
Thread: what is correct way to setup firewall rules?

  1. #1

    Default what is correct way to setup firewall rules?

    Hello Everyone,

    I've upgraded from openSUSE Leap 15.2 to 15.3. I'm confused about how to set up the firewall.

    In 15.2, I could set up the firewall using either yast, firewall-cmd or iptables (e.g. open TCP port 80). All of these commands synchronized with each other. In other words, if I opened TCP port 80 in yast, it also showed up automatically in "firewall-cmd --list-all" and "iptables -S".

    But in 15.3, if I set up the firewall in yast (open TCP port 80), it does not show up in iptables. Then, when I use the iptables command to add a new rule, for example to open port 443/tcp, it overwrites the setting from yast, so 80/tcp is closed and only port 443/tcp is open.

    I'm confused, because I also use Docker. Docker inserts iptables rules. I also have a custom bash script that uses firewall-cmd commands to set up the firewall. In 15.3, the firewall settings are messed up in my situation.


    Does anyone have good suggestions? Thank you.

    Best regards,

  2. #2
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    24,111
    Blog Entries
    1

    Default Re: what is correct way to setup firewall rules?

    Quote Originally Posted by suseoes View Post
    Hello Everyone,

    I've upgraded from openSUSE Leap 15.2 to 15.3. I'm confused about how to set up the firewall.

    In 15.2, I could set up the firewall using either yast, firewall-cmd or iptables (e.g. open TCP port 80). All of these commands synchronized with each other. In other words, if I opened TCP port 80 in yast, it also showed up automatically in "firewall-cmd --list-all" and "iptables -S".

    But in 15.3, if I set up the firewall in yast (open TCP port 80), it does not show up in iptables. Then, when I use the iptables command to add a new rule, for example to open port 443/tcp, it overwrites the setting from yast, so 80/tcp is closed and only port 443/tcp is open.

    Firewalld is now using nftables by default. (However you can change that if desired.)
    https://firewalld.org/2018/07/nftables-backend

    openSUSE Leap 15.4; KDE Plasma 5

  3. #3
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    24,111
    Blog Entries
    1

    Default Re: what is correct way to setup firewall rules?

    BTW, if you prefer GUI configuration, consider using firewall-config.
    openSUSE Leap 15.4; KDE Plasma 5

  4. #4
    Join Date
    Feb 2010
    Location
    Germany
    Posts
    4,932

    Default Re: what is correct way to setup firewall rules?

    @suseoes:

    Please take a look at the “iptables-nft” package and this blog entry – <https://ehlers.berlin/blog/nftables-and-docker/>.
    • It seems that, currently, Docker doesn't support nftables directly …

  5. #5

    Lightbulb Re: what is correct way to setup firewall rules?

    Quote Originally Posted by deano_ferrari View Post
    Firewalld is now using nftables by default. (However you can change that if desired.)
    https://firewalld.org/2018/07/nftables-backend

    Thank you, guys.

    As https://firewalld.org/2018/07/nftables-backend says:

    firewall rules created outside of firewalld (e.g. libvirt, docker, user, etc) will take precedence over firewalld’s rules.
    I made several tests, added iptables rules manually, and found the following:


    1. Rule 1
    It looks like "iptables" is an independent firewall. If a packet passes through "iptables", it must then go through "firewalld's rules"; if both firewalls pass it, it reaches its destination.

    In other words, if a packet gets rejected by any of these two independent firewalls, it cannot reach its destination.

    This rule applies to services on the local host, for example when I install nginx on localhost on port 80.

    2. Rule 2
    If I use Docker on the host, it looks like Docker takes over "iptables" and "firewalld's rules", so Rule 1 does not work at all.

    For example, I run nginx on port 8080 on the host with the command "docker run -d -p 8080:80 nginx". Now, no matter how I set up iptables (including the "DOCKER-USER" chain) or firewalld to block port 8080, other machines can still reach port 8080 on the host.

    Local services which do not use Docker, for example the nginx on localhost on port 80 mentioned in Rule 1, continue to follow Rule 1.


    Above all:
    I will set
    Code:
    iptables -P INPUT ACCEPT
    as the default. Then I will only use "firewall-cmd" to set up the firewall, without using "iptables" any more, and ignore the "iptables -S" output.

    Am I right?

    Hoping that Docker will embrace nftables soon.

  6. #6

    Default Re: what is correct way to setup firewall rules?

    Other useful links:

    https://www.puzzle.ch/de/blog/articles/2021/07/05/containers-netfilter-iptables-nftables-teil-1
    https://ungleich.ch/en-us/cms/blog/2018/08/18/iptables-vs-nftables/
    https://developers.redhat.com/blog/2020/08/18/iptables-the-two-variants-and-their-relationship-with-nftables

    HTML Code:
    +--------------+     +--------------+     +--------------+
    |   iptables   |     |   iptables   |     |     nft      |   USER
    |    legacy    |     |     nft      |     |  (nftables)  |   SPACE
    +--------------+     +--------------+     +--------------+
           |                          |         |
    ====== | ===== KERNEL API ======= | ======= | =====================
           |                          |         |
    +--------------+               +--------------+
    |   iptables   |               |   nftables   |              KERNEL
    |      API     |               |     API      |              SPACE
    +--------------+               +--------------+
                 |                    |         |
                 |                    |         |
              +--------------+        |         |     +--------------+
              |   xtables    |--------+         +-----|   nftables   |
              |    match     |                        |    match     |
              +--------------+                        +--------------+

  7. #7
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    30,906

    Default Re: what is correct way to setup firewall rules?

    Please post real links by using the Globe (Link) from the toolbar.

    https://www.puzzle.ch/de/blog/articl...ftables-teil-1
    https://ungleich.ch/en-us/cms/blog/2...s-vs-nftables/
    https://developers.redhat.com/blog/2...-with-nftables

    And those HTML tags work OK in this case, but what you show is not HTML; better use CODE (the # in the toolbar) in the future.
    Last edited by hcvv; 30-Oct-2021 at 03:52.
    Henk van Velden

  8. #8
    Join Date
    Sep 2012
    Posts
    7,838

    Default Re: what is correct way to setup firewall rules?

    Quote Originally Posted by suseoes View Post
    For example, I run nginx on port 8080 on the host with the command "docker run -d -p 8080:80 nginx". Now, no matter how I set up iptables (including the "DOCKER-USER" chain) or firewalld to block port 8080, other machines can still reach port 8080 on the host.
    Show your actual configuration, not your vague description of how you interpret it.
    Code:
    iptables -L -n -v
    nft list ruleset
    And explain, where "other machine" is located and how it accesses your docker application.

    P.S. output will likely be long, upload to https://susepaste.org/

  9. #9

    Default Re: what is correct way to setup firewall rules?

    Quote Originally Posted by arvidjaar View Post
    Show your actual configuration, not your vague description of how you interpret it.
    Code:
    iptables -L -n -v
    nft list ruleset
    And explain, where "other machine" is located and how it accesses your docker application.

    P.S. output will likely be long, upload to https://susepaste.org/
    Sorry, I made a mistake.

    I tried it again today, and the port of the Docker application can be blocked by

    Code:
    # iptables -I DOCKER-USER -p tcp --dport 8080 -j DROP


    The test was made with a VM in VirtualBox with a "Host-only Adapter".
    "Other machine" means my host machine, which is running this VirtualBox VM.

    After adding this iptables rule, I cannot reach port 8080 of this VM from my host machine.


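The following script is an added example and is not code from any post in this thread. It ties together the model described in #5 (the iptables rule set and firewalld's nftables rule set are evaluated independently, so a DROP in either wins, and Docker's published ports are filtered in DOCKER-USER, not in firewalld's INPUT rules) and the DOCKER-USER rule from #9. It reports which iptables variant is installed (`iptables -V` prints `(nf_tables)` for iptables-nft or `(legacy)`), which backend firewalld is configured with, and emits the DOCKER-USER rule in the form Docker's own documentation uses: because Docker rewrites the destination (DNAT) in nat/PREROUTING before filter/FORWARD runs, a DOCKER-USER rule matching `--dport 8080` sees the container port (80 in the `-p 8080:80` case) rather than the published one, so the rule matches the original destination port through conntrack. The interface name `eth0`, and the sample `iptables -V`, `firewalld.conf` and `iptables -S DOCKER-USER` texts, are constructed for the example, not taken from a real host. Running it only reads the system; it never changes any rule.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed setup: a Leap 15.3-style host where
# firewalld uses the nftables backend, `iptables` is the iptables-nft wrapper and
# Docker publishes a container port (docker run -p 8080:80 ...).
# Each function takes its input text as an argument so it can be exercised
# without root; main() only reads the live system and never modifies rules.

# Classify the installed iptables variant from `iptables -V` output,
# e.g. "iptables v1.8.7 (nf_tables)" -> nft, "iptables v1.8.7 (legacy)" -> legacy.
iptables_variant() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Extract FirewallBackend from firewalld.conf text. firewalld defaults to
# nftables when the key is absent or commented out.
firewalld_backend() {
    backend=$(printf '%s\n' "$1" | sed -n 's/^FirewallBackend=//p' | tail -n 1)
    echo "${backend:-nftables}"
}

# Build the DOCKER-USER rule that blocks a published port, optionally only on
# one ingress interface. Docker DNATs the published port in nat/PREROUTING
# before filter/FORWARD (where DOCKER-USER lives) runs, so match the original
# destination port via conntrack instead of --dport.
docker_user_block_cmd() {
    port=$1
    iface=${2:-}
    set -- -I DOCKER-USER
    if [ -n "$iface" ]; then
        set -- "$@" -i "$iface"
    fi
    set -- "$@" -p tcp -m conntrack --ctorigdstport "$port" --ctdir ORIGINAL -j DROP
    echo "iptables $*"
}

# Count DOCKER-USER rules (text of `iptables -S DOCKER-USER`) that match on
# --dport: in this chain they only ever see the post-DNAT container port.
count_dport_rules() {
    printf '%s\n' "$1" | grep -c -e '--dport' || true
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_IPTABLES_V='iptables v1.8.7 (nf_tables)'
SAMPLE_FIREWALLD_CONF='# firewalld config (constructed)
DefaultZone=public
FirewallBackend=nftables
'
SAMPLE_DOCKER_USER='-N DOCKER-USER
-A DOCKER-USER -p tcp -m tcp --dport 8080 -j DROP
-A DOCKER-USER -j RETURN
'

main() {
    if command -v iptables >/dev/null 2>&1; then
        echo "iptables variant : $(iptables_variant "$(iptables -V 2>/dev/null || true)")"
        echo "firewalld backend: $(firewalld_backend "$(cat /etc/firewalld/firewalld.conf 2>/dev/null || true)")"
        if [ "$(id -u)" = 0 ]; then
            rules=$(iptables -S DOCKER-USER 2>/dev/null || true)
            echo "DOCKER-USER rules matching --dport (never see the published port): $(count_dport_rules "$rules")"
        fi
    else
        echo "iptables not installed here; showing the sample analysis instead"
        echo "iptables variant : $(iptables_variant "$SAMPLE_IPTABLES_V")"
        echo "firewalld backend: $(firewalld_backend "$SAMPLE_FIREWALLD_CONF")"
        echo "DOCKER-USER rules matching --dport: $(count_dport_rules "$SAMPLE_DOCKER_USER")"
    fi
    echo "to block published port 8080 arriving on eth0 (eth0 assumed), run as root:"
    docker_user_block_cmd 8080 eth0
}

main "$@"
```

The script deliberately stops at printing the rule. Whether the rule is appended with `-I DOCKER-USER` by hand or by a boot-time script, it belongs in DOCKER-USER and nowhere else: Docker re-creates its own chains when the daemon (re)starts, and firewalld's `firewall-cmd` rules never see the forwarded container traffic that these rules filter.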