Make iptables changes persistent
-
Hi, I would need to whitelist incoming traffic from certain IP ranges and block all other traffic. Reading through documentation and forum, the recommended approach is configuring the security group of the server and not iptables directly. However, in our setup there is no separat security group by the cloud provider that could be configured, it is a dedicated server.
What is the recommended approach by Cloudron to configure iptables so that Cloudron won't override those changes to iptables? -
Currently, this is not easy to do. Ubuntu has iptables-persistent but we found that docker, which also manipulates iptables, will have a "race" with that service and sometimes iptables becomes all jumbled. For this reason, we have our own cloudron-firewall service into which we integrate the necessary firewalling features.
An idea that I want to point out before suggesting iptables is that if you use something like Cloudflare already, you can do whitelisting there.
We are also looking into wireguard/openvpn integration next release to seal off servers because IP based restrictions are usually fragile. Maybe we can look into whitelisting specific IPs as part of this feature. Note that you can already block IPs - https://docs.cloudron.io/networking/#blocklist
-
Thanks @girish much appreciated.
That is unfortunately the answer I expected after reading similar posts here.I am using something similar to Clouflare, however, as with all those services, that whitelisting can be easily bypassed.
I would just need to set up a local resolver rule for my Cloudron domain and my request to Cloudron never passes through Cloudflare but reaches Cloudron directly without any filtering.I am also not a huge fan of IP based access restriction and would also prefer to see access restriction based on for example Wireguard, as you suggested.
When it comes to Wireguard I am using this great project here to configure and maintain a Wireguard server:
https://github.com/trailofbits/algo
How could an integration with Wireguard look like? Would one add a list of Wireguard user to the Cloudron settings or what would you suggest? -
Thanks @girish much appreciated.
That is unfortunately the answer I expected after reading similar posts here.I am using something similar to Clouflare, however, as with all those services, that whitelisting can be easily bypassed.
I would just need to set up a local resolver rule for my Cloudron domain and my request to Cloudron never passes through Cloudflare but reaches Cloudron directly without any filtering.I am also not a huge fan of IP based access restriction and would also prefer to see access restriction based on for example Wireguard, as you suggested.
When it comes to Wireguard I am using this great project here to configure and maintain a Wireguard server:
https://github.com/trailofbits/algo
How could an integration with Wireguard look like? Would one add a list of Wireguard user to the Cloudron settings or what would you suggest?@justjulian said in Make iptables changes persistent:
How could an integration with Wireguard look like? Would one add a list of Wireguard user to the Cloudron settings or what would you suggest?
I don't have the design for this (yet). It's quite a big project, so I will leave my notes in the main 7.4 release thread as we implement them.
-
G girish has marked this topic as solved on