    Solved Networking - Whitelist ports does not work as expected

    Support
    firewall
    • BrutalBirdie
      BrutalBirdie Staff last edited by girish

      Referring Question: Zabbix Agent on Cloudron

      Docs: Networking - Whitelist ports

      TL;DR

      Create/Edit file /home/yellowtent/boxdata/firewall-config.json

      Add your Ports:

      {
          "allowed_tcp_ports": [ 10050 ]
      }
      

      Restart the firewall to apply the configuration:

      systemctl restart cloudron-firewall
      

      Expected outcome:

      Port 10050 should now be allowed inbound for TCP.

      Real outcome:

      No entry in iptables about port 10050.

      Trackback

      Checking my work.
      Cloudron Version v5.6.3

      $ cat /home/yellowtent/boxdata/firewall-config.json
      {
          "allowed_tcp_ports": [ 10050 ]
      }
      
      # restart the firewall
      systemctl restart cloudron-firewall
      
      # view iptables for port 10050
      $ iptables -L -n | grep -i 10050
      
      # tcpdump shows only inbound traffic 
      $ tcpdump -i any -n tcp port 10050
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
      09:03:27.641147 IP X.X.X.X > X.X.X.X: Flags [S], seq 3765228499, win 64240, options [mss 1460,sackOK,TS val 2196509506 ecr 0,nop,wscale 9], length 0
      09:03:28.647277 IP X.X.X.X > X.X.X.X: Flags [S], seq 3765228499, win 64240, options [mss 1460,sackOK,TS val 2196510512 ecr 0,nop,wscale 9], length 0
      
      # nc from my client to cloudron after waiting 30 sec
      $ nc -vt my.domain.tld 10050  
      ^CExiting.
      # to be sure, let's try the Zabbix server itself
      $ nc -vt monitoring.domain.tld 10050
      monitoring.domain.tld [X.X.X.X] 10050 (zabbix-agent) open
      

      Zabbix Error

      Hotfix

      # Check CLOUDRON table first
      $ iptables -L CLOUDRON
      Chain CLOUDRON (1 references)
      target     prot opt source               destination         
      DROP       all  --  anywhere             anywhere             match-set cloudron_blocklist src
      ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
      ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports ssh,smtp,http,at-nbp,https
      ACCEPT     tcp  --  anywhere             anywhere             multiport dports 3478,5349
      ACCEPT     udp  --  anywhere             anywhere             multiport dports 3478,5349
      ACCEPT     udp  --  anywhere             anywhere             multiport dports 50000:51000
      ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
      ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
      ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
      ACCEPT     all  --  172.18.0.0/16        anywhere            
      ACCEPT     all  --  anywhere             anywhere            
      LOG        all  --  anywhere             anywhere             limit: avg 2/min burst 5 LOG level debug prefix "IPTables Packet Dropped: "
      

      Add the port on position two:

      $ iptables -I CLOUDRON 2 -p tcp -m tcp --dport 10050 -j ACCEPT
      
      # nc again from my localhost
      nc -vt my.domain.tld 10050             
      my.domain.tld [X.X.X.X] 10050 (zabbix-agent) open
      

      Like my work? Consider donating a beer 🍻 Cheers!

      • girish
        girish Staff last edited by girish

        @BrutalBirdie Whoops, the filename is wrong. The correct filename is /home/yellowtent/boxdata/firewall/ports.json.

        # cat /home/yellowtent/boxdata/firewall/ports.json
        {
            "allowed_tcp_ports": [ 10050 ]
        }
        
        # systemctl restart cloudron-firewall
        # iptables -L -n | grep -i 10050
        ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp multiport dports 10050
        
        • BrutalBirdie
          BrutalBirdie Staff @girish last edited by BrutalBirdie

          @girish said in Networking - Whitelist ports does not work as expected:

          @BrutalBirdie Whoops, the filename is wrong. The correct filename is /home/yellowtent/boxdata/firewall/ports.json.

          # cat /home/yellowtent/boxdata/firewall/ports.json
          {
              "allowed_tcp_ports": [ 10050 ]
          }
          
          # systemctl restart cloudron-firewall
          # iptables -L -n | grep -i 10050
          ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp multiport dports 10050
          

          Now it's working as intended.
          I will create a PR for the docs.

          edit:
          https://git.cloudron.io/cloudron/docs/-/commit/fd7c5d31f5fbd02e65589e06d5f9ee50322269eb
          It has been done already; because it's not live yet, I thought I could do that.

          Thanks 👍

          • robi
            robi last edited by

            This only works for TCP right now.

            Life of Advanced Technology

            • D
              drml @girish last edited by

              @girish What would be the syntax to open several ports? I'd need RStudio Server (8787) and GeoServer (8080).

              Is it comma separated, semicolon separated or a line per port?

              Thanks a lot for the support!

              • girish
                girish Staff @drml last edited by

                @drml It's JSON, so it would be something like

                {
                    "allowed_tcp_ports": [ 8787, 8080 ]
                }
                
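The procedure the thread settles on (edit /home/yellowtent/boxdata/firewall/ports.json, restart cloudron-firewall, check the CLOUDRON chain) and the one-off iptables hotfix from the first post, as an added example written for this page and not Cloudron's own code: it validates a ports.json of the shape girish shows (so a string instead of an array, or a misspelled key, fails loudly instead of being silently ignored), builds the equivalent manual insert for several ports, and classifies each wanted port against `iptables -S CLOUDRON` output. The sample chain text is constructed from the listing in the hotfix post with port numbers in place of the service names `-L` prints; it is not captured from a real host. The function names, the "before-blocklist" check and the multiport form of the hotfix are this example's own assumptions, not documented Cloudron behaviour.

```python
import json
import shlex

# Path the thread settles on (girish's correction); the first post's
# firewall-config.json is the wrong name and is simply never read.
PORTS_JSON = "/home/yellowtent/boxdata/firewall/ports.json"
CHAIN = "CLOUDRON"


def load_allowed_tcp_ports(text):
    """Parse ports.json content; return sorted, de-duplicated TCP ports.
    Rejects invalid JSON, a missing key, a non-array value and bad ports."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from exc
    if not isinstance(data, dict) or "allowed_tcp_ports" not in data:
        raise ValueError('expected an object with an "allowed_tcp_ports" key')
    ports = data["allowed_tcp_ports"]
    if not isinstance(ports, list):
        raise ValueError('"allowed_tcp_ports" must be a JSON array, e.g. [ 8787, 8080 ]')
    valid = set()
    for p in ports:
        # bool is a subclass of int in Python, so rule it out explicitly
        if isinstance(p, bool) or not isinstance(p, int) or not 1 <= p <= 65535:
            raise ValueError(f"invalid port {p!r}: must be an integer from 1 to 65535")
        valid.add(p)
    return sorted(valid)


def hotfix_command(ports, position=2):
    """The thread's one-off iptables insert, generalised to several ports.
    Position 2 keeps the rule behind the cloudron_blocklist DROP at position 1,
    so sources on the blocklist stay blocked for the new port as well."""
    dports = ",".join(str(p) for p in sorted(set(ports)))
    return f"iptables -I {CHAIN} {position} -p tcp -m multiport --dports {dports} -j ACCEPT"


def parse_chain(iptables_s_output):
    """Split `iptables -S CLOUDRON` output into token lists, in chain order."""
    return [shlex.split(line) for line in iptables_s_output.splitlines()
            if line.strip().startswith(f"-A {CHAIN} ")]


def _expand(spec):
    """'80' -> {80}; '50000:51000' -> every port in that range."""
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return set(range(int(lo), int(hi) + 1))
    return {int(spec)}


def _accepted_tcp_dports(tokens):
    """TCP destination ports one rule ACCEPTs (empty for non-ACCEPT/non-TCP rules)."""
    if "-j" not in tokens or tokens[tokens.index("-j") + 1] != "ACCEPT":
        return set()
    if "-p" not in tokens or tokens[tokens.index("-p") + 1] != "tcp":
        return set()
    ports = set()
    for i, tok in enumerate(tokens):
        if tok in ("--dport", "--dports"):
            for part in tokens[i + 1].split(","):
                ports |= _expand(part)
    return ports


def check_ports(iptables_s_output, ports):
    """Classify each wanted TCP port against the chain:
      'open'             ACCEPTed by a rule placed after the cloudron_blocklist DROP
      'before-blocklist' ACCEPTed by a rule above that DROP (e.g. -I CLOUDRON 1),
                         which lets blocklisted sources reach the port
      'missing'          no ACCEPT rule at all, which is what the first post saw"""
    rules = parse_chain(iptables_s_output)
    drop_idx = next((i for i, r in enumerate(rules)
                     if "--match-set" in r and "cloudron_blocklist" in r and r[-1] == "DROP"), None)
    result = {}
    for port in ports:
        result[port] = "missing"
        for i, rule in enumerate(rules):
            if port in _accepted_tcp_dports(rule):
                result[port] = "open" if drop_idx is None or i > drop_idx else "before-blocklist"
                break
    return result


# Constructed sample inputs so this runs offline: a ports.json like the one in
# the thread, and an `iptables -S CLOUDRON` listing modelled on the chain shown
# in the hotfix post (22,25,80,202,443 are ssh,smtp,http,at-nbp,https).
SAMPLE_PORTS_JSON = '{ "allowed_tcp_ports": [ 8787, 8080 ] }'
SAMPLE_CHAIN = """\
-N CLOUDRON
-A CLOUDRON -m set --match-set cloudron_blocklist src -j DROP
-A CLOUDRON -m state --state RELATED,ESTABLISHED -j ACCEPT
-A CLOUDRON -p tcp -m multiport --dports 22,25,80,202,443 -j ACCEPT
-A CLOUDRON -p tcp -m multiport --dports 3478,5349 -j ACCEPT
-A CLOUDRON -p udp -m multiport --dports 3478,5349 -j ACCEPT
-A CLOUDRON -p udp -m multiport --dports 50000:51000 -j ACCEPT
-A CLOUDRON -p tcp -m multiport --dports 8787,8080 -j ACCEPT
-A CLOUDRON -m limit --limit 2/min --limit-burst 5 -j LOG --log-prefix "IPTables Packet Dropped: "
"""

if __name__ == "__main__":
    wanted = load_allowed_tcp_ports(SAMPLE_PORTS_JSON)
    print("manual fallback:", hotfix_command(wanted))
    for port, status in check_ports(SAMPLE_CHAIN, wanted + [10050]).items():
        print(f"tcp/{port}: {status}")
```

On a live host, feed `check_ports` the output of `iptables -S CLOUDRON` (for example via `subprocess.run(["iptables", "-S", CHAIN], capture_output=True, text=True).stdout` as root) after `systemctl restart cloudron-firewall`; a port reported as "missing" means the file was not picked up, as with the wrong filename in the first post, and "before-blocklist" means a manual rule was inserted above the blocklist DROP and should be re-inserted at position 2. This covers TCP only, matching what the thread says the config supports at that point; the UDP field added later is not shown on the page, so it is not modelled here.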
                • robi
                  robi @girish last edited by

                  @girish are udp ports added to Cloudron 6.x?

                  • girish
                    girish Staff @robi last edited by

                    @robi No, we haven't added it. What is the use case for UDP ports?

                    • robi
                      robi @girish last edited by

                      @girish mosh, video streams, etc., any other app using UDP

                      • BrutalBirdie
                        BrutalBirdie Staff @girish last edited by

                        I would also enjoy UDP being supported this way.
                        Since I can still just do it manually via iptables, why not give the user an easier way.

                        • girish
                          girish Staff last edited by

                          @robi @BrutalBirdie done! https://git.cloudron.io/cloudron/box/-/commit/4287642308081d27dcc160f845fd5dedb27eb481

                          • BrutalBirdie
                            BrutalBirdie Staff @girish last edited by

                            @girish said in Networking - Whitelist ports does not work as expected:

                            @robi @BrutalBirdie done! https://git.cloudron.io/cloudron/box/-/commit/4287642308081d27dcc160f845fd5dedb27eb481

                            That was fast. ♥
