Oracle Cloud and Firewall Solution
Even Oracle itself notes in the text, and I don't fully understand why, that we shouldn't use UFW.
Why aren’t these rules configured through UFW? In fact, you’re specifically advised not to enable or use UFW, because OCI docs describe a known issue that enabling UFW will prevent the instance from booting, and the stated workaround is to… not use UFW?!
And it's true: as soon as I removed UFW, or any other firewall (the one from the Control Panel, for example), everything worked. Actually, you are expected to fiddle with typing iptables commands by hand;
use this instead
For some reason I had all of these ports open on another server:
tcp: 20,21,22,25,53,80,110,143,443,465,587,993,995,3306,4190,8080,8081,10000,40110:40210,22111,22333,22999 udp: 53,3306,55555,60000:61000
# let me check what all of that is
grep -E '\b(20|21|22|25|53|80|110|143|443|465|587|993|995|3306|4190|8080|8081|10000|40110|40210|22111|22333|22999|53|3306|55555|60000|61000)/' /etc/services
Let's get started
sudo apt -y install firewalld
# it's empty
sudo firewall-cmd --list-ports
# systemctl enable firewalld
# systemctl disable firewalld
# custom and weird ports:
# ssh: 22111, socks-proxy: 22333, control-panel: 22999, tailscale: 41641
# ftp extra: 12000-12100
# something-unknown: 4190, 10000, 40110-40210, udp: 55555, 60000-61000
firewall-cmd --add-port={{22111,22333,22999,41641,12000-12100,4190,10000,40110-40210}/tcp,12000-12100/udp,8080/{tcp,udp}}
# file /etc/services has the list
grep -E 'http|imap|pop3|smtp|dns|53|ftp' /etc/services
# or by ports
grep -E '\b(80|443|143|993|110|995|25|465|587|53|21|12000)/' /etc/services
# let's open the standard ports; domain = dns; don't: mysql
# nope: firewall-cmd --add-service={http,https,imap2,imaps,submission,submissions,pop3,smtp,pop3s,domain,ftp,ftp-data,mysql,http-alt,tproxy}
firewall-cmd --add-service={http,https,imap,imaps,smtp-submission,dns,dns-over-tls,smtps,pop3,smtp,pop3s,ftp,mysql}
Madness:
# check what's active now
firewall-cmd --list-ports
firewall-cmd --list-services
iptables -L
# to clear memory
firewall-cmd --reload
And definitely
firewall-cmd --complete-reload
# or you can flush instead
iptables --flush
iptables -L
Create a proper list of “firewalld” services by reading the folder /usr/lib/firewalld/services/, which contains the system names of services, and possibly some user-defined names in /etc/firewalld/services/. When searching for a service by port number, type:
grep -r 445 /usr/lib/firewalld/services/
If you really need to see the whole list, then paste this monstrous one-liner:
find /usr/lib/firewalld/services/ -type f -name '*.xml' -exec sh -c 'bn=$(basename "$1" .xml); ports=$(sed -n -e "s/.*port=\"\([0-9]*\)\".*/\1/p" "$1" | paste -sd, -); printf "%-30s : %s\n" "$bn" "$ports"' _ {} \;
And so I arrived at this nonsense:
unnecessary:
syncthing: 22000/tcp, syncthing: 22000/udp, mountd: 20048/tcp, mountd: 20048/udp, samba-dc: 49152-65535/tcp, nfs: 2049/tcp, ptp: 320/udp, minidlna: 8200/tcp, mssql: 1433/tcp, mdns: 5353/udp, cfengine: 5308/tcp, llmnr-udp: 5355/udp, nfs3: 2049/tcp, nfs3: 2049/udp, jellyfin: 8920/tcp, elasticsearch: 9200/tcp, llmnr-tcp: 5355/tcp, freeipa-trust: 49152-65535,
maybe:
wireguard: 51820/udp, jenkins: 8080/tcp (I went by the port number), RH-Satellite-6: 8080/tcp (by the port number), isns: 3205/tcp, isns: 3205/udp,
needed:
imap: 143/tcp, smtp-submission: 587/tcp, dns: 53/tcp, dns: 53/udp, dns-over-tls: 853/tcp, smtps: 465/tcp, mosh: 60000-61000/udp
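An added example (not part of the original notes) that turns one firewalld service definition into the same "name : ports" line as the one-liner above, but keeps the protocol and the port ranges, which the sed expression drops. It assumes the self-closing `<port protocol="..." port="..."/>` layout used by the files under /usr/lib/firewalld/services/; the sample file it parses is constructed.

```shell
# fw_service_ports FILE -> "name : port/proto, port/proto, ..."
fw_service_ports() {
    local name
    name=$(basename "$1" .xml)
    # one <port .../> element per line; attribute order varies, so pull each attribute separately
    grep -o '<port [^>]*/>' "$1" |
        awk -v name="$name" '
            {
                proto = ""; port = ""
                if (match($0, /protocol="[^"]*"/)) proto = substr($0, RSTART + 10, RLENGTH - 11)
                if (match($0, /port="[^"]*"/))     port  = substr($0, RSTART + 6, RLENGTH - 7)
                if (port == "") next    # protocol-only entries carry no port
                out = out (out == "" ? "" : ", ") port "/" proto
            }
            END { printf "%-20s : %s\n", name, out }'
}

fw_demo() {
    # constructed sample in the same layout as the real service files
    local tmp
    tmp=$(mktemp -d)
    cat > "$tmp/freeipa-demo.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>freeipa-demo</short>
  <port protocol="tcp" port="88"/>
  <port port="88" protocol="udp"/>
  <port protocol="tcp" port="49152-65535"/>
</service>
EOF
    fw_service_ports "$tmp/freeipa-demo.xml"
    rm -rf "$tmp"
}

# whole catalogue (system plus user-defined definitions):
#   for f in /usr/lib/firewalld/services/*.xml /etc/firewalld/services/*.xml; do
#       [ -f "$f" ] && fw_service_ports "$f"
#   done
```

Running `fw_demo` prints `freeipa-demo : 88/tcp, 88/udp, 49152-65535/tcp`, so a catalogue built this way lets you spot wide ranges like 49152-65535 before adding a service by name.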
Anyway
firewall-cmd --add-port={{22111,22333,22999,41641,12000-12100,4190,10000,40110-40210}/tcp,12000-12100/udp,8080/{tcp,udp}}
firewall-cmd --add-service={http,https,imap,imaps,smtp-submission,dns,dns-over-tls,smtps,pop3,smtp,pop3s,ftp,mysql}
Oracle Cloud: Holy fuck!
A quick tips to people who are having issue opening ports on oracle cloud. : oraclecloud
Come on, finish up
As for what happens when the system boots: first of all I made a backup, but in a way that doesn't overwrite an already existing backup:
# backup original files without overwrite
for V in 4 6; do F="/etc/iptables/rules.v${V}"; [ ! -f "$F.bak" ] && cp -n "$F" "$F.bak"; done
Ubuntu images in OCI don’t rely on UFW for changing the host firewall configuration. Opening ports requires changing the iptables configuration by editing /etc/iptables/rules.v{4,6}.
Enabling Network Traffic to Ubuntu Images in Oracle Cloud Infrastructure
I think they use iptables-persistent, because it writes exactly to /etc/iptables/rules.v{4,6}, but I'm not sure.
best way to configure iptables on “oracle cloud” ubuntu
It's true, because it was right there:
apt list --installed | grep iptables-persistent
http: TCP 80
https: TCP 443
imap: TCP 143
imaps: TCP 993
smtp-submission: TCP 587
dns: TCP/UDP 53
dns-over-tls: TCP 853
smtps: TCP 465
pop3: TCP 110
smtp: TCP 25
pop3s: TCP 995
ftp: TCP 20, 21
mysql: TCP 3306
# dash is now ":"
# we can do this, but...
echo {{22111,22333,22999,41641,12000:12100,4190,10000,40110:40210}/tcp,12000:12100/udp,8080/{tcp,udp}} |
xargs -n1 | xargs -I{} bash -c 'IFS=/ read -r port protocol <<< "$1"; echo iptables -A INPUT -p "$protocol" --dport "$port" -j ACCEPT' _ {}
https://stackoverflow.com/a/63648081/586898 https://docs.oracle.com/en-us/iaas/developer-tutorials/tutorials/apache-on-ubuntu/01oci-ubuntu-apache-summary.htm
JUST PILED UP REPEATS
It can really be made “crazy”, so I thought I'd write it up, even though this is a very old question.
Every possible combination in one line
# simple
firewall-cmd --add-port={80,443}/tcp
# both protocols
firewall-cmd --add-port={80,443}/{tcp,udp}
# can be a bit complex - notice nested brackets
firewall-cmd --add-port={{80,443}/{tcp,udp},{110,995}/tcp}
Then check what you’ve done :) with:
firewall-cmd --list-ports
Services are nicer
I’ve also experimented with --add-service, the names for which can be found in the /etc/services file. It’s even more elegant than using ports.
The names and the ports are there, so for example list some of them:
grep -E 'http|imap|pop3|smtp|dns|ftp' /etc/services
So we can open ports by just typing the following:
# readable
firewall-cmd --add-service={http,https}
firewall-cmd --list-services
Hopefully it shows how to do this elegantly.
Hosting
IPTables Explained for Oracle
Explanation of the command iptables-save | awk ... | iptables-restore
A proper clear; see: https://serverfault.com/a/200642/69638
iptables-save | awk '/^[*]/ { print $1 } /^:[A-Z]+ [^-]/ { print $1 " ACCEPT" ; } /COMMIT/ { print $0; }' | iptables-restore
iptables-save dumps the current iptables rules to the console, then this awk command extracts all the chains in all tables and modifies them so that all policies are set to “ACCEPT”. Then iptables-restore applies the modified rules.
This effectively opens all the firewall chains by setting their default policy to ACCEPT, so this is actually an “iptables reset”. Because the awk keeps only the table names, the built-in chains and the COMMIT lines, every rule and every user-defined chain is dropped as well, which is why the original Oracle rules are restored from the backup right afterwards.
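The same awk, as an added example (not from the original notes), run over a constructed iptables-save dump so you can inspect what iptables-restore would receive before touching the live firewall. The sample mimics the shape of a rules.v4 file with a DROP policy and a user-defined chain, but is constructed, not copied from an instance.

```shell
# iptables_reset_rules FILE -> the "reset" ruleset the awk produces from a saved dump
iptables_reset_rules() {
    awk '/^[*]/ { print $1 }
         /^:[A-Z]+ [^-]/ { print $1 " ACCEPT" ; }
         /COMMIT/ { print $0; }' "$1"
}

reset_demo() {
    # constructed sample: FORWARD has a DROP policy and MyWebRules is a user-defined chain
    local tmp
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MyWebRules - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j MyWebRules
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A MyWebRules -p tcp -m multiport --dports 80,443 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
EOF
    iptables_reset_rules "$tmp"
    rm -f "$tmp"
}
```

`reset_demo` prints only the `*filter`/`*nat` headers, the built-in chains with policy ACCEPT (FORWARD included) and the COMMIT lines; every `-A` rule and the MyWebRules chain are gone, so feeding this to iptables-restore wipes the table rather than merely opening it.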
Explanation of the command iptables -I INPUT 6 ....
The -I option in iptables is used to insert a rule. The number 6 refers to where this new rule will be inserted. Without specifying a rule number it will be inserted at the top of the chain. But in our case, the rule will be the 6th rule in the INPUT chain.
The order of rules in iptables matters. A packet is evaluated from the top of the chain until it matches a rule. Once it matches, it follows the jump (-j) target of that rule, which could be to ACCEPT, DROP or REJECT the packet, or jump to another chain, or whatever. After a rule is matched it stops processing further rules for that packet.
Reset iptables:
iptables-save | awk '/^[*]/ { print $1 } /^:[A-Z]+ [^-]/ { print $1 " ACCEPT" ; } /COMMIT/ { print $0; }' | iptables-restore
iptables --flush; ip6tables --flush
Check that it's empty:
iptables --list; ip6tables --list
Restore the initial Oracle state from the backup:
iptables-restore < /etc/iptables/rules.v4.bak
ip6tables-restore < /etc/iptables/rules.v6.bak
Add your own new policies. Use the multiport module with iptables:
iptables -I INPUT 6 -p tcp -m state --state NEW -m multiport --dports "80,443,143,993,587,53,853,465,110,25,995,20,21,3306,22111" -j ACCEPT
iptables -I INPUT 6 -p tcp -m state --state NEW -m multiport --dports "22333,22999,41641,12000:12100,4190,10000,40110:40210,8080,8443" -j ACCEPT
iptables -I INPUT 6 -p udp -m state --state NEW -m multiport --dports "60000:61000,12000:12100,8080,53" -j ACCEPT
Port 8443 is for the CloudPanel Web UI.
And save them for boot. This “persistent” command is also required:
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
netfilter-persistent save
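The brace-expanded port list earlier and the three multiport rules above are the same data in two shapes; this added example (not from the original notes) generates the multiport commands from a plain port list, splitting it so that no rule exceeds multiport's limit of 15 port slots, where a low:high range costs two slots. It assumes the same insert position 6 and `-m state --state NEW` match as the rules above, and it only prints the commands so they can be reviewed first.

```shell
# emit_rule PROTO PORTLIST -> one multiport ACCEPT rule, printed rather than executed
emit_rule() {
    printf 'iptables -I INPUT 6 -p %s -m state --state NEW -m multiport --dports "%s" -j ACCEPT\n' "$1" "$2"
}

# multiport_rules PROTO PORT... -> as many rules as needed to stay within 15 slots each
# (note: every rule is inserted at position 6, so the last one printed ends up highest;
# harmless here because all of them ACCEPT)
multiport_rules() {
    local proto=$1; shift
    local batch="" slots=0 cost p
    for p in "$@"; do
        # a range like 12000:12100 costs two of multiport's 15 slots
        case $p in *:*) cost=2 ;; *) cost=1 ;; esac
        if [ $((slots + cost)) -gt 15 ]; then
            emit_rule "$proto" "$batch"
            batch="" slots=0
        fi
        batch="${batch:+$batch,}$p"
        slots=$((slots + cost))
    done
    if [ -n "$batch" ]; then emit_rule "$proto" "$batch"; fi
}

# same port sets as the notes: the tcp list is cut exactly where the notes split it
multiport_rules tcp 80 443 143 993 587 53 853 465 110 25 995 20 21 3306 22111 \
    22333 22999 41641 12000:12100 4190 10000 40110:40210 8080 8443
multiport_rules udp 60000:61000 12000:12100 8080 53
```

Pipe the output into `sh` only once the printed rules match what you intended; the 15-slot split is the reason the notes needed two tcp rules.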
- Procedure for simulating what happens during boot
I reset, because that is the state when it powers on:
iptables-save | awk '/^[*]/ { print $1 } /^:[A-Z]+ [^-]/ { print $1 " ACCEPT" ; } /COMMIT/ { print $0; }' | iptables-restore
iptables --flush; ip6tables --flush
Apply policy:
iptables-restore < /etc/iptables/rules.v4
ip6tables-restore < /etc/iptables/rules.v6
- Some basic operations
Inspect the chains:
iptables -L
iptables -L | grep 41641
cat /etc/iptables/rules.v4
iptables --list --line-numbers
New region in Jovanovac, Serbia - Oracle Cloud Infrastructure Release Notes Regions and Availability Domains
Changing the SSH port and root login
# change ssh port
echo "Port 22111" > /etc/ssh/sshd_config.d/99-change-port.conf
# add the public key so you can log in as root
mkdir -p -m 700 ~/.ssh
curl -fsSL https://github.com/cvladan.keys -o ~/.ssh/authorized_keys && chmod 600 $_
# or: wget github.com/cvladan.keys -O ~/.ssh/authorized_keys && chmod 600 $_
# disable password login
echo -e "# PermitRootLogin prohibit-password\n# PubkeyAuthentication yes\nPasswordAuthentication no" > /etc/ssh/sshd_config.d/50-root-login.conf
# restart service (on Ubuntu releases where ssh is socket-activated via ssh.socket, the listening port comes from the socket unit, so check that the new port is actually in use after the restart)
service sshd restart
Also if you would like to set up FTP make sure to allow 20,21,49152-65534 on your server too.
The guide to installing CloudPanel on Oracle Cloud is excellent.
Then add one more password:
clpctl cloudpanel:enable:basic-auth --userName=upravitelj --password='kr5manija+Usne'
And then set in admin: Settings > CloudPanel Custom Domain:
https://otto.s.savioko.com:8443
Networking in Oracle Cloud Infrastructure – Harish KM
AVIF support on CloudPanel
Somehow you have to remove their PHP and install one from Ondrej's PPA, because ondrej's packages have AVIF enabled in the GD library.
apt list --installed | grep php8.3
# https://gist.github.com/bhuiyanmobasshir94/87e234444e1c2e10170a2112869ad54b
add-apt-repository ppa:ondrej/php -y
apt install php8.3 php8.3-{apcu,bcmath,bz2,cli,common,curl,fpm,gd,gmp,imap,imagick,intl,mbstring,mysql,opcache,pspell,readline,soap,sqlite3,tidy,xml,xmlrpc,xsl,zip}
# this is the important part
dpkg --remove --force-depends php8.3 php8.3-{apcu,bcmath,bz2,cli,common,curl,fpm,gd,gmp,imap,imagick,intl,mbstring,mysql,opcache,pspell,readline,soap,sqlite3,tidy,xml,xmlrpc,xsl,zip,igbinary,redis}
apt --fix-broken install php8.3 php8.3-{apcu,bcmath,bz2,cli,common,curl,fpm,gd,gmp,imap,imagick,intl,mbstring,mysql,opcache,pspell,readline,soap,sqlite3,tidy,xml,xmlrpc,xsl,zip,igbinary,redis}
CloudPanel seems to NOT automatically renew Let's Encrypt certificates, although it probably does so for Cloudflare certificates. This same issue was raised by others as well in a discussion thread Automatic renewal of Lets Encrypt certificates. As a result, a script was created and is available on the repository named cloudpanel-autorenew-letsencrypt-certs to renew certificates via the command line.
From that script I concluded that renewal is done with the command:
clpctl lets-encrypt:install:certificate --domainName=agape-kristali.hr
This isn't actually a renewal; it just adds and activates a new certificate, but that's enough too.
Or for a list of domains:
domains=(agape-kristali.hr agape.jao.rs cnc24.jao.rs orotec.jao.rs weddy.jao.rs www.jao.rs);
for domain in "${domains[@]}"; do clpctl lets-encrypt:install:certificate --domainName="$domain"; done