    Solved Make iptables changes persistent

    Support
    firewall iptables
    • J
      justjulian last edited by girish

      Hi, I would need to whitelist incoming traffic from certain IP ranges and block all other traffic. Reading through documentation and forum, the recommended approach is configuring the security group of the server and not iptables directly. However, in our setup there is no separate security group by the cloud provider that could be configured, it is a dedicated server.
      What is the recommended approach by Cloudron to configure iptables so that Cloudron won't override those changes to iptables?

      • girish
        girish Staff last edited by

        Currently, this is not easy to do. Ubuntu has iptables-persistent but we found that docker, which also manipulates iptables, will have a "race" with that service and sometimes iptables becomes all jumbled. For this reason, we have our own cloudron-firewall service into which we integrate the necessary firewalling features.

        An idea that I want to point out before suggesting iptables is that if you use something like Cloudflare already, you can do whitelisting there.

        We are also looking into wireguard/openvpn integration next release to seal off servers because IP based restrictions are usually fragile. Maybe we can look into whitelisting specific IPs as part of this feature. Note that you can already block IPs - https://docs.cloudron.io/networking/#blocklist

        • J
          justjulian last edited by

          Thanks @girish much appreciated.
          That is unfortunately the answer I expected after reading similar posts here.

          I am using something similar to Cloudflare, however, as with all those services, that whitelisting can be easily bypassed.
          I would just need to set up a local resolver rule for my Cloudron domain and my request to Cloudron never passes through Cloudflare but reaches Cloudron directly without any filtering.

          I am also not a huge fan of IP based access restriction and would also prefer to see access restriction based on for example Wireguard, as you suggested.

          When it comes to Wireguard I am using this great project here to configure and maintain a Wireguard server:
          https://github.com/trailofbits/algo
          What could an integration with Wireguard look like? Would one add a list of Wireguard users to the Cloudron settings, or what would you suggest?

          • girish
            girish Staff @justjulian last edited by

            @justjulian said in Make iptables changes persistent:

            What could an integration with Wireguard look like? Would one add a list of Wireguard users to the Cloudron settings, or what would you suggest?

            I don't have the design for this (yet). It's quite a big project, so I will leave my notes in the main 7.4 release thread as we implement them.
