diff --git a/setup/start/cloudron-firewall.sh b/setup/start/cloudron-firewall.sh
index a91bacdcd..288d5d2fd 100755
--- a/setup/start/cloudron-firewall.sh
+++ b/setup/start/cloudron-firewall.sh
@@ -6,18 +6,7 @@ echo "==> Setting up firewall"
 iptables -t filter -N CLOUDRON || true
 iptables -t filter -F CLOUDRON # empty any existing rules
-# NOTE: keep these in sync with src/apps.js validatePortBindings
-# allow ssh, http, https, ping, dns
-iptables -t filter -I CLOUDRON -m state --state RELATED,ESTABLISHED -j ACCEPT
-# ssh is allowed alternately on port 202
-iptables -A CLOUDRON -p tcp -m tcp -m multiport --dports 22,25,80,202,443 -j ACCEPT
-
-# user firewall
-user_firewall_json="/home/yellowtent/boxdata/firewall-config.json"
-if allowed_tcp_ports=$(node -e "console.log(JSON.parse(fs.readFileSync('${user_firewall_json}', 'utf8')).allowed_tcp_ports.join(','))" 2>/dev/null); then
-    [[ -n "${allowed_tcp_ports}" ]] && iptables -A CLOUDRON -p tcp -m tcp -m multiport --dports "${allowed_tcp_ports}" -j ACCEPT
-fi
-
+# first setup any user IP block lists
 ipset create cloudron_blocklist hash:net || true
 /home/yellowtent/box/src/scripts/setblocklist.sh
@@ -26,6 +15,16 @@ if ! iptables -t filter -C FORWARD -m set --match-set cloudron_blocklist src -j
     iptables -t filter -I FORWARD -m set --match-set cloudron_blocklist src -j DROP
 fi
 
+# allow related and establisted connections
+iptables -t filter -I CLOUDRON -m state --state RELATED,ESTABLISHED -j ACCEPT
+iptables -A CLOUDRON -p tcp -m tcp -m multiport --dports 22,25,80,202,443 -j ACCEPT # 202 is the alternate ssh port
+
+# whitelist any user ports
+user_firewall_json="/home/yellowtent/boxdata/firewall-config.json"
+if allowed_tcp_ports=$(node -e "console.log(JSON.parse(fs.readFileSync('${user_firewall_json}', 'utf8')).allowed_tcp_ports.join(','))" 2>/dev/null); then
+    [[ -n "${allowed_tcp_ports}" ]] && iptables -A CLOUDRON -p tcp -m tcp -m multiport --dports "${allowed_tcp_ports}" -j ACCEPT
+fi
+
 # turn and stun service
 iptables -t filter -A CLOUDRON -p tcp -m multiport --dports 3478,5349 -j ACCEPT
 iptables -t filter -A CLOUDRON -p udp -m multiport --dports 3478,5349 -j ACCEPT
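Review bot: The re-added `--dports "${allowed_tcp_ports}"` rule in this hunk passes whatever the JSON file lists straight to iptables without any check in the script, and the `# NOTE: keep these in sync with src/apps.js validatePortBindings` comment that recorded where the list and the `22,25,80,202,443` defaults are validated was dropped in the first hunk rather than moved, so the assumption the script now rests on is undocumented; a `low:high` range string in that list would be accepted by multiport as-is, and a list of more than 15 entries makes iptables fail, which the `&&` form discards silently just as `2>/dev/null` hides a parse failure of the file. I would restore the sync note above the default-ports line, validate the joined list as digits and commas before using it, and log a diagnostic to stderr instead of dropping the failure. The typo `establisted` on the first added line should read `established`.
```shell
# NOTE: keep these in sync with src/apps.js validatePortBindings
iptables -A CLOUDRON -p tcp -m tcp -m multiport --dports 22,25,80,202,443 -j ACCEPT # 202 is the alternate ssh port

# whitelist any user ports (presumably validated by validatePortBindings; re-check here so a bad entry cannot widen the rule)
user_firewall_json="/home/yellowtent/boxdata/firewall-config.json"
if allowed_tcp_ports=$(node -e "console.log(JSON.parse(fs.readFileSync('${user_firewall_json}', 'utf8')).allowed_tcp_ports.join(','))" 2>/dev/null); then
    if [[ "${allowed_tcp_ports}" =~ ^[0-9]+(,[0-9]+)*$ ]]; then
        # multiport accepts at most 15 ports; surface a failure instead of dropping it
        iptables -A CLOUDRON -p tcp -m tcp -m multiport --dports "${allowed_tcp_ports}" -j ACCEPT || echo "==> Could not whitelist user ports ${allowed_tcp_ports}" >&2
    elif [[ -n "${allowed_tcp_ports}" ]]; then
        echo "==> Ignoring malformed allowed_tcp_ports in ${user_firewall_json}" >&2
    fi
fi
# … unchanged: turn and stun service rules …
```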