firewall rules


Vincent Delecroix

Jan 27, 2021, 3:16:24 AM1/27/21
to BigBlueButton-Setup

Dear all,

I installed a BigBlueButton server the quick way, i.e. ran the bbb-install.sh script on an Ubuntu 16.04. I did not enable the automatic firewall setup with `-w` and would like to set up the appropriate rules manually via `iptables`. The documentation at https://docs.bigbluebutton.org/2.2/configure-firewall.html did not help me through since it does not describe the setup obtained after running the script. I tried the rules

```
# loopback
iptables -A INPUT -i lo -j ACCEPT
# SSH, HTTP and HTTPS
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# WebRTC media (UDP)
iptables -A INPUT -p udp --match multiport --dports 16384:32768 -j ACCEPT
# default policy, set last so the ACCEPT rules above are already in place
iptables -P INPUT DROP
```

But as far as I understand that forbids some communication with the docker processes.

For completeness, the set of rules that are present after running the script without `-w` are

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:postgresql
ACCEPT     tcp  --  anywhere             172.18.0.3           tcp dpt:http

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
```

Also, I am a bit suspicious about the DOCKER-ISOLATION-STAGE-1 rules since there are many repetitions. Any hint on that side would be welcome as well.

Thanks,
Vincent

ICT Cloud

Jan 27, 2021, 12:28:36 PM1/27/21
to BigBlueButton-Setup
Hi,

I would reset your firewall rules

```
ufw --force reset
```

Then reinstall using the install script with the -w switch and then adjust your firewall rules afterwards. Might make things a bit easier to manage.

~b10

Vincent Delecroix

Jan 28, 2021, 5:10:18 AM1/28/21
to BigBlueButton-Setup
Thanks for your answer. I would prefer understanding what to do rather than applying blindly the install script again.

All the rules of the bbb install script seem contained in /etc/bigbluebutton/bbb-conf/apply-lib.sh lines 97:118 and, as far as I can read the ufw commands, they exactly correspond to what I did with the iptables command I wrote in my first e-mail (and are also the ones documented at https://docs.bigbluebutton.org/2.2/configure-firewall.html).

After logging the dropped packets I found out that I had to allow incoming packets from the br-ec9e78285f4e interface, that is

```
iptables -A INPUT -i br-ec9e78285f4e -j ACCEPT
```

Not sure that it has anything to do with BBB...
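One way to turn the thread's finding into something repeatable, as an added example that is neither from the thread nor from the BigBlueButton project: a POSIX shell script that prints the INPUT rules from the first post plus the Docker bridge accept from the last one, and adds a conntrack rule (so replies to the host's own outbound connections are not dropped) and a rate-limited LOG rule ahead of the DROP policy, which is how the dropped bridge traffic was spotted in the first place. The bridge interface name is machine-specific (br-ec9e78285f4e on the poster's host) and the LOG prefix is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread or the BBB project.
# Generates (does not run) the INPUT rules for a bbb-install.sh host whose
# Docker containers sit behind a bridge interface such as br-ec9e78285f4e.

# Print the iptables commands for the given Docker bridge; nothing is executed.
gen_bbb_input_rules() {
    bridge="$1"            # e.g. br-ec9e78285f4e (assumed name, see `ip -o link`)
    ssh_port="${2:-22}"
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $bridge -j ACCEPT
iptables -A INPUT -p tcp --dport $ssh_port -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp --dport 16384:32768 -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
iptables -P INPUT DROP
EOF
}
# Notes on the list above: the bridge ACCEPT admits anything a container sends
# to the host, so keep it after lo/conntrack and narrow it to the Docker subnet
# (-s 172.18.0.0/16 in the thread's output) if the host runs other services;
# the DROP policy is emitted last so SSH is never cut off before its ACCEPT.

# List Docker bridge interfaces present on this host (docker0 or br-<hash>).
docker_bridges() {
    ip -o link show 2>/dev/null | awk -F': ' '{print $2}' | grep -E '^(docker0|br-[0-9a-f]+)$'
}

# Count the rules in $1 that bind to interface $2; used to verify the output.
count_iface_rules() {
    printf '%s\n' "$1" | grep -c -- "-i $2"
}

# Usage:
#   gen_bbb_input_rules br-ec9e78285f4e            # review the rules
#   gen_bbb_input_rules br-ec9e78285f4e | sudo sh -e  # apply them (root)
```

Dropped packets then show up in `dmesg`/syslog with the `INPUT-DROP:` prefix and their `IN=` interface, which is exactly the clue that pointed at the bridge.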