Own iptables rules alongside froxlor?

[Leapfrog]

Froxlor (0.10.22-1) is running nicely on my server (Debian 10 Buster).

But now I plan to install a service on this public server, which needs a few ports more opened in iptables.
I am not sure how to create some rules that do not conflict with froxlor? What is the recommended way to install a few persistent rules, that do not disturb froxlor?

Status:

iptables is running and is showing some rules, example:

[code]
# iptables -nvL
...
  152  7784 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
  513 25024 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
...
[/code]

I find these active rules persistent in /etc/iptables/rules.v4

[code]
# Generated by xtables-save v1.8.2 on Mon Feb 10 20:44:30 2020
*filter
...
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
...
# Completed on Mon Feb 10 20:44:30 2020
[/code]

As far as I've seen these rules are loaded at boottime by systemd's netfilter-persistent.service.

Installed Debian packages:
[code]
ii  iptables             1.8.2-4      amd64        administration tools for packet filtering and NAT
ii  iptables-persistent  1.0.11       all          boot-time loader for netfilter rules, iptables plugin
ii  netfilter-persistent 1.0.11       all          boot-time loader for netfilter configuration
[/code]

Has Froxlor generated the /etc/iptables/rules.v4?

How can I add a few more rules to rules.v4? For example allowing incoming ports 10000/udp and 5349/tcp?

Kind regards

[d00p]

9 minutes ago, Leapfrog said:

Has Froxlor generated the /etc/iptables/rules.v4?

no

10 minutes ago, Leapfrog said:

How can I add a few more rules to rules.v4? For example allowing incoming ports 10000/udp and 5349/tcp?

this is froxlor, not the iptables project. You might just wanna google that, there are millions of examples. Also, you might wanna try "ufw" - very simple interface for iptables, might suit your better

[Leapfrog]

Ok, I thought froxlor has been responsible for the /etc/iptables/rules.v4, sorry.

That froxlor was not, is a very important info for me, thank you very much!

I have to find out now, where those existing iptables came from. My only candidates at the moment are

* the existing rules are a default in the OS Linux image of my Hoster?

* the existing rules were generated during a Wordpress Installation?

Anyway, it is good to know, that froxlor cannot overwrite those persistent rules.

Kind regards

 

[d00p]

the file is possibly created when you run iptables-save or some shutdown script that's saves it there before rebooting so the rules can be restored

[Leapfrog]

Yes, these saves and restores are done by the script ...

/usr/share/netfilter-persistent/plugins.d/15-ip4tables

... from the debian package iptables-persistent.

But this is no explanation, where the contents of the rules.v4 initially came from (which match so wonderful the requirements of a froxlor installation).

Some intelligent entity must have created those rules - and that hasn't been me 😉

[Leapfrog]

Just for the record:
Because I already have an existing /etc/iptables/rules.v4 and the package iptables-persistent is installed, opening a few ports more is easy, example:

# iptables -A INPUT -p udp --dport 10000 -j ACCEPT
# iptables -A INPUT -p tcp --dport 5349 -j ACCEPT
(activates both rules)

# netfilter-persistent save
(saves the running iptables to /etc/iptables/rules.v4 and the new rules are bootfix then)
(This command is documented in /usr/share/doc/iptables-persistent/README)

# iptables -nvL
...
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:10000
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5349
...
(success control after reboot)