Score:1

Blocking all ports except 80 and 443 with cloudflare

jp flag

I am trying to block all ports except 22, 80, and 443. I added the following rules to iptables.

*filter
:INPUT ACCEPT [36878:18003219]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [33947:26518456]
# replies to connections this host already has open
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH from one management address only
-A INPUT -s MY_IP -p tcp -m tcp --dport 22 -j ACCEPT
# HTTP and HTTPS from anywhere
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# ICMP echo-request (ping) only
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# catch-all: anything not matched above is dropped
-A INPUT -j DROP
COMMIT

Port 22 is working, but Cloudflare cannot connect to the web server. `-A INPUT -j DROP` causes the problem. In fact, a 443 connection does not match a rule until the end of the list.

Michael Hampton avatar
cz flag
Which specific error did CloudFlare give?
jp flag
@MichaelHampton 504 Gateway time-out.
Michael Hampton avatar
cz flag
I see that you still have not enabled ICMP in your firewall. You really should do that.
jp flag
@MichaelHampton It is the common CloudFlare error: we are connected to the Cloudflare server, but Cloudflare cannot connect to the host.
jp flag
@MichaelHampton I assumed that I had already done it. How should I do this?
Michael Hampton avatar
cz flag
You only enabled pings. You should enable all ICMP, not just one specific type.
jp flag
@MichaelHampton you mean `iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT`? It had no effect!
Michael Hampton avatar
cz flag
OK, now we're making progress. The only other major problem I see in the firewall is that you have not allowed localhost traffic. This will break a wide variety of services (such as apache or nginx talking to a web application server). It also results in the 504 Gateway Timeout error.
jp flag
@MichaelHampton you mean `iptables -A INPUT -i lo -j ACCEPT`? If yes, I feel stupid. I had tried this and it worked, but I removed it as I thought it reverted the effect of `-A INPUT -j DROP` because of `ACCEPT all -- anywhere anywhere` / `DROP all -- anywhere anywhere`. Now that I think about it, the `DROP` rule is after the `ACCEPT` rule, and should block everything else.
jp flag
@MichaelHampton I did not encounter a page stressing the necessity of ACCEPTing localhost traffic. If you post your advice as an answer, it may help someone else too.
Score:1
cz flag

So after a lengthy comment session, here is what we've put together:

When you enabled your custom firewall, CloudFlare reported a 504 Gateway Timeout. But notably, it said that that was the error it received from your server, not that it timed out trying to reach your server. The difference is subtle but important: This means CloudFlare was talking to your server fine, but your server was not talking to itself.

You have a web server that proxies to an internal web application running on localhost. But your custom firewall did not allow localhost connections. This is required for the web server to talk to the web app, as well as for so many other internal services to talk to each other, that every professional firewall builder you may ever use will simply allow localhost traffic without question.

(PS: You should leave ICMP enabled to prevent other sorts of breakage, such as Path MTU Discovery.)
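As an added example (not code from the question or from the answer above), here is the ruleset the thread converges on, written for iptables-restore, plus a small POSIX sh audit that flags the two omissions discussed above in any iptables-save dump: no loopback ACCEPT (or one placed after the catch-all DROP, where it never matches), and ICMP limited to a single type. 203.0.113.10 stands in for the question's MY_IP placeholder, and the sample input is the question's own ruleset, embedded here as constructed text.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# corrected_ruleset prints the fixed rules (loopback and all ICMP accepted,
# 22 restricted to one source, 80/443 open, INPUT policy DROP so no
# catch-all rule is needed). audit_ruleset checks an iptables-save dump
# for the omissions that produced the 504 in the thread.
# Assumption: 203.0.113.10 replaces the question's MY_IP placeholder.

MY_IP="${MY_IP:-203.0.113.10}"

# The ruleset from the question, embedded as constructed sample input.
ORIGINAL_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j DROP
COMMIT'

# corrected_ruleset: prints the fixed rules in iptables-save format.
# Lines starting with # are ignored by iptables-restore.
corrected_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback first: nginx/apache -> app server on 127.0.0.1, local resolvers, etc.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# All ICMP, not just echo-request, so PMTUD and unreachables keep working.
-A INPUT -p icmp -j ACCEPT
-A INPUT -s ${MY_IP}/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# audit_ruleset: reads an iptables-save dump on stdin, prints one finding
# per line, returns 0 when clean and 1 when something needs fixing.
audit_ruleset() {
    dump=$(cat)
    rc=0
    lo_at=$(printf '%s\n' "$dump" | grep -n -- '^-A INPUT -i lo -j ACCEPT' | head -n 1 | cut -d: -f1)
    drop_at=$(printf '%s\n' "$dump" | grep -n -- '^-A INPUT -j DROP' | head -n 1 | cut -d: -f1)
    if [ -z "$lo_at" ]; then
        echo "MISSING: -A INPUT -i lo -j ACCEPT (proxy to a localhost backend will time out)"
        rc=1
    elif [ -n "$drop_at" ] && [ "$lo_at" -gt "$drop_at" ]; then
        echo "ORDER: loopback ACCEPT sits after the catch-all DROP and never matches"
        rc=1
    fi
    # Accept either the plain form or the explicit --icmp-type any form.
    if ! printf '%s\n' "$dump" | grep -Eq -- '^-A INPUT -p icmp( -m icmp --icmp-type any)? -j ACCEPT'; then
        echo "MISSING: unrestricted ICMP ACCEPT (echo-request alone is not enough)"
        rc=1
    fi
    return $rc
}

# Stand-alone run: audit the question's rules, then the corrected set.
echo "== original ruleset =="
if printf '%s\n' "$ORIGINAL_RULESET" | audit_ruleset; then echo "clean"; else echo "needs fixing"; fi
echo "== corrected ruleset =="
if corrected_ruleset | audit_ruleset; then echo "clean"; else echo "needs fixing"; fi
```

To check a live host, pipe `iptables-save` into `audit_ruleset`. Load the corrected set with `iptables-restore`, preferably through `iptables-apply` where it is available, so a mistake in the SSH rule rolls back instead of locking you out.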
