Should Camo accept outside connections?

All right, this is probably more of a “Linux newbie” question than a “Diaspora support” question.

I set up Camo proxy on my pod and got it working just fine using these instructions.

However, now I have my server responding on port 8081, and even though I run Camo as a separate unprivileged user I am still wondering if that is good practice. As I understand it, external clients connect to the web server on port 443 anyway, and the web server then proxies some content to Camo internally:

upstream camo {
server 127.0.0.1:8081;
}

So I added these firewall rules to drop outside connections (XX - external IP):

iptables -A INPUT -s 127.0.0.1 -p tcp --dport 8081 -m state --state NEW -j ACCEPT
iptables -A INPUT -s XX.XX.XX.XX -p tcp --dport 8081 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 8081 -m state --state NEW -j DROP

As soon as I apply this firewall config, Camo breaks (images from sources other than my pod fail to load). I remove it and it works again. Am I missing something here?
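As an added example (not code from the thread or from the Camo project), here is a small shell check for the situation described above: a reverse proxy talks to Camo over 127.0.0.1:8081, and the question is whether that port is reachable from outside. The first function inspects `ss -Hltn` output (a constructed sample is embedded so it runs offline) and reports whether every listener on the port is bound to a loopback address; the second prints the INPUT rules in the usual order, accepting the loopback interface and already-established traffic before dropping new connections to the port. The port number, the sample listener table and the rule order are assumptions of the example, not something the original post specifies.

```shell
#!/bin/sh
# Added example, not from the original thread. CAMO_PORT and the sample
# listener tables below are assumptions made for illustration.

CAMO_PORT=8081

# Constructed sample of `ss -Hltn` output: Camo bound to loopback only.
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8081 0.0.0.0:*
LISTEN 0 128 [::]:443 [::]:*'

# Constructed sample where a second Camo socket listens on all interfaces.
SAMPLE_EXPOSED='LISTEN 0 128 127.0.0.1:8081 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8081 0.0.0.0:*'

# loopback_only PORT [LISTENER_TABLE]
# Returns 0 when every socket listening on PORT is bound to 127.0.0.1 or ::1,
# 1 when some listener on PORT is bound to a wildcard or external address,
# 2 when nothing listens on PORT. Runs `ss -Hltn` if no table is supplied.
loopback_only() {
    port=$1
    table=${2:-$(ss -Hltn)}
    found=0
    exposed=0
    # Columns of `ss -Hltn`: State Recv-Q Send-Q Local:Port Peer:Port [Process]
    while read -r _state _recvq _sendq laddr _peer _rest; do
        [ -n "$laddr" ] || continue
        addr=${laddr%:*}      # everything before the last ':' is the address
        lport=${laddr##*:}    # everything after it is the port
        [ "$lport" = "$port" ] || continue
        found=1
        case "$addr" in
            127.0.0.1|"[::1]") ;;   # loopback: fine
            *) exposed=1 ;;         # 0.0.0.0, *, [::] or a real address: exposed
        esac
    done <<EOF
$table
EOF
    [ "$found" -eq 1 ] || return 2
    [ "$exposed" -eq 0 ]
}

# camo_rules [PORT]
# Prints INPUT rules for review (pipe to sh to apply). Loopback traffic and
# already-established flows are accepted first, so the proxy's local connection
# to Camo and the replies to Camo's own outbound image fetches (which arrive on
# ephemeral ports, not on PORT) are unaffected; only new connections to PORT
# from other hosts are dropped.
camo_rules() {
    port=${1:-$CAMO_PORT}
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j DROP
EOF
}
```

Run `loopback_only 8081` on the pod itself to check the live socket table; if it returns 1, Camo is listening on an external address and the firewall rule is the only thing between it and the internet, so binding it to 127.0.0.1 in Camo's own configuration (where the Camo build in use supports that) is the more robust fix, with the firewall as a second layer.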

So your first rule accepts all incoming TCP connections FROM localhost with destination port 8081, but only for connections that are NEW.

Your second rule accepts all connections from your external IP with TCP destination port 8081 which are also new.

And your third rule drops all new TCP requests with a destination port of 8081.

Offhand I don’t see anything wrong with your firewall rules, except maybe that state match. Do me a favor and remove them one at a time to identify which one is mucking things up; we can move on from there. It could be either your second rule or your last rule (from my perspective).

Thanks, Eric!

Not sure why I included the connection state in the first place… I removed it altogether:

iptables -A INPUT -s 127.0.0.1 -p tcp --dport 8081 -j ACCEPT
iptables -A INPUT -s XX.XX.XX.XX -p tcp --dport 8081 -j ACCEPT
iptables -A INPUT -p tcp --dport 8081 -j DROP

Seems to work now!

Sweet! My first solution on this site :smiley: hehe


Hey, maybe I don’t understand the issue, but I am wondering why this is necessary?

My UFW configuration, printed below, seems to resolve the issue while at the same time blocking other stuff. That is, of course, unless I misunderstand the issue :slight_smile:

Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    x.x.x.x                 
80/tcp                     ALLOW IN    Anywhere                  
443/tcp                    ALLOW IN    Anywhere                        
80/tcp (v6)                ALLOW IN    Anywhere (v6)             
443/tcp (v6)               ALLOW IN    Anywhere (v6)             

You have a better setup with a default “deny” rule set. Something I should implement too.

In my case I just wanted to close this particular port but was wondering why things kept breaking when I did.

Thanks for confirming. I just wanted to make sure I hadn’t overlooked something.