Dear all,
I installed a BigBlueButton server the quick way, ie ran the
bbb-install.sh script on a Ubuntu 16.04. I did not enable the automatic firewall setup with `-w` and would like to setup the appropriate rules manually via `iptables`. The documentation at https://docs.bigbluebutton.org/2.2/configure-firewall.html did not help me through since it does not describe the setup obtained after running the script. I tried the rules
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp --match multiport --dports 16384:32768 -j ACCEPT
iptables -P INPUT DROP
But as far as I understand that forbids some communication with the docker processes.
For completness, the set of rules that are present after running the script without `-w` are
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.18.0.2 tcp dpt:postgresql
ACCEPT tcp -- anywhere 172.18.0.3 tcp dpt:http
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Also, I am a bit suspicious about the DOCKER-ISOLATION-STAGE-1 rules since there are many repetitions. Any hint on that side would be welcome as well.
Thanks,
Vincent