Firewall preventing netdata docker node connection | Netdata | Page 1

hybrid hull Oct 16, 2024, 2:45 PM

#

Hey there,

I have multiple Oracle Cloud Ubuntu 22.04 VMs and I am trying to setup connection to Netdata cloud with them, however, Oracle Cloud come with a preconfigured os iptables firewall, if I remove it and just use the ingress rules at the host level it works fine, but with the preconfigured firewall and added rules for acepting ports 80 and 443 it dosen't seem to work, and I would rather have a firewall at the OS level as well for extra security, maybe someone knows what could be causing this and how it could be fixed? Thank you!

#

I am using netdata docker compose for the node connection

obsidian jacinth Oct 16, 2024, 2:57 PM

#

Hi, @hybrid hull.

added rules for acepting ports 80 and 443

What iptables rules did you add?

hybrid hull Oct 16, 2024, 3:20 PM

#

obsidian jacinth Hi, <@161590281928441857>. > added rules for acepting ports 80 and 443 What i...

sudo iptables-legacy -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
sudo iptables-legacy -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
sudo iptables-legacy-save | sudo tee /etc/iptables/rules.v4
sudo reboot now

obsidian jacinth Oct 16, 2024, 3:21 PM

#

I think you need FORWARD too

#

80 is not needed

hybrid hull Oct 16, 2024, 3:31 PM

#

Tried:

sudo iptables-legacy -I FORWARD -p tcp --dport 443 -j ACCEPT
sudo iptables-legacy-save | sudo tee /etc/iptables/rules.v4
sudo reboot now

but still not getting any metrics:

obsidian jacinth Oct 16, 2024, 4:13 PM

#

No need to reboot every time.
If you use recommended way (https://learn.netdata.cloud/docs/netdata-agent/installation/docker#recommended-way) FORWARD is not needed. You can remove it.

What you need is the following:

allow INPUT ssh connection (add more lines with different dport value if you have more services)

iptables -A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT

allow all incoming response packets
iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT

#

I assume that you don't have filter rules in the OUTPUT chain

hybrid hull Oct 16, 2024, 5:19 PM

#

my system seems to be using nftables:
ubuntu@asf:~$ iptables -A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT
iptables v1.8.7 (nf_tables): unknown option "--dport"
Try `iptables -h' or 'iptables --help' for more information.
ubuntu@asf:~$

so that is why I was adding to rules.v4 and rebboting:

sudo iptables-legacy-save | sudo tee /etc/iptables/rules.v4
sudo reboot now

and even doing:

sudo nft add rule ip filter input ct state established accept
sudo nft add rule ip filter input tcp dport 22 ct state new accept

Same problem

obsidian jacinth Oct 16, 2024, 5:50 PM

#

Try to google/use chatGPT/ask oracle help. You need to allow input established connections, for Netdata that is enough (assuming all output connections are allowed).

#Firewall preventing netdata docker node connection