

SOLVED Networking - Whitelist ports does not work as expected


  • App Dev

    Referring Question: Zabbix Agent on Cloudron

    Docs: Networking - Whitelist ports

    TL;DR

    Create/Edit file /home/yellowtent/boxdata/firewall-config.json

    Add your Ports:

    {
        "allowed_tcp_ports": [ 10050 ]
    }
    

    Restart the firewall to apply the configuration:

    systemctl restart cloudron-firewall
    

    Expected outcome:

    The Port 10050 should now be allowed inbound for TCP.

    Real outcome:

    No entry in iptables about port 10050.

    Trackback

    Checking my work.
    Cloudron Version v5.6.3

    $ cat /home/yellowtent/boxdata/firewall-config.json
    {
        "allowed_tcp_ports": [ 10050 ]
    }
    
    # restart the firewall
    systemctl restart cloudron-firewall
    
    # view iptables for port 10050
    $ iptables -L -n | grep -i 10050
    
    # tcpdump shows only inbound traffic 
    $ tcpdump -i any -n tcp port 10050
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    09:03:27.641147 IP X.X.X.X > X.X.X.X: Flags [S], seq 3765228499, win 64240, options [mss 1460,sackOK,TS val 2196509506 ecr 0,nop,wscale 9], length 0
    09:03:28.647277 IP X.X.X.X > X.X.X.X: Flags [S], seq 3765228499, win 64240, options [mss 1460,sackOK,TS val 2196510512 ecr 0,nop,wscale 9], length 0
    
    # nc from my client to cloudron after waiting 30 sec
    $ nc -vt my.domain.tld 10050  
    ^CExiting.
    # to be sure, let's try the zabbix server itself
    $ nc -vt monitoring.domain.tld 10050
    monitoring.domain.tld [X.X.X.X] 10050 (zabbix-agent) open
    

    Zabbix Error

    Hotfix

    # Check CLOUDRON table first
    $ iptables -L CLOUDRON
    Chain CLOUDRON (1 references)
    target     prot opt source               destination         
    DROP       all  --  anywhere             anywhere             match-set cloudron_blocklist src
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere             tcp multiport dports ssh,smtp,http,at-nbp,https
    ACCEPT     tcp  --  anywhere             anywhere             multiport dports 3478,5349
    ACCEPT     udp  --  anywhere             anywhere             multiport dports 3478,5349
    ACCEPT     udp  --  anywhere             anywhere             multiport dports 50000:51000
    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
    ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
    ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
    ACCEPT     all  --  172.18.0.0/16        anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    LOG        all  --  anywhere             anywhere             limit: avg 2/min burst 5 LOG level debug prefix "IPTables Packet Dropped: "
    

    Add the port on position two:

    $ iptables -I CLOUDRON 2 -p tcp -m tcp --dport 10050 -j ACCEPT
    
    # nc again from my localhost
    nc -vt my.domain.tld 10050             
    my.domain.tld [X.X.X.X] 10050 (zabbix-agent) open
    

  • Staff

    @BrutalBirdie Whoops, the filename is wrong. The correct filename is /home/yellowtent/boxdata/firewall/ports.json.

    # cat /home/yellowtent/boxdata/firewall/ports.json
    {
        "allowed_tcp_ports": [ 10050 ]
    }
    
    # systemctl restart cloudron-firewall
    # iptables -L -n | grep -i 10050
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp multiport dports 10050
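
    The thread's root cause was a config file that the firewall never read, so the JSON was silently ignored and only the manual `iptables -I CLOUDRON 2 ...` hotfix opened the port. The script below is an added example, not Cloudron's own code, that makes this failure loud: it validates the `allowed_tcp_ports` list from `/home/yellowtent/boxdata/firewall/ports.json` (the path the staff reply gives) and compares it against the `iptables -L CLOUDRON -n` output, reporting any whitelisted port that has no ACCEPT rule. It assumes the two rule shapes `tcp multiport dports 10050` (as shown in the thread) and `tcp dpt:10050` (what `--dport` rules print); the sample config and rule lines embedded in it are constructed from the thread, not captured from a live host.

```python
"""Check a Cloudron-style TCP port whitelist against live iptables rules.

Added example (not Cloudron's code). Assumed locations and rule formats are
taken from the forum thread; run with --live on a Cloudron host as root.
"""
import json
import re
import subprocess
import sys
from pathlib import Path

# Path from the staff reply; the original post used a wrong filename.
PORTS_JSON = Path("/home/yellowtent/boxdata/firewall/ports.json")

# Matches the two ACCEPT shapes `iptables -L -n` prints for TCP destination ports:
#   ... tcp multiport dports 10050         (Cloudron's own whitelist rule)
#   ... tcp dpt:10050                      (a manual `--dport` hotfix rule)
# Numeric output (-n) is required; service names such as "ssh,smtp" are skipped.
_RULE_RE = re.compile(
    r"^ACCEPT\s+tcp\s.*?(?:multiport\s+dports\s+(?P<multi>[\d:,]+)|dpt:(?P<single>\d+))"
)

# Constructed sample data mirroring the thread (not captured from a real host).
SAMPLE_CONFIG = '{\n    "allowed_tcp_ports": [ 10050 ]\n}\n'
SAMPLE_RULES_OK = (
    "ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            "
    "tcp multiport dports 22,25,80,443\n"
    "ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            "
    "tcp multiport dports 10050\n"
)
SAMPLE_RULES_MISSING = (
    "ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            "
    "tcp multiport dports 22,25,80,443\n"
)


def load_allowed_tcp_ports(config_text: str) -> list[int]:
    """Parse ports.json strictly so a malformed file fails here, not silently."""
    data = json.loads(config_text)
    ports = data.get("allowed_tcp_ports")
    if not isinstance(ports, list):
        raise ValueError('"allowed_tcp_ports" must be a JSON array of port numbers')
    result = []
    for port in ports:
        if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
            raise ValueError(f"invalid port entry: {port!r}")
        result.append(port)
    return result


def accepted_tcp_ports(iptables_output: str) -> set[int]:
    """Collect every TCP destination port opened by an ACCEPT rule, expanding ranges."""
    opened: set[int] = set()
    for line in iptables_output.splitlines():
        match = _RULE_RE.search(line.strip())
        if not match:
            continue
        if match.group("single"):
            opened.add(int(match.group("single")))
            continue
        for item in match.group("multi").split(","):
            if ":" in item:  # multiport range, e.g. 50000:51000
                low, high = (int(x) for x in item.split(":", 1))
                opened.update(range(low, high + 1))
            else:
                opened.add(int(item))
    return opened


def missing_ports(config_text: str, iptables_output: str) -> list[int]:
    """Whitelisted ports with no ACCEPT rule; an empty list means the config took effect."""
    wanted = load_allowed_tcp_ports(config_text)
    opened = accepted_tcp_ports(iptables_output)
    return sorted(p for p in wanted if p not in opened)


def main() -> int:
    if "--live" in sys.argv:
        config_text = PORTS_JSON.read_text()
        rules = subprocess.run(
            ["iptables", "-L", "CLOUDRON", "-n"], check=True, capture_output=True, text=True
        ).stdout
    else:
        config_text, rules = SAMPLE_CONFIG, SAMPLE_RULES_MISSING
    missing = missing_ports(config_text, rules)
    if missing:
        print(f"NOT whitelisted (config ignored or firewall not restarted?): {missing}")
        return 1
    print("all whitelisted TCP ports have an ACCEPT rule")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

    Without `--live` the script runs on the embedded samples (and exits 1, reproducing the thread's "no entry in iptables" situation); with `--live` it reads the real file and chain, which needs root. A non-zero exit right after `systemctl restart cloudron-firewall` is the signal that the file was not picked up, exactly the symptom the thread started with.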
    

  • App Dev

    @girish said in Networking - Whitelist ports does not work as expected:

    @BrutalBirdie Whoops, the filename is wrong. The correct filename is /home/yellowtent/boxdata/firewall/ports.json.

    # cat /home/yellowtent/boxdata/firewall/ports.json
    {
        "allowed_tcp_ports": [ 10050 ]
    }
    
    # systemctl restart cloudron-firewall
    # iptables -L -n | grep -i 10050
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp multiport dports 10050
    

    Now it's working as intended.
    I will create a PR for the docs.

    edit:
    https://git.cloudron.io/cloudron/docs/-/commit/fd7c5d31f5fbd02e65589e06d5f9ee50322269eb
    It has been done already; because it's not live yet, I thought I could do that.

    Thanks 👍



  • This only works for TCP right now.

