Hello all,
Have a newly installed nethserver 7 beta 2 using internal LDAP with nextcloud as the only application. Running in server mode as I only have one ethernet port, which the nethserver install configured as the green interface. I can connect to nextcloud internally, but all external traffic is dropped by the default shorewall rules. I see the drops in firewall.log, but need help changing the rules to allow access to nextcloud via https.
Hi Larry,
Do you want access to Nextcloud/NS from WAN?
In this case, you can try this (if my scenario is correct):
If your NS server has only one NIC configured as GREEN, that means your NS server is behind a router/firewall, placed in the LAN.
In this case, you don’t need the firewall module of NS. Or, if it is installed, you can set a firewall rule like this:
Create rule at top
Action: Accept
Source: Any
Destination: Any
Service: Any
Time condition: Always
To have access to your NS/Nextcloud from WAN through your router, you can configure on router/firewall, port forwarding to your Nextcloud.
The firewall module is not installed (and I have no management interface for it in the webgui), yet shorewall still runs and blocks WAN access. The router is already configured to allow https access. I see in the nethserver log viewer that all WAN traffic is dropped. So if I don’t install the firewall module, how do I edit the rule that is blocking access from WAN? I only wish to allow access to nextcloud from WAN, not the management portal or any other services at this time. Not sure where/how to modify the existing shorewall rules.
Suggestions?
Can you check if access to the httpd service is allowed from green and red?
From Security -> Network services
It is set to "ACCEPT: red, green" even though I only have green…
Can you provide the output of the following commands, if you don’t mind:
iptables -nvL | grep 'httpd[^-]'
cat /etc/shorewall/rules
cat /etc/shorewall/policy
[root@nethserver ~]# iptables -nvL | grep 'httpd[^-]'
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* httpd */
 3129  163K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* httpd */
[root@nethserver ~]#
-----------------------------------------------------------------------------
[root@nethserver ~]# cat /etc/shorewall/rules
# ================= DO NOT MODIFY THIS FILE =================
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at https://dev.nethesis.it/projects/nethserver/wiki/NethServer
# original work from http://www.contribs.org/development/
#
# Copyright (C) 2013 Nethesis S.r.l.
# http://www.nethesis.it - support@nethesis.it
#
#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
######################################################################################################################################################################################
#ACTION    SOURCE    DEST    PROTO    DEST     SOURCE     ORIGINAL    RATE     USER/    MARK    CONNLIMIT    TIME    HEADERS    SWITCH
#                                     PORT     PORT(S)    DEST        LIMIT    GROUP
#SECTION ALL
#
#
# SECTION ESTABLISHED
#
?SECTION ESTABLISHED
#
# SECTION RELATED
#
?SECTION RELATED
#
# SECTION NEW
#
?SECTION NEW
#
# Accept Ping from the "bad" net zone.
#
Ping/ACCEPT    net    $FW
#
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
# (assumes that the loc-> net policy is ACCEPT).
#
Ping/ACCEPT    loc    $FW
#
# Accept DNS connections from the firewall to the Internet
#
DNS/ACCEPT    $FW    net
#
# 50pf -- PORT FORWARDING
#
#
# 60rules
#
#
# Service: chronyd Access: green
#
?COMMENT chronyd
ACCEPT loc $FW udp 123
#
# Service: dnsmasq Access: green
#
?COMMENT dnsmasq
ACCEPT loc $FW tcp 53
?COMMENT dnsmasq
ACCEPT loc $FW udp 53
?COMMENT dnsmasq
ACCEPT loc $FW udp 67
?COMMENT dnsmasq
ACCEPT loc $FW udp 69
#
# Service: httpd Access: red,green
#
?COMMENT httpd
ACCEPT loc $FW tcp 80
?COMMENT httpd
ACCEPT loc $FW tcp 443
#
# Service: httpd-admin Access: green
#
?COMMENT httpd-admin
ACCEPT loc $FW tcp 980
#
# Service: mysqld Access: green
#
?COMMENT mysqld
ACCEPT loc $FW tcp 3306
#
# Service: slapd Access: green
#
?COMMENT slapd
ACCEPT loc $FW tcp 389
#
# Service: sshd Access: green
#
?COMMENT sshd
ACCEPT loc $FW tcp 2222
#
# 90dns_blue
#
[root@nethserver ~]#
------------------------------------------------------------
[root@nethserver ~]# cat /etc/shorewall/policy
# ================= DO NOT MODIFY THIS FILE =================
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at https://dev.nethesis.it/projects/nethserver/wiki/NethServer
# original work from http://www.contribs.org/development/
#
# Copyright (C) 2013 Nethesis S.r.l.
# http://www.nethesis.it - support@nethesis.it
#
#
# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE    DEST    POLICY    LOG      LIMIT:    CONNLIMIT:
#                            LEVEL    BURST     MASK
#
# 20policy
#
loc    net    ACCEPT
# firewall can always connect outside
$FW    net    ACCEPT
#
# 30policy_extra_zones
#
#
# 40policy_static
#
loc    $FW    REJECT    info
# Traffic from firewall to local network is always allowed
$FW    loc    ACCEPT
# Drop traffic from external interface to firewall and local network
net    $FW    DROP    info
net    loc    DROP    info
# Drop all other traffic from external interface
net    all    DROP    info
#
# 90reject all
#
# THE FOLLOWING POLICY MUST BE LAST
all    all    REJECT    info
[root@nethserver ~]#
Instead of these lines:
You should find something like this:
?COMMENT httpd
ACCEPT loc $FW tcp 80
ACCEPT net $FW tcp 80
?COMMENT httpd
ACCEPT loc $FW tcp 443
ACCEPT net $FW tcp 443
I can’t reproduce the problem, could you please try to update the machine?
Better from the testing repository:
yum --enablerepo=nethserver-testing update
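To make the diagnosis above repeatable, here is an added shell check (not from this thread or from the NethServer project) that scans a shorewall rules file in the format quoted above and reports whether a given TCP port has an explicit `ACCEPT net $FW` entry. Without that entry the `net $FW DROP info` line in the policy file applies to the red side, which is exactly the symptom described in the thread. The three sample rule files are constructed inline so the script runs offline; on a live system you would pass /etc/shorewall/rules instead, and the function also accepts comma-separated port lists, which the thread's output does not show but shorewall permits.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a shorewall rules file
# grants TCP access to the firewall ($FW) from the "net" (red) zone.
# Sample rule files below are constructed for an offline run; on a real
# NethServer box pass /etc/shorewall/rules instead.

# has_net_rule FILE PORT
# Exit 0 if FILE contains an "ACCEPT net $FW tcp <ports>" line whose
# DEST PORT field is PORT or a comma-separated list containing PORT.
# Comments (and ?COMMENT hint lines) are ignored, so regenerated files
# with the "DO NOT MODIFY" banner are handled as-is.
has_net_rule() {
    file="$1"; port="$2"
    awk -v p="$port" '
        { sub(/#.*/, "") }                       # drop trailing comments
        $1 == "ACCEPT" && $2 == "net" && $3 == "$FW" && $4 == "tcp" {
            n = split($5, ports, ",")            # DEST PORT may be a list
            for (i = 1; i <= n; i++) if (ports[i] == p) found = 1
        }
        END { exit found ? 0 : 1 }' "$file"
}

# report FILE PORT : print a verdict, return the same status as has_net_rule
report() {
    if has_net_rule "$1" "$2"; then
        echo "tcp/$2: reachable from red (net -> \$FW ACCEPT present)"
        return 0
    fi
    echo "tcp/$2: NOT reachable from red; 'net \$FW DROP' policy applies"
    return 1
}

# --- constructed samples ---------------------------------------------------
trap 'rm -f "$broken" "$fixed" "$listed"' EXIT

# Mirrors the broken generation quoted in the thread: only loc (green) lines.
broken=$(mktemp)
cat > "$broken" <<'EOF'
# Service: httpd Access: red,green
?COMMENT httpd
ACCEPT loc $FW tcp 80
?COMMENT httpd
ACCEPT loc $FW tcp 443
EOF

# Mirrors what the developer says a correct generation should contain.
fixed=$(mktemp)
cat > "$fixed" <<'EOF'
?COMMENT httpd
ACCEPT loc $FW tcp 80
ACCEPT net $FW tcp 80
?COMMENT httpd
ACCEPT loc $FW tcp 443
ACCEPT net $FW tcp 443
EOF

# Same intent expressed with a port list (valid shorewall syntax, constructed).
listed=$(mktemp)
cat > "$listed" <<'EOF'
ACCEPT net $FW tcp 80,443
EOF

report "$broken" 443 || true   # NOT reachable
report "$fixed"  443 || true   # reachable
report "$listed" 443 || true   # reachable (port list)
```

If the rules file shows the `net $FW` line but the service is still unreachable, the thread's next step applies: compare with `iptables -nvL | grep 'httpd[^-]'` to confirm the generated rules were actually loaded, then check the router's port forwarding.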
That did the trick! Thanks.
Out of curiosity, does only 443 need to be forwarded, or 80 as well?
Thanks!
Hi,
If you want to access only https, you need only port 443.
If you want to access only http, you need only port 80.
If you need to access both, https and http, you need both ports, 443 and 80.
What is not forwarded, can’t be accessed.
Depends on your needs.
Kind regards,
Gabriel