Cloudron Forum
Make iptables changes persistent

Category: Support. Tags: firewall, iptables. Status: Solved.
4 Posts, 2 Posters, 759 Views

#1 justjulian wrote (last edited by girish):

Hi, I would need to whitelist incoming traffic from certain IP ranges and block all other traffic. Reading through documentation and forum, the recommended approach is configuring the security group of the server and not iptables directly. However, in our setup there is no separate security group by the cloud provider that could be configured, it is a dedicated server.
What is the recommended approach by Cloudron to configure iptables so that Cloudron won't override those changes to iptables?

#2 girish (Staff) wrote:

        Currently, this is not easy to do. Ubuntu has iptables-persistent but we found that docker, which also manipulates iptables, will have a "race" with that service and sometimes iptables becomes all jumbled. For this reason, we have our own cloudron-firewall service into which we integrate the necessary firewalling features.

        An idea that I want to point out before suggesting iptables is that if you use something like Cloudflare already, you can do whitelisting there.

We are also looking into wireguard/openvpn integration in the next release to seal off servers, because IP based restrictions are usually fragile. Maybe we can look into whitelisting specific IPs as part of this feature. Note that you can already block IPs - https://docs.cloudron.io/networking/#blocklist
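
An added example, not from this thread and not Cloudron's cloudron-firewall service: a POSIX shell check that compares the rule set you persisted with the live `iptables-save` output and reports any saved rules that have disappeared, which is the symptom described above when docker and iptables-persistent race for the tables. Both dumps are constructed inline so the script runs offline; the rule contents, the IP ranges and the `/etc/iptables/rules.v4` path are assumptions, and in production you would feed it that file and the real `iptables-save` output from a cron job or timer.

```shell
#!/bin/sh
# Added example (not Cloudron's code, not cloudron-firewall): detect drift
# between the iptables rules you intended to persist and the rules that
# are live right now. Both dumps are constructed inline so it runs offline;
# in production feed it /etc/iptables/rules.v4 and `iptables-save` output.
LC_ALL=C
export LC_ALL

# Constructed: the rule set as saved (allow two ranges on 443, drop the rest).
SAVED_RULES='# Generated by iptables-save v1.8.7 on Mon Jan  1 00:00:00 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j DROP
COMMIT
# Completed on Mon Jan  1 00:00:00 2024'

# Constructed: a later `iptables-save` after another service (docker here)
# rewrote the tables. Counters and the FORWARD policy changed (expected);
# the whitelist and the final DROP are gone (the drift we want to catch).
LIVE_RULES='# Generated by iptables-save v1.8.7 on Mon Jan  1 01:00:00 2024
*filter
:INPUT ACCEPT [1234:567890]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [99:8765]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DOCKER-USER
COMMIT
# Completed on Mon Jan  1 01:00:00 2024'

# Reduce a dump to its -A rule lines: drop comments, chain policies and
# COMMIT, strip `-c pkts bytes` counters (from iptables-save -c) and
# trailing spaces, then sort so comm(1) can compare the two sets.
normalize_rules() {
    printf '%s\n' "$1" \
        | grep '^-A ' \
        | sed -e 's/ -c [0-9][0-9]* [0-9][0-9]*//' -e 's/[[:space:]]*$//' \
        | sort -u
}

# Print every saved rule that is absent from the live table, one per line.
# Extra live rules (docker's own chains) are ignored: only losses matter.
missing_rules() {
    tmp_saved=$(mktemp); tmp_live=$(mktemp)
    normalize_rules "$1" > "$tmp_saved"
    normalize_rules "$2" > "$tmp_live"
    comm -23 "$tmp_saved" "$tmp_live"
    rm -f "$tmp_saved" "$tmp_live"
}

# Return 0 when every saved rule is live, 1 (plus a report) when rules vanished.
check_drift() {
    lost=$(missing_rules "$1" "$2")
    if [ -n "$lost" ]; then
        echo "DRIFT: saved rules missing from live iptables:"
        printf '%s\n' "$lost"
        return 1
    fi
    echo "OK: all saved rules are live"
    return 0
}

check_drift "$SAVED_RULES" "$LIVE_RULES"
DRIFT_STATUS=$?   # 1 for the constructed dumps above; a cron job would exit with this
```

The comparison is one-directional on purpose: docker adding its own `DOCKER-USER` and `FORWARD` entries is normal and should not alarm anyone, whereas a whitelist or a final `DROP` that silently vanishes is exactly the failure mode that needs an alert.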

#3 justjulian wrote:

          Thanks @girish much appreciated.
          That is unfortunately the answer I expected after reading similar posts here.

I am using something similar to Cloudflare, however, as with all those services, that whitelisting can be easily bypassed.
I would just need to set up a local resolver rule for my Cloudron domain and my request to Cloudron never passes through Cloudflare but reaches Cloudron directly without any filtering.

          I am also not a huge fan of IP based access restriction and would also prefer to see access restriction based on for example Wireguard, as you suggested.

When it comes to Wireguard I am using this great project here to configure and maintain a Wireguard server:
https://github.com/trailofbits/algo
What could an integration with Wireguard look like? Would one add a list of Wireguard users to the Cloudron settings, or what would you suggest?

#4 girish (Staff) wrote:

            @justjulian said in Make iptables changes persistent:

What could an integration with Wireguard look like? Would one add a list of Wireguard users to the Cloudron settings, or what would you suggest?

            I don't have the design for this (yet). It's quite a big project, so I will leave my notes in the main 7.4 release thread as we implement them.

girish has marked this topic as solved.