Allowed IP addresses (after iptables -A INPUT -j DROP)

My problem needs an introduction.
I installed Home Assistant on a Raspberry Pi 4.
On my NAS I installed an Ubuntu Docker container with Portainer.
I created a cloudflared tunnel to https://hassio.domainname.com.
All was working perfectly.

Matthew Hodgkins pointed me to security in his blog post Securing Home Assistant with Cloudflare.
To add security I want to restrict the incoming (allowed) IP addresses. I needed another solution because I installed Cloudflare on my NAS.

I used iptables on Ubuntu and added the IP addresses from https://www.cloudflare.com/ips-v4

iptables -A INPUT -j DROP
iptables -A INPUT -s 173.245.48.0/20 -j ACCEPT
...
etc.

After that change I lost my connection to Google Home and got this error:

ERROR (MainThread) [homeassistant.components.google_assistant.http] Request for https://homegraph.googleapis.com/v1/devices:requestSync failed: 500

Also I see multiple update warnings like the one below:

WARNING (MainThread) [homeassistant.components.media_player] Updating media_player took longer than the scheduled update interval 0:00:10

I think I need to allow more IP addresses to get it working again.
Does anyone have any experience with this?

Can you explain your setup a bit more? What role does the Ubuntu Container play in all this and how did you install the cloudflared tunnel client?

Also note that Docker does some funny stuff with networking, which complicates firewalling.

At the very least you’d want to have a rule that allows replies to outbound requests initiated by the host to go through (stateful firewalling):

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

And a rule that allows loopback traffic:

iptables -A INPUT -i lo -j ACCEPT

The order of your rules is also important: not much will go through if your first rule tells iptables to DROP all traffic.

After doing that: watch the iptables log to see what gets dropped, then create specific rules to accept traffic that needs to be allowed.

Hi @donny007x Donny, thank you for your reaction.

I installed Portainer on my NAS.
In Portainer I created a new Ubuntu container.
In the console I executed:

curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb

sudo dpkg -i cloudflared.deb

sudo cloudflared service install <Long_uniqueId>


I asked ChatGPT to explain your iptables rules:

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

This line is an iptables rule that allows incoming network traffic that is related to or associated with an already established connection. Here is a breakdown of the individual components of the command:

  • iptables: This command is used to manage firewall rules in Linux.
  • -A INPUT: This option appends a new rule to the INPUT chain, which is responsible for handling incoming network traffic.
  • -m conntrack: This option specifies the module to use for connection tracking.
  • --ctstate RELATED,ESTABLISHED: This option matches packets that are related to or part of an established connection. This includes traffic that is associated with an existing connection such as responses to requests sent by the host or traffic related to the stateful protocol.
  • -j ACCEPT: This option specifies what action to take when a packet matches the rule, in this case, to accept the packet and allow it through the firewall.

iptables -A INPUT -i lo -j ACCEPT

This line is another iptables rule that allows incoming traffic on the loopback interface. Here’s a breakdown of the individual components of the command:

  • iptables: This command is used to manage firewall rules in Linux.
  • -A INPUT: This option appends a new rule to the INPUT chain, which is responsible for handling incoming network traffic.
  • -i lo: This option specifies the loopback interface, which is a virtual network interface that a computer uses to communicate with itself. Traffic on the loopback interface is not seen by other computers on the network.
  • -j ACCEPT: This option specifies what action to take when a packet matches the rule, in this case, to accept the packet and allow it through the firewall.

This rule is important because many services, such as databases and web servers, use the loopback interface to communicate with themselves. Allowing traffic on the loopback interface is necessary for these services to function properly.


But I'm still not sure what it does.
Can you try to explain why I should use it?
I do not understand "related to or associated with an already established connection" and "loopback interface".

Cloudflare offers cloudflared as a Docker container, this saves the hassle of having to manually install the tunnel service and streamlines the update process.

Using generative AI is discouraged in this community, see also: Want to help others? Leave your AI at the door

Instead have a look at this guide if you want to learn about setting up a basic iptables firewall: Simple stateful firewall - ArchWiki

Note that cloudflared only initiates outbound connections to both Cloudflare and your local network, so I’m not sure what you’re trying to achieve by allowing connections from the public Cloudflare IP addresses in your INPUT chain.

This is an old post, but maybe someone will find this hint useful. You should change the positions of those instructions, because -A (append) adds them in this order to the end of the iptables file, so the first one cuts all incoming packets:

iptables -A INPUT -j DROP

And the second one is never evaluated:

iptables -A INPUT -s 173.245.48.0/20 -j ACCEPT

When you change their order, once the above rule is evaluated successfully with -j ACCEPT, the -j DROP rule won't be evaluated.
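To make the two points in this thread concrete (first match wins, and replies to outbound requests need the conntrack rule), here is an added example that is not from any post above: a small, constructed model of how iptables walks an INPUT chain, evaluated against the original ordering and the corrected one. Only the matchers used in the thread (-s, -i lo, --ctstate) are modelled, and the sample packets and their addresses are made up for illustration.

```python
import ipaddress

# Constructed, simplified model of iptables first-match evaluation (added
# example, not code from the thread). Packets are plain dicts with the
# fields the thread's rules look at: src address, interface, conntrack state.

def rule(target, src=None, iface=None, ctstate=None):
    """Build one INPUT rule; target is ACCEPT or DROP, matchers are optional."""
    return {"target": target, "src": src, "iface": iface,
            "ctstate": set(ctstate.split(",")) if ctstate else None}

def matches(r, pkt):
    """A rule matches only when every matcher it specifies agrees with the packet."""
    if r["src"] and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(r["src"]):
        return False
    if r["iface"] and pkt["iface"] != r["iface"]:
        return False
    if r["ctstate"] and pkt["ctstate"] not in r["ctstate"]:
        return False
    return True

def evaluate(chain, pkt, policy="ACCEPT"):
    """Walk the chain top to bottom; the first matching rule decides, as iptables does."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return policy  # nothing matched: the chain's default policy applies

# The poster's ordering: the unconditional DROP is appended first and shadows
# every rule after it, so the Cloudflare allow rule is never reached.
ORIGINAL = [
    rule("DROP"),
    rule("ACCEPT", src="173.245.48.0/20"),
]

# Ordering from the replies: loopback and RELATED,ESTABLISHED first, then the
# allow-list, and the catch-all DROP as the very last rule.
CORRECTED = [
    rule("ACCEPT", iface="lo"),
    rule("ACCEPT", ctstate="RELATED,ESTABLISHED"),
    rule("ACCEPT", src="173.245.48.0/20"),
    rule("DROP"),
]

# Constructed sample packets (documentation addresses, not real hosts).
CLOUDFLARE_NEW = {"src": "173.245.48.10", "iface": "eth0", "ctstate": "NEW"}
API_REPLY      = {"src": "198.51.100.5",  "iface": "eth0", "ctstate": "ESTABLISHED"}
LOOPBACK       = {"src": "127.0.0.1",     "iface": "lo",   "ctstate": "NEW"}
UNKNOWN_NEW    = {"src": "203.0.113.7",   "iface": "eth0", "ctstate": "NEW"}
```

Dropping the conntrack rule from CORRECTED makes API_REPLY fall through to DROP, which is the kind of silent loss of replies to the host's own outbound requests that the stateful rule prevents.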