SOLVED Networking - Whitelist ports does not work as expected
-
Referring Question: Zabbix Agent on Cloudron
Docs: Networking - Whitelist ports
TL;DR
Create/Edit file
/home/yellowtent/boxdata/firewall-config.jsonAdd your Ports:
{ "allowed_tcp_ports": [ 10050 ] }Restart the firewall to apply the configuration:
systemctl restart cloudron-firewallExpected outcome:
The Port 10050 should now be allowed inbound for TCP.
Real outcome:
No entry in iptables about port 10050.
Trackback
Checking my work.
Cloudron Version v5.6.3$ cat /home/yellowtent/boxdata/firewall-config.json { "allowed_tcp_ports": [ 10050 ] } # restart the firewall systemctl restart cloudron-firewall # view iptalbes for port 10050 $ iptables -L -n | grep -i 10050 # tcpdump shows only inbound traffic $ tcpdump -i any -n tcp port 10050 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes 09:03:27.641147 IP X.X.X.X > X.X.X.X: Flags [S], seq 3765228499, win 64240, options [mss 1460,sackOK,TS val 2196509506 ecr 0,nop,wscale 9], length 0 09:03:28.647277 IP X.X.X.X > X.X.X.X: Flags [S], seq 3765228499, win 64240, options [mss 1460,sackOK,TS val 2196510512 ecr 0,nop,wscale 9], length 0 # nc from my client to cloudron after waiting 30 sec $ nc -vt my.domain.tld 10050 ^CExiting. # to be sure lets try the zabbix server himself $ nc -vt monitoring.domain.tld 10050 monitoring.domain.tld [X.X.X.X] 10050 (zabbix-agent) open
Hotfix
# Check CLOUDRON table first $ iptables -L CLOUDRON Chain CLOUDRON (1 references) target prot opt source destination DROP all -- anywhere anywhere match-set cloudron_blocklist src ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT tcp -- anywhere anywhere tcp multiport dports ssh,smtp,http,at-nbp,https ACCEPT tcp -- anywhere anywhere multiport dports 3478,5349 ACCEPT udp -- anywhere anywhere multiport dports 3478,5349 ACCEPT udp -- anywhere anywhere multiport dports 50000:51000 ACCEPT icmp -- anywhere anywhere icmp echo-request ACCEPT icmp -- anywhere anywhere icmp echo-reply ACCEPT udp -- anywhere anywhere udp spt:domain ACCEPT all -- 172.18.0.0/16 anywhere ACCEPT all -- anywhere anywhere LOG all -- anywhere anywhere limit: avg 2/min burst 5 LOG level debug prefix "IPTables Packet Dropped: "Add the port on position two:
$ iptables -I CLOUDRON 2 -p tcp -m tcp --dport 10050 -j ACCEPT # nc again from my localhost nc -vt my.domain.tld 10050 my.domain.tld [X.X.X.X] 10050 (zabbix-agent) open
-
@BrutalBirdie Whoops, the filename is wrong. The correct filename is
/home/yellowtent/boxdata/firewall/ports.json.# cat /home/yellowtent/boxdata/firewall/ports.json { "allowed_tcp_ports": [ 10050 ] } # systemctl restart cloudron-firewall # iptables -L -n | grep -i 10050 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp multiport dports 10050
-
@girish said in Networking - Whitelist ports does not work as expected:
@BrutalBirdie Whoops, the filename is wrong. The correct filename is
/home/yellowtent/boxdata/firewall/ports.json.# cat /home/yellowtent/boxdata/firewall/ports.json { "allowed_tcp_ports": [ 10050 ] } # systemctl restart cloudron-firewall # iptables -L -n | grep -i 10050 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp multiport dports 10050Now it's working as intended.
I will create a PR for the docs.edit:
https://git.cloudron.io/cloudron/docs/-/commit/fd7c5d31f5fbd02e65589e06d5f9ee50322269eb
Has been done already, because it's not live yet I thought I could do that.Thanks
-
This only works for TCP right now.
