How to enable internet access to ns7b2/nextcloud in server mode? (only 1 eth)

Hello all,
Have a newly installed nethserver 7 beta 2 using internal LDAP with nextcloud as the only application. Running in server mode as I only have one ethernet port, which the nethserver install configured as the green interface. I can connect to nextcloud internally, but all external traffic is dropped by the default shorewall rules. I see the drops in firewall.log, but need help changing the rules to allow access to nextcloud via https.

Hi Larry,

Do you want access to Nextcloud/NS from WAN?
In this case, you can try this (if my scenario is correct):

If your NS server has only one NIC configured as GREEN, that means your NS server is behind a router/firewall, placed in the LAN.
In this case, you don’t need the firewall module of NS. Or, if it is installed, you can set a firewall rule like this:
Create rule at top
Action: Accept
Source: Any
Destination: Any
Service: Any
Time condition: Always

To have access to your NS/Nextcloud from WAN through your router, you can configure on router/firewall, port forwarding to your Nextcloud.

The firewall module is not installed (and I have no management interface for it in the webgui), yet shorewall still runs and blocks WAN access. The router is already configured to allow https access. I see in the nethserver log viewer that all WAN traffic is dropped. So if I don’t install the firewall module, how do I edit the rule that is blocking access from WAN? I only wish to allow access to nextcloud from WAN, not the management portal or any other services at this time. Not sure where/how to modify the existing shorewall rules.
Suggestions?

Can you check if access to the httpd service is allowed from green and red?
From Security -> Network services

It is set to "ACCEPT:red, green" even though I only have green…

Can you provide the output of the following commands, if you don’t mind:

iptables -nvL | grep 'httpd[^-]'
cat /etc/shorewall/rules
cat /etc/shorewall/policy
[root@nethserver ~]# iptables -nvL | grep 'httpd[^-]'
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* httpd */
 3129  163K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* httpd */
[root@nethserver ~]#

-----------------------------------------------------------------------------

[root@nethserver ~]# cat /etc/shorewall/rules
# ================= DO NOT MODIFY THIS FILE =================
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at https://dev.nethesis.it/projects/nethserver/wiki/NethServer
# original work from http://www.contribs.org/development/
#
# Copyright (C) 2013 Nethesis S.r.l.
# http://www.nethesis.it - support@nethesis.it
#
#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
######################################################################################################################################################################################
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL  RATE            USER/   MARK    CONNLIMIT       TIME         HEADERS         SWITCH
#                                                       PORT    PORT(S)         DEST              LIMIT           GROUP
#SECTION ALL
#
#
# SECTION ESTABLISHED
#
?SECTION ESTABLISHED


#
# SECTION RELATED
#
?SECTION RELATED


#
# SECTION NEW
#
?SECTION NEW

#
# Accept Ping from the "bad" net zone.
#
Ping/ACCEPT   net             $FW

#
#  Make ping work bi-directionally between the dmz, net, Firewall and local zone
#  (assumes that the loc-> net policy is ACCEPT).
#
Ping/ACCEPT     loc            $FW

#
#       Accept DNS connections from the firewall to the Internet
#
DNS/ACCEPT      $FW             net

#
# 50pf -- PORT FORWARDING
#



#
# 60rules
#



#
#       Service: chronyd Access: green
#
?COMMENT chronyd
ACCEPT  loc     $FW     udp     123
#
#       Service: dnsmasq Access: green
#
?COMMENT dnsmasq
ACCEPT  loc     $FW     tcp     53
?COMMENT dnsmasq
ACCEPT  loc     $FW     udp     53
?COMMENT dnsmasq
ACCEPT  loc     $FW     udp     67
?COMMENT dnsmasq
ACCEPT  loc     $FW     udp     69
#
#       Service: httpd Access: red,green
#
?COMMENT httpd
ACCEPT  loc     $FW     tcp     80
?COMMENT httpd
ACCEPT  loc     $FW     tcp     443
#
#       Service: httpd-admin Access: green
#
?COMMENT httpd-admin
ACCEPT  loc     $FW     tcp     980
#
#       Service: mysqld Access: green
#
?COMMENT mysqld
ACCEPT  loc     $FW     tcp     3306
#
#       Service: slapd Access: green
#
?COMMENT slapd
ACCEPT  loc     $FW     tcp     389
#
#       Service: sshd Access: green
#
?COMMENT sshd
ACCEPT  loc     $FW     tcp     2222

#
# 90dns_blue
#

[root@nethserver ~]#
------------------------------------------------------------

[root@nethserver ~]# cat /etc/shorewall/policy
# ================= DO NOT MODIFY THIS FILE =================
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at https://dev.nethesis.it/projects/nethserver/wiki/NethServer
# original work from http://www.contribs.org/development/
#
# Copyright (C) 2013 Nethesis S.r.l.
# http://www.nethesis.it - support@nethesis.it
#
#
# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
#                               LEVEL   BURST           MASK
#
# 20policy
#
loc             net             ACCEPT


# firewall can always connect outside
$FW     net     ACCEPT

#
# 30policy_extra_zones
#


#
# 40policy_static
#

loc             $FW             REJECT          info

# Traffic from firewall to local network is always allowed
$FW             loc             ACCEPT

# Drop traffic from external interface to firewall and local network
net             $FW             DROP            info
net             loc             DROP            info

# Drop all other traffic from external interface
net             all             DROP            info

#
# 90reject all
#

# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info

[root@nethserver ~]#

Instead of these lines:

You should find something like this:

?COMMENT httpd
ACCEPT loc $FW tcp 80
ACCEPT net $FW tcp 80
?COMMENT httpd
ACCEPT loc $FW tcp 443
ACCEPT net $FW tcp 443

I can’t reproduce the problem, could you please try to update the machine?
Better from the testing repository:

yum --enablerepo=nethserver-testing update
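To make the difference between the posted rules and the expected ones concrete, here is a small evaluator of how Shorewall decides a new connection (added example, not from the thread or from NethServer): the first matching line in the rules file wins, otherwise the first matching policy entry, with `all` as a wildcard. The inputs are constructed from the files posted above; macro rules such as `Ping/ACCEPT` are not expanded.

```python
"""Minimal Shorewall rules/policy evaluator for one NEW connection.
Added example, not from the thread; inputs below are constructed from
the /etc/shorewall/rules and /etc/shorewall/policy output posted above."""

# Constructed: the httpd-related lines of the rules file as posted (loc only).
RULES_POSTED = """
?SECTION NEW
?COMMENT httpd
ACCEPT  loc     $FW     tcp     80
ACCEPT  loc     $FW     tcp     443
ACCEPT  loc     $FW     tcp     2222
"""
# Constructed: what the updated package generates (net entry added).
RULES_EXPECTED = RULES_POSTED + "ACCEPT  net     $FW     tcp     443\n"

# Constructed from the policy file posted above (order matters).
POLICY = """
loc     net     ACCEPT
$FW     net     ACCEPT
loc     $FW     REJECT  info
$FW     loc     ACCEPT
net     $FW     DROP    info
net     loc     DROP    info
net     all     DROP    info
all     all     REJECT  info
"""

def _fields(text):
    """Yield split fields of lines that are not blank, comments or ?directives."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith("?"):   # skips ?SECTION / ?COMMENT
            yield line.split()

def verdict(rules, policy, src, dst, proto, dport):
    """Action applied to a NEW connection src->dst proto/dport."""
    for f in _fields(rules):
        if "/" in f[0] or len(f) < 5:            # macro rule or too short: skip
            continue
        action, s, d, p, port = f[:5]
        if (s, d, p, port) == (src, dst, proto, str(dport)):
            return action                        # first matching rule wins
    for f in _fields(policy):
        s, d, action = f[:3]
        if s in (src, "all") and d in (dst, "all"):
            return action                        # first matching policy wins
    raise ValueError("no policy matched")        # unreachable with all/all last
```

With the posted files, `verdict(RULES_POSTED, POLICY, "net", "$FW", "tcp", 443)` falls through to the `net $FW DROP info` policy, which is exactly the drop seen in firewall.log; with the expected rules it returns `ACCEPT`.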

That did the trick! Thanks.


Out of curiosity, does only 443 need to be forwarded, or 80 as well?

Thanks!

Hi,

If you want to access only https, you need only port 443.
If you want to access only http, you need only port 80.
If you need to access both, https and http, you need both ports, 443 and 80.

What is not forwarded can’t be accessed.

Depends on your needs.

Kind regards,
Gabriel
