IPTables rules

izno · May 23, 2022, 7:56am

Hi,

I am running HomeAssistant through a docker image on an Ubuntu 21.04 LTS server.
Unfortuntely, the “default” ip tables rules prevent to connect to the 8123 port.
(I can connect when I allow all traffic over all the ports).

I tried to allow tcp traffic to 8123

iptables -A INPUT -p tcp --dport 8123 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 8123 -j ACCEPT

But it does not work.

Any help on how set iptables ?

Here is the current rules:

*filter
:INPUT DROP [32:6308]
:FORWARD DROP [0:0]
:OUTPUT DROP [6:510]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -i eth0 -p udp -m udp --dport 1194 -m comment --comment openvpn-input-rule -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 81 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 8200 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 1900 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p udp -m udp --dport 1900 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900:5910 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 51413 -j ACCEPT
-A INPUT -p udp -m udp --dport 51413 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49152:65535 -j ACCEPT
-A INPUT -p udp -m udp --dport 49152:65535 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,PSH,URG FIN,PSH,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --dport 5000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 135 -j ACCEPT
-A INPUT -p udp -m udp --dport 135 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 137 -j ACCEPT
-A INPUT -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p udp -m udp --dport 445 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 51820 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -d 10.8.0.0/24 -i eth0 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment openvpn-forward-rule -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -i tun0 -o eth0 -m comment --comment openvpn-forward-rule -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker_gwbridge -j DOCKER
-A FORWARD -i docker_gwbridge ! -o docker_gwbridge -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p udp -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker_gwbridge -o docker_gwbridge -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 81 -j ACCEPT
-A OUTPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 8200 -j ACCEPT
-A OUTPUT -s 192.168.0.0/24 -p udp -m udp --dport 1900 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 222 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 5900:5910 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 51413 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 51413 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 9200 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 49152:65535 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 49152:65535 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 9091 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 5000 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 135 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 135 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 137 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 137 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 138 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 139 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 445 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 445 -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9000 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 3012 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker_gwbridge ! -o docker_gwbridge -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker_gwbridge -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Fri Jan 14 10:09:20 2022
# Generated by iptables-save v1.8.4 on Fri Jan 14 10:09:20 2022
*raw
:PREROUTING ACCEPT [1257:251935]
:OUTPUT ACCEPT [1268:303370]
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
COMMIT
# Completed on Fri Jan 14 10:09:20 2022
# Generated by iptables-save v1.8.4 on Fri Jan 14 10:09:20 2022
*nat
:PREROUTING ACCEPT [292:35386]
:INPUT ACCEPT [260:29078]
:OUTPUT ACCEPT [11:862]
:POSTROUTING ACCEPT [5:352]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -m comment --comment openvpn-nat-rule -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o docker_gwbridge -j MASQUERADE
-A POSTROUTING -s 10.6.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 9000 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 3012 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i docker_gwbridge -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 172.17.0.2:9000
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 3012 -j DNAT --to-destination 172.17.0.3:3012
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 802 -j DNAT --to-destination 172.17.0.3:80
COMMIT
# Completed on Fri Jan 14 10:09:20 2022
# Generated by iptables-save v1.8.4 on Fri Jan 14 10:09:20 2022
*mangle
:PREROUTING ACCEPT [1257:251935]
:INPUT ACCEPT [1257:251935]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1268:303370]
:POSTROUTING ACCEPT [1262:302860]
COMMIT
# Completed on Fri Jan 14 10:09:20 2022
-A INPUT -p tcp -m tcp --dport 8123 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 8123 -j ACCEPT

mikeschraven · February 12, 2023, 7:45pm

You shouldnt DROP all OUTPUT, i think