it seems it is working. (Maybe I should have tried another app, with other ports)

@necrevistonnezr maybe you could also benefit from looking at iptables-persistent? https://linuxconfig.org/how-to-make-iptables-rules-persistent-after-reboot-on-linux

girish

@stoccafisso https://cloudron.io/documentation/security/#block-ips has the necessary commands to make iptable changes persist.

necrevistonnezr

Now that we can whitelist ports (even though it might not work as expected?), does it interfere with iptables-persistent? Should one remove the package and / or entries in /etc/iptables/rules.v4 or /etc/iptables/rules.v6?

girish

It's better to use Cloudron's built-in IP block list and port white list. I think maybe iptables persistent probably still works OK but we don't really test it actively.

necrevistonnezr

So can we delete /etc/iptables/rules.v4 and /etc/iptables/rules.v6?

girish

@necrevistonnezr yes

necrevistonnezr

@girish Great, everything worked as expected.

niko

@girish
i have followed this guide but it didn't work for me so i had to manually add ports to iptables in the end.

i used to to this editing the ports.json file before and it worked as expected.

nebulon

@niko was there any error restarting cloudron-firewall service or such? This should still work as expected, so maybe you hit a bug somewhere?

Also could you share your ports.json config here so we can try to reproduce this? If you don't want to expose your port settings here, you can also send them to support@cloudron.io