Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Navigation

    Cloudron Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular

    SOLVED Networking - Whitelist ports does not work as expected

    Support
    firewall
    4
    12
    87
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • BrutalBirdie
      BrutalBirdie App Dev last edited by girish

      Referring Question: Zabbix Agent on Cloudron

      Docs: Networking - Whitelist ports

      TL;DR

      Create/Edit file /home/yellowtent/boxdata/firewall-config.json

      Add your Ports:

      {
    "allowed_tcp_ports": [ 10050 ]
}

      Restart the firewall to apply the configuration:

      systemctl restart cloudron-firewall

      Expected outcome:

      The Port 10050 should now be allowed inbound for TCP.

      Real outcome:

      No entry in iptables about port 10050.

      Trackback

      Checking my work.
      Cloudron Version v5.6.3

      $ cat /home/yellowtent/boxdata/firewall-config.json
{
    "allowed_tcp_ports": [ 10050 ]
}

# restart the firewall
systemctl restart cloudron-firewall

# view iptalbes for port 10050
$ iptables -L -n | grep -i 10050

# tcpdump shows only inbound traffic 
$ tcpdump -i any -n tcp port 10050
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
09:03:27.641147 IP X.X.X.X > X.X.X.X: Flags [S], seq 3765228499, win 64240, options [mss 1460,sackOK,TS val 2196509506 ecr 0,nop,wscale 9], length 0
09:03:28.647277 IP X.X.X.X > X.X.X.X: Flags [S], seq 3765228499, win 64240, options [mss 1460,sackOK,TS val 2196510512 ecr 0,nop,wscale 9], length 0

# nc from my client to cloudron after waiting 30 sec
$ nc -vt my.domain.tld 10050  
^CExiting.
# to be sure lets try the zabbix server himself
$ nc -vt monitoring.domain.tld 10050
monitoring.domain.tld [X.X.X.X] 10050 (zabbix-agent) open

      Zabbix Error

      Hotfix

      # Check CLOUDRON table first
$ iptables -L CLOUDRON
Chain CLOUDRON (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             match-set cloudron_blocklist src
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports ssh,smtp,http,at-nbp,https
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 3478,5349
ACCEPT     udp  --  anywhere             anywhere             multiport dports 3478,5349
ACCEPT     udp  --  anywhere             anywhere             multiport dports 50000:51000
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
ACCEPT     all  --  172.18.0.0/16        anywhere            
ACCEPT     all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere             limit: avg 2/min burst 5 LOG level debug prefix "IPTables Packet Dropped: "

      Add the port on position two:

      $ iptables -I CLOUDRON 2 -p tcp -m tcp --dport 10050 -j ACCEPT

# nc again from my localhost
nc -vt my.domain.tld 10050             
my.domain.tld [X.X.X.X] 10050 (zabbix-agent) open
      1 Reply Last reply Reply Quote 1
      • girish
        girish Staff last edited by girish

        @BrutalBirdie Whoops, the filename is wrong. The correct filename is /home/yellowtent/boxdata/firewall/ports.json.

        # cat /home/yellowtent/boxdata/firewall/ports.json
{
    "allowed_tcp_ports": [ 10050 ]
}

# systemctl restart cloudron-firewall
# iptables -L -n | grep -i 10050
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp multiport dports 10050
        BrutalBirdie D 2 Replies Last reply Reply Quote 3
        • BrutalBirdie
          BrutalBirdie App Dev @girish last edited by BrutalBirdie

          @girish said in Networking - Whitelist ports does not work as expected:

          @BrutalBirdie Whoops, the filename is wrong. The correct filename is /home/yellowtent/boxdata/firewall/ports.json.

          # cat /home/yellowtent/boxdata/firewall/ports.json
{
    "allowed_tcp_ports": [ 10050 ]
}

# systemctl restart cloudron-firewall
# iptables -L -n | grep -i 10050
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp multiport dports 10050

          Now it's working as intended.
          I will create a PR for the docs.

          edit:
          https://git.cloudron.io/cloudron/docs/-/commit/fd7c5d31f5fbd02e65589e06d5f9ee50322269eb
          Has been done already, because it's not live yet I thought I could do that.

          Thanks 👍

          1 Reply Last reply Reply Quote 0
          • robi
            robi last edited by

            This only works for TCP right now.

            1 Reply Last reply Reply Quote 0
            • D
              drml @girish last edited by

              @girish How would be the syntax to open several ports? I'd need RStudio server (8787) and Geoserver (8080).

              Is it comma separated, semicolon separated or a line per port?

              Thanks a lot for the support!

              girish 1 Reply Last reply Reply Quote 0
              • girish
                girish Staff @drml last edited by

                @drml It's JSON, so it would be something like

                {
    "allowed_tcp_ports": [ 8787, 8080 ]
}
                robi 1 Reply Last reply Reply Quote 0
                • robi
                  robi @girish last edited by

                  @girish are udp ports added to Cloudron 6.x?

                  girish 1 Reply Last reply Reply Quote 0
                  • girish
                    girish Staff @robi last edited by

                    @robi No, we haven't added it. What is the use case for UDP ports?

                    robi BrutalBirdie 2 Replies Last reply Reply Quote 0
                    • robi
                      robi @girish last edited by

                      @girish mosh, video streams, etc any other app using udp

                      1 Reply Last reply Reply Quote 0
                      • BrutalBirdie
                        BrutalBirdie App Dev @girish last edited by

                        I would also enjoy UDP being supported this way.
                        Since I can still just do it manual via iptables why not give the user a easier way.

                        1 Reply Last reply Reply Quote 0
                        • girish
                          girish Staff last edited by

                          @robi @BrutalBirdie done! https://git.cloudron.io/cloudron/box/-/commit/4287642308081d27dcc160f845fd5dedb27eb481

                          BrutalBirdie 1 Reply Last reply Reply Quote 2
                          • BrutalBirdie
                            BrutalBirdie App Dev @girish last edited by

                            @girish said in Networking - Whitelist ports does not work as expected:

                            @robi @BrutalBirdie done! https://git.cloudron.io/cloudron/box/-/commit/4287642308081d27dcc160f845fd5dedb27eb481

                            That was fast. ♥

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post