Join Log in
Score:1
avatar Server

Blocking all ports except 80 and 443 with cloudflare

jp flag
Googlebot

I try to block all ports except 22, 80, and 443. I added the following rules to iptables.

*filter
:INPUT ACCEPT [36878:18003219]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [33947:26518456]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s MY_IP -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A INPUT -j DROP
COMMIT

Port 22 is working, but Cloudflare cannot connect to the webserver. -A INPUT -j DROP causes the problem. In fact, 443 connection does not match a rule until the end of the list.

249
1 + 10
Michael Hampton avatar
cz flag
Michael Hampton
Which specific error did CloudFlare give?
0
Reply
jp flag
Googlebot
@MichaelHampton 504 Gateway time-out.
0
Reply
Michael Hampton avatar
cz flag
Michael Hampton
I see that you still have not enabled ICMP in your firewall. You really should do that.
0
Reply
jp flag
Googlebot
@MichaelHampton the common CloudFlare error that we are connected to the Cloudflare server, but Cloudflare cannot connect to the host.
0
Reply
jp flag
Googlebot
@MichaelHampton I assumed that I have already done it. How should I do this?
0
Reply
Michael Hampton avatar
cz flag
Michael Hampton
You only enabled pings. You should enable all ICMP, not just one specific type.
0
Reply
jp flag
Googlebot
@MichaelHampton you mean `iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT`? It had no effect!
0
Reply
Michael Hampton avatar
cz flag
Michael Hampton
OK, now we're making progress. The only other major problem I see in the firewall is that you have not allowed localhost traffic. This will break a wide variety of services (such as apache or nginx talking to a web application server). It also results in the 504 Gateway Timeout error.
0
Reply
jp flag
Googlebot
@MichaelHampton you mean `iptables -A INPUT -i lo -j ACCEPT`. If yes, I feel stupid. I had tried this and it worked, but I remove it as I thought it reverts the effect of `-A INPUT -j DROP` because of `ACCEPT all -- anywhere anywhere DROP all -- anywhere anywhere ` Now that I think, `DROP` rule is after the `ACCEPT` rule, and should block everything else.
0
Reply
jp flag
Googlebot
@MichaelHampton I did not encounter a page stressing the necessity of ACCEPTing localhost traffic. If you post your advice as an answer, it may help someone else too.
0
Reply
Score:1
Michael Hampton avatar Server
cz flag
Michael Hampton

So after a lengthy comment session, here is what we've put together:

When you enabled your custom firewall, CloudFlare reported a 504 Gateway Timeout. But notably, it said that that was the error it received from your server, not that it timed out trying to reach your server. The difference is subtle but important: This means CloudFlare was talking to your server fine, but your server was not talking to itself.

You have a web server that proxies to an internal web application running on localhost. But your custom firewall did not allow localhost connections. This is required for the web server to talk to the web app, as well as for so many other internal services to talk to each other, that every professional firewall builder you ever may use will simply allow localhost traffic without question.

(PS: You should leave ICMP enabled to prevent other sorts of breakage, such as Path MTU Discovery.)

0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.