In my DigitalOcean (DO) droplet I installed this image: Ubuntu Docker 17.12.0~ce on 16.04 (which is available on DO website > droplet > destroy > rebuild droplet). In ssh (after user configuration), I ran:
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable
sudo ufw status verbose
and get:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
22                         LIMIT IN    Anywhere
2375/tcp                   ALLOW IN    Anywhere
2376/tcp                   ALLOW IN    Anywhere
22 (v6)                    LIMIT IN    Anywhere (v6)
2375/tcp (v6)              ALLOW IN    Anywhere (v6)
2376/tcp (v6)              ALLOW IN    Anywhere (v6)
As you can see, I don't allow any connections on port 80 (http). OK, to test that the firewall really works, I ran the following docker command:
sudo docker run -d -p 80:80 -e ENABLE_IPV6=true -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy:alpine
But when I go to Chrome and type my droplet IP, I see the nginx response (!!!)
I tried this also with the Ubuntu 17 image (with docker installed by hand) but still got the same problem.
Conclusion: ufw firewall doesn't work at all in Ubuntu
Question: how do I configure ufw/Ubuntu to fix this problem?
Docker and UFW don't work together too well, as they both modify iptables, but there's a way to fix this.
You'll need to configure Docker to not use iptables. Add
DOCKER_OPTS="--iptables=false"
to /etc/default/docker and restart your host (or restart the Docker daemon and UFW).
These two links have a lot more information about the issue:
https://blog.viktorpetersson.com/2014/11/03/the-dangers-of-ufw-docker.html
https://www.techrepublic.com/article/how-to-fix-the-docker-and-ufw-security-flaw/
Doing this DOCKER_OPTS="--iptables=false" didn't work for me.
I suggest adding these lines at the end of /etc/ufw/after.rules:
# BEGIN UFW AND DOCKER
*filter
:ufw-user-forward - [0:0]
:ufw-docker-logging-deny - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j ufw-user-forward
-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16
-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.16.0.0/12
-A DOCKER-USER -j RETURN
-A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
-A ufw-docker-logging-deny -j DROP
COMMIT
# END UFW AND DOCKER
Here is the source.
Alternative solution: drop UFW and instead use the Network Firewall available in the DigitalOcean control panel (on the website).
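An audit script for the situation described in this thread, added here as an example and not code from any of the answers: it compares the ports Docker has published on non-loopback addresses with what ufw actually allows inbound, and reports the ones that bypass "default deny (incoming)". The ufw status and docker ps output below are constructed samples.

```python
import re

# Constructed sample of `sudo ufw status verbose` (not the droplet's real output)
UFW_STATUS = """Status: active
Default: deny (incoming), allow (outgoing), allow (routed)

To                         Action      From
--                         ------      ----
22                         LIMIT IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22 (v6)                    LIMIT IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
"""
# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'`
DOCKER_PS = """nginx-proxy\t0.0.0.0:80->80/tcp, :::80->80/tcp
web\t0.0.0.0:443->443/tcp
internal-db\t127.0.0.1:5432->5432/tcp
"""

UFW_RULE = re.compile(r"^(\d+)(?:/(tcp|udp))?(?: \(v6\))?\s+(ALLOW|LIMIT|DENY|REJECT) IN\s")
PORT_MAP = re.compile(r"^(?P<host>[0-9a-fA-F.:]+):(?P<hport>\d+)->\d+/(?P<proto>tcp|udp)$")

def ufw_allowed_ports(status_text):
    """Return {(port, proto)} that ufw explicitly allows inbound; proto '' means any."""
    allowed = set()
    for line in status_text.splitlines():
        m = UFW_RULE.match(line.strip())
        if m and m.group(3) in ("ALLOW", "LIMIT"):
            allowed.add((int(m.group(1)), m.group(2) or ""))
    return allowed

def docker_published_ports(ps_text):
    """Return [(container, host_ip, host_port, proto)] for every published port."""
    published = []
    for line in ps_text.splitlines():
        name, _, ports = line.partition("\t")
        for entry in ports.split(", "):
            m = PORT_MAP.match(entry.strip())
            if m:
                published.append((name, m.group("host"), int(m.group("hport")), m.group("proto")))
    return published

def unexpected_exposures(status_text, ps_text):
    """Ports Docker binds on a non-loopback address that no ufw rule allows.
    Docker's own iptables rules accept these before ufw's chains are consulted,
    so they are reachable from outside despite 'default deny (incoming)'."""
    allowed = ufw_allowed_ports(status_text)
    return [(name, host, port, proto)
            for name, host, port, proto in docker_published_ports(ps_text)
            if host not in ("127.0.0.1", "::1")
            and (port, proto) not in allowed and (port, "") not in allowed]
```

Run it against the real `ufw status verbose` and `docker ps` output after applying either fix above; an empty result means ufw and Docker now agree.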
As far as I know, macOS doesn't have iptables but has pf (packet filter), which is similar to iptables. But when I look at the istio-init container's log, I see the Istio Envoy proxy running a command that initializes the nat table of iptables.
The log looks like this:
2022-05-26T08:51:19.067180Z info Istio iptables environment:
ENVOY_PORT=
INBOUND_CAPTURE_PORT=
ISTIO_INBOUND_INTERCEPTION_MODE=
ISTIO_INBOUND_TPROXY_ROUTE_TABLE=
ISTIO_INBOUND_PORTS=
ISTIO_OUTBOUND_PORTS=
ISTIO_LOCAL_EXCLUDE_PORTS=
ISTIO_EXCLUDE_INTERFACES=
ISTIO_SERVICE_CIDR=
ISTIO_SERVICE_EXCLUDE_CIDR=
ISTIO_META_DNS_CAPTURE=
INVALID_DROP=
2022-05-26T08:51:19.069632Z info Istio iptables variables:
PROXY_PORT=15001
PROXY_INBOUND_CAPTURE_PORT=15006
PROXY_TUNNEL_PORT=15008
PROXY_UID=1337
PROXY_GID=1337
INBOUND_INTERCEPTION_MODE=REDIRECT
INBOUND_TPROXY_MARK=1337
INBOUND_TPROXY_ROUTE_TABLE=133
INBOUND_PORTS_INCLUDE=*
INBOUND_PORTS_EXCLUDE=15090,15021,15020
OUTBOUND_IP_RANGES_INCLUDE=*
OUTBOUND_IP_RANGES_EXCLUDE=
OUTBOUND_PORTS_INCLUDE=
OUTBOUND_PORTS_EXCLUDE=
KUBE_VIRT_INTERFACES=
ENABLE_INBOUND_IPV6=false
DNS_CAPTURE=false
DROP_INVALID=false
CAPTURE_ALL_DNS=false
DNS_SERVERS=[],[]
OUTPUT_PATH=
NETWORK_NAMESPACE=
CNI_MODE=false
EXCLUDE_INTERFACES=
2022-05-26T08:51:19.071962Z info Writing following contents to rules file: /tmp/iptables-rules-1653555079071333887.txt2006549362
* nat
-N ISTIO_INBOUND
-N ISTIO_REDIRECT
-N ISTIO_IN_REDIRECT
-N ISTIO_OUTPUT
-A ISTIO_INBOUND -p tcp --dport 15008 -j RETURN
-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
-A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
-A PREROUTING -p tcp -j ISTIO_INBOUND
-A ISTIO_INBOUND -p tcp --dport 15090 -j RETURN
-A ISTIO_INBOUND -p tcp --dport 15021 -j RETURN
-A ISTIO_INBOUND -p tcp --dport 15020 -j RETURN
-A ISTIO_INBOUND -p tcp -j ISTIO_IN_REDIRECT
-A OUTPUT -p tcp -j ISTIO_OUTPUT
-A ISTIO_OUTPUT -o lo -s 127.0.0.6/32 -j RETURN
-A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -m owner --uid-owner 1337 -j ISTIO_IN_REDIRECT
-A ISTIO_OUTPUT -o lo -m owner ! --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -m owner --gid-owner 1337 -j ISTIO_IN_REDIRECT
-A ISTIO_OUTPUT -o lo -m owner ! --gid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
-A ISTIO_OUTPUT -j ISTIO_REDIRECT
COMMIT
2022-05-26T08:51:19.072193Z info Running command: iptables-restore --noflush /tmp/iptables-rules-1653555079071333887.txt2006549362
2022-05-26T08:51:19.097324Z error Command error output: xtables parameter problem: iptables-restore: unable to initialize table 'nat'
Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
2022-05-26T08:51:19.097801Z error Failed to execute: iptables-restore --noflush /tmp/iptables-rules-1653555079071333887.txt2006549362, exit status 2
I have questions about this.
What OS is the Envoy proxy running on? I'm running k8s with minikube on an M1.
If it's running on macOS, how can it run a command like iptables-restore, even though macOS doesn't have iptables?
Have a good day.
I have to allow port 9000 so SonarQube can be accessible, so I flushed iptables and added the configuration below, but since then the following things have been happening:
no external URL connecting
unable to connect via FTP with FileZilla (but NFtp working)
Below is the configuration:
# Generated by iptables-save v1.4.7 on Thu Feb 1 08:11:50 2018
*filter
:INPUT DROP [19:1566]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [9:928]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9090 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -m comment --comment "Allow ftp connections on port 21" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow ftp connections on port 20" -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -m comment --comment "Allow passive inbound connections" -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -m comment --comment "Allow ftp connections on port 21" -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -m comment --comment "Allow ftp connections on port 20" -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Allow passive inbound connections" -j ACCEPT
COMMIT
# Completed on Thu Feb 1 08:11:50 2018
Please help.
CentOS 6.9
I was finally able to configure it so that git, composer and jenkins are all able to communicate with the external world and I can ssh via mingw git bash. The configuration script is:
#!/bin/bash
iptables -F
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp --dport 9090 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/service iptables save
/sbin/service iptables restart
/sbin/service network restart
iptables -L -v
My error:
# psql -U postgres -h 10.230.5.51
psql: could not connect to server: Connection refused
Is the server running on host "10.230.5.51" and accepting
TCP/IP connections on port 5432?
In postgresql.conf:
listen_addresses = '*'
port = 5432 # (change requires restart)
I have added the client server in pg_hba.conf (username/database replaced by X)
host X X 10.230.5.21 md5
host X X 10.230.5.22 md5
Before I added those in the pg_hba.conf, it gave me this error:
# psql -U postgres -h 10.230.5.51
psql: FATAL: no pg_hba.conf entry for host "10.230.5.22", user "X", database "X", SSL on
FATAL: no pg_hba.conf entry for host "10.230.5.22", user "X", database "X", SSL off
So I assume the first steps I have taken are correct?
The last step I feel I may be missing could be iptables. The rules look like this:
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 10.230.4.0/22 -j LOCAL
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8010 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 10443 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A LOCAL -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A LOCAL -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A LOCAL -p udp -m state --state NEW -m udp --dport 123 -j ACCEPT
-A LOCAL -p tcp -m state --state NEW -m tcp --dport 2181 -j ACCEPT
-A LOCAL -p tcp -m state --state NEW -m tcp --dport 2888 -j ACCEPT
-A LOCAL -p tcp -m state --state NEW -m tcp --dport 3888 -j ACCEPT
-A LOCAL -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT
-A LOCAL -p tcp -m state --state NEW -m tcp --dport 7000 -j ACCEPT
-A LOCAL -p tcp -m state --state NEW -m tcp --dport 7001 -j ACCEPT
-A LOCAL -p tcp -m state --state NEW -m tcp --dport 9042 -j ACCEPT
-A LOCAL -p tcp -m state --state NEW -m tcp --dport 9160 -j ACCEPT
Is the iptables configuration OK? I can see that port 5432 is on the list. Is the connection being refused by another rule before that? iptables commands are weird.
General information:
Both computers are running Linux. I did not originally set up the database. The database is running fine, but only locally, even though this happened when running the command on the server with the postgres database:
# psql -U postgres -h localhost
psql: could not connect to server: Connection refused
Is the server running on host "localhost" (::1) and accepting
TCP/IP connections on port 5432?
could not connect to server: Connection refused
Is the server running on host "localhost" (127.0.0.1) and accepting
TCP/IP connections on port 5432?
I faced the same problem in PostgreSQL 9.6 and I resolved it in the following way.
sudo nano /etc/postgresql/9.6/main/postgresql.conf
Put '*' instead of localhost on the following line and remove the comment sign (#):
listen_addresses = '*'
Add the following line to pg_hba.conf:
#TYPE DATABASE USER CIDR-ADDRESS METHOD
host all all 0.0.0.0/0 md5
Restart the service:
(Ubuntu) sudo service postgresql restart
Do the following:
Update /var/lib/pgsql/<version>/data/postgresql.conf
Change #listen_addresses = 'localhost' to listen_addresses = '*'
Restart the service
Check that you did not swap DATABASE with USERNAME.
This also happened to me and this fixed it. The correct syntax is:
host DATABASE USERNAME ADDRESS METHOD
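A small pg_hba.conf checker, added here as an example and not code from any answer in this thread: it catches the swapped DATABASE/USERNAME/ADDRESS columns from the last answer by testing whether the ADDRESS field parses as an IP or CIDR, and it also flags the "host all all 0.0.0.0/0" style line from the earlier answer, which admits every client rather than just the two hosts in the question. The sample file is constructed.

```python
import ipaddress

# Constructed pg_hba.conf sample (not the thread's real file): line 4 has the
# ADDRESS and DATABASE columns swapped, line 5 opens every database to any client.
PG_HBA = """# TYPE  DATABASE  USER      ADDRESS         METHOD
local   all       postgres                  peer
host    X         X         10.230.5.21     md5
host    10.230.5.22  X      X               md5
host    all       all       0.0.0.0/0       trust
hostssl app       app       10.230.4.0/22   scram-sha-256
"""

def parse_hba(text):
    """Yield (line_no, type, database, user, address, method); local lines have no address."""
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":
            yield (n, fields[0], fields[1], fields[2], None, fields[3])
        else:
            yield (n, fields[0], fields[1], fields[2], fields[3], fields[4])

def check_hba(text):
    """Return (line_no, problem) for entries that cannot match or are wider than intended."""
    findings = []
    for n, typ, db, user, addr, method in parse_hba(text):
        if typ == "local":
            continue
        try:
            net = ipaddress.ip_network(addr, strict=False)   # a bare IP becomes a /32
        except ValueError:
            findings.append((n, f"ADDRESS {addr!r} is not an IP/CIDR: DATABASE/USER/ADDRESS order is wrong"))
            continue
        if net.prefixlen == 0:
            findings.append((n, f"ADDRESS {addr} matches every client; restrict it to the client subnet"))
        if method == "trust":
            findings.append((n, "METHOD trust lets any matching client in without a password"))
    return findings
```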
I have a CentOS 6 VM on a Windows box. I can use PuTTY to connect to the machine (on port 22) but can't connect via client applications (pgAdmin) or via telnet mytargetvmip 5432 to PostgreSQL (I did modify the pg_hba.conf file).
Here is what I have done: I changed the iptables file and then ran a service iptables restart command, but to no avail.
Please note, in the given iptables file, I had also tried iptables -I INPUT 1 -m tcp -p tcp --dport 5432 -j ACCEPT just before COMMIT but no luck. I want to be able to connect via any remote IP.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT
COMMIT
Thanks.
Never mind, in addition to the pg_hba.conf file, I also had to modify the postgresql.conf file to uncomment and set listen_addresses to "*". After that, I removed my entry for port 5432 from the iptables file and then ran the following commands:
iptables -I INPUT 1 -m tcp -p tcp --dport 5432 -j ACCEPT
service iptables save
service iptables restart
Everything works.
HTH
I've got a machine running CentOS, and it's connected to a Windows network. When I try to view the network I'm getting the error "unable to connect share list from server". Once I turned iptables off everything works fine. How can I fix this problem? My current iptables configuration is:
# Generated by iptables-save v1.4.7 on Sat Nov 16 11:06:35 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6:360]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -m state --state NEW -m udp -p udp --dport 445 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat Nov 16 11:06:35 2013
You can temporarily add a log rule for rejected traffic:
-A INPUT -j LOG --log-prefix "Rejected: "
before your:
-A INPUT -j REJECT --reject-with icmp-host-prohibited
And you'll see which traffic is rejected.
a] First, log the dropped packets, for example like this:
#----------
# Logs to messages.log
#----------
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: INPUT " --log-level 4
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: OUTPUT " --log-level 4
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables denied: FORWARD " --log-level 4
b] Tail the dropped packets from messages:
tomas#raspirarium:~ $ tail -f /var/log/messages |grep "iptables denied"
c] Write iptables rules for the denied entries from messages.log on the fly, as in the example below:
#----------
# Windows Samba
#----------
# incoming request
-A INPUT -i eth0 -p tcp -s 192.168.79.0/24 -m multiport --dports 139,445 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -d 192.168.79.0/24 -m multiport --sports 1024:65535 -m state --state ESTABLISHED -j ACCEPT
# outgoing also handled
-A OUTPUT -o eth0 -p tcp -s 192.168.79.0/24 -m multiport --dports 139,445 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -s 192.168.79.0/24 -m multiport --sports 1024:65535 -m state --state ESTABLISHED -j ACCEPT
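The log-then-write-rules approach from the last two answers, with the reading step done by code: an added example, not code from the thread, that parses the kernel LOG lines the "iptables denied: INPUT " rule produces and counts INPUT denials per protocol and destination port, separating LAN sources from outside ones so a missing Samba rule stands out from ordinary internet noise. The log lines are constructed, and 192.168.2.0/24 is taken as the LAN from the question's ruleset.

```python
import re
import ipaddress
from collections import Counter

# Constructed /var/log/messages excerpt (not the thread's real log), in the format the
# LOG rules above produce with prefix "iptables denied: INPUT ".
MESSAGES = """Nov 16 11:07:01 centos kernel: iptables denied: INPUT IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=192.168.2.10 DST=192.168.2.5 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=1 DF PROTO=TCP SPT=49200 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 16 11:07:02 centos kernel: iptables denied: INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.168.2.10 DST=192.168.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=2 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 16 11:07:02 centos kernel: iptables denied: INPUT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.168.2.10 DST=192.168.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=3 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 16 11:07:05 centos kernel: iptables denied: INPUT IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:66:08:00 SRC=203.0.113.9 DST=192.168.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=4 PROTO=TCP SPT=41000 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 16 11:07:06 centos sshd[1234]: Accepted publickey for tomas from 192.168.2.10
"""

LOG_LINE = re.compile(r"iptables denied: (?P<chain>\w+) (?P<kv>.*)$")
LAN = ipaddress.ip_network("192.168.2.0/24")   # assumed LAN, from the question's ruleset

def parse_denials(text):
    """Return (chain, in_iface, src, dst, proto, dport) per LOG line; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue
        # KEY=VALUE tokens; flag words such as DF and SYN carry no '=' and are ignored
        kv = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
        out.append((m.group("chain"), kv.get("IN", ""), kv.get("SRC"), kv.get("DST"),
                    kv.get("PROTO"), int(kv["DPT"]) if "DPT" in kv else None))
    return out

def denied_by_service(text, lan=LAN):
    """Count INPUT denials per (proto, dport, from_lan). A LAN entry with a high count is a
    service the ruleset forgot; the same port from outside is expected noise and stays separate."""
    counts = Counter()
    for chain, _, src, _, proto, dport in parse_denials(text):
        if chain == "INPUT" and src:
            counts[(proto, dport, ipaddress.ip_address(src) in lan)] += 1
    return counts
```

On a live box, pipe `grep "iptables denied" /var/log/messages` into parse_denials and write an ACCEPT rule only for the LAN entries you recognise.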