add some debugs to the firewall script

This commit is contained in:
Girish Ramakrishnan
2023-12-08 11:05:55 +01:00
parent 620e3af525
commit 793c4ac017
+8
@@ -40,10 +40,12 @@ $ip6tables -t filter -A CLOUDRON -m set --match-set cloudron_blocklist6 src -j D
$ip6tables -I FORWARD 1 -m set --match-set cloudron_blocklist6 src -j DROP # there is no DOCKER-USER chain in ip6tables, bug?
# allow related and establisted connections
echo "==> Opening standard ports"
ipxtables -t filter -A CLOUDRON -m state --state RELATED,ESTABLISHED -j ACCEPT
ipxtables -t filter -A CLOUDRON -p tcp -m tcp -m multiport --dports 22,80,202,443 -j ACCEPT # 202 is the alternate ssh port
# whitelist any user ports. we used to use --dports but it has a 15 port limit (XT_MULTI_PORTS)
echo "==> Opening up user specified ports"
ports_json="/home/yellowtent/platformdata/firewall/ports.json"
if allowed_tcp_ports=$(node -e "console.log(JSON.parse(fs.readFileSync('${ports_json}', 'utf8')).allowed_tcp_ports.join(' '))" 2>/dev/null); then
for p in $allowed_tcp_ports; do
@@ -58,6 +60,7 @@ if allowed_udp_ports=$(node -e "console.log(JSON.parse(fs.readFileSync('${ports_
fi
# LDAP user directory allow list
echo "==> Configuring LDAP allow list"
if ! ipset list cloudron_ldap_allowlist >/dev/null 2>&1; then
echo "==> Creating the cloudron_ldap_allowlist ipset"
ipset create cloudron_ldap_allowlist hash:net
@@ -95,11 +98,13 @@ if [[ -f "${ldap_allowlist_json}" ]]; then
fi
# turn and stun service
echo "==> Opening ports for TURN and STUN"
ipxtables -t filter -A CLOUDRON -p tcp -m multiport --dports 3478,5349 -j ACCEPT
ipxtables -t filter -A CLOUDRON -p udp -m multiport --dports 3478,5349 -j ACCEPT
ipxtables -t filter -A CLOUDRON -p udp -m multiport --dports 50000:51000 -j ACCEPT
# ICMPv6 is very fundamental to IPv6 connectivity unlike ICMPv4
echo "==> Allow ICMP"
$iptables -t filter -A CLOUDRON -p icmp --icmp-type echo-request -j ACCEPT
$iptables -t filter -A CLOUDRON -p icmp --icmp-type echo-reply -j ACCEPT
$ip6tables -t filter -A CLOUDRON -p ipv6-icmp -j ACCEPT
@@ -113,14 +118,17 @@ ipxtables -t filter -A CLOUDRON -m limit --limit 2/min -j LOG --log-prefix "Pack
ipxtables -t filter -A CLOUDRON -j DROP
# prepend our chain to the filter table
echo "==> Adding cloudron chain"
$iptables -t filter -C INPUT -j CLOUDRON 2>/dev/null || $iptables -t filter -I INPUT -j CLOUDRON
$ip6tables -t filter -C INPUT -j CLOUDRON 2>/dev/null || $ip6tables -t filter -I INPUT -j CLOUDRON
# Setup rate limit chain (the recent info is at /proc/net/xt_recent)
echo "==> Setup rate limit chain"
ipxtables -t filter -N CLOUDRON_RATELIMIT || true
ipxtables -t filter -F CLOUDRON_RATELIMIT # empty any existing rules
# log dropped incoming. keep this at the end of all the rules
echo "==> Setup logging"
ipxtables -t filter -N CLOUDRON_RATELIMIT_LOG || true
ipxtables -t filter -F CLOUDRON_RATELIMIT_LOG # empty any existing rules
ipxtables -t filter -A CLOUDRON_RATELIMIT_LOG -m limit --limit 2/min -j LOG --log-prefix "IPTables RateLimit: " --log-level 7