
Cloudron Forum


Make iptables changes persistent

Solved Support
firewall, iptables
4 Posts 2 Posters 73 Views
    justjulian
    wrote on last edited by girish
    #1

    Hi, I would need to whitelist incoming traffic from certain IP ranges and block all other traffic. Reading through documentation and forum, the recommended approach is configuring the security group of the server and not iptables directly. However, in our setup there is no separate security group by the cloud provider that could be configured, it is a dedicated server.
    What is the recommended approach by Cloudron to configure iptables so that Cloudron won't override those changes to iptables?

    girish Staff
    wrote on last edited by
    #2

    Currently, this is not easy to do. Ubuntu has iptables-persistent but we found that docker, which also manipulates iptables, will have a "race" with that service and sometimes iptables becomes all jumbled. For this reason, we have our own cloudron-firewall service into which we integrate the necessary firewalling features.

    An idea that I want to point out before suggesting iptables is that if you use something like Cloudflare already, you can do whitelisting there.

    We are also looking into wireguard/openvpn integration next release to seal off servers because IP based restrictions are usually fragile. Maybe we can look into whitelisting specific IPs as part of this feature. Note that you can already block IPs - https://docs.cloudron.io/networking/#blocklist

    justjulian
    wrote on last edited by
    #3

    Thanks @girish much appreciated.
    That is unfortunately the answer I expected after reading similar posts here.

    I am using something similar to Cloudflare, however, as with all those services, that whitelisting can be easily bypassed.
    I would just need to set up a local resolver rule for my Cloudron domain and my request to Cloudron never passes through Cloudflare but reaches Cloudron directly without any filtering.

    I am also not a huge fan of IP based access restriction and would also prefer to see access restriction based on for example Wireguard, as you suggested.

    When it comes to Wireguard I am using this great project here to configure and maintain a Wireguard server:
    https://github.com/trailofbits/algo
    What could an integration with Wireguard look like? Would one add a list of Wireguard users to the Cloudron settings or what would you suggest?

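The bypass described in post #3 shows up at the origin as requests whose TCP peer is not one of the filtering proxy's addresses. The following is an added example, not part of any post in this thread and not Cloudron code, that flags such requests in an access log; the log format, the `PROXY_RANGES` values and the function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 / RFC 3849 documentation nets).
# Replace with the ranges your filtering proxy actually publishes.
PROXY_RANGES = [ipaddress.ip_network(n)
                for n in ("198.51.100.0/24", "2001:db8:100::/48")]

# Constructed access-log lines: "<TCP peer address> <Host header> <path>".
# The peer must be the socket address, not X-Forwarded-For, because a
# client that connects directly controls every request header.
SAMPLE_LOG = """\
198.51.100.17 my.example.com /login
203.0.113.45 my.example.com /login
2001:db8:100::9 my.example.com /api/v1/apps
not-an-ip my.example.com /
192.0.2.8 my.example.com /api/v1/apps
"""


def via_proxy(peer: str) -> bool:
    """True if the TCP peer address belongs to one of the proxy's ranges."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False  # unparseable peer: treat as not coming from the proxy
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net
               for net in PROXY_RANGES)


def direct_hits(log_text: str):
    """Return (peer, host, path) for requests that did not arrive via the proxy."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that do not match the assumed format
        peer, host, path = parts
        if not via_proxy(peer):
            hits.append((peer, host, path))
    return hits


if __name__ == "__main__":
    for peer, host, path in direct_hits(SAMPLE_LOG):
        print(f"direct-to-origin request: {peer} -> {host}{path}")
```
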
    girish Staff
    replied to justjulian on last edited by
    #4

    @justjulian said in Make iptables changes persistent:

    What could an integration with Wireguard look like? Would one add a list of Wireguard users to the Cloudron settings or what would you suggest?

    I don't have the design for this (yet). It's quite a big project, so I will leave my notes in the main 7.4 release thread as we implement them.

  • girish has marked this topic as solved on
