[SOLVED] -- See update below.
I installed outline-server (link) on my server and unfortunately FirewallD drops all packets coming from outline-client.
My System:
Ubuntu 18.04 x64
Linux x 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
FirewallD Version: 0.4.4.5
Docker Version: Docker version 18.05.0-ce, build f150324
FirewallD rules:
root@x:~# firewall-cmd --get-active-zones
public
interfaces: ens3 docker0
root@x:~# firewall-cmd --list-ports
{outline_server_port}/tcp {outline_server_port}/udp
The answer on this link hasn't helped either.
Outline-Manager works fine, for example I can create keys and it connects successfully, but Outline Client gives me the following error:
A networking error occurred. If this happens again, please submit feedback.
As soon as I stop FirewallD using the following command:
systemctl stop firewalld.service
outline-client works fine, and as soon as I start FirewallD again, it stops working.
The following is the FirewallD status:
root@x:~# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2018-05-15 23:37:31 CEST; 8s ago
Docs: man:firewalld(1)
Main PID: 2479 (firewalld)
Tasks: 2 (limit: 1113)
CGroup: /system.slice/firewalld.service
└─2479 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid
May 15 23:37:31 x systemd[1]: Starting firewalld - dynamic firewall daemon...
May 15 23:37:31 x systemd[1]: Started firewalld - dynamic firewall daemon.
May 15 23:37:32 x firewalld[2479]: WARNING: COMMAND_FAILED: '/sbin/iptables -w2 -t filter -n -L DOCKER-USER' failed: iptables: No chain/target/match by that name.
May 15 23:37:32 x firewalld[2479]: WARNING: COMMAND_FAILED: '/sbin/iptables -w2 -t filter -C DOCKER-USER -j RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).
May 15 23:37:32 x firewalld[2479]: WARNING: COMMAND_FAILED: '/sbin/iptables -w2 -t filter -C FORWARD -j DOCKER-USER' failed: iptables: No chain/target/match by that name.
I've also enabled:
- Masquerading on FirewallD (firewall-cmd --add-masquerade)
- IPv4 packet forwarding (vim /etc/sysctl.conf, set net.ipv4.ip_forward=1)
Now my question is: How can I configure FirewallD to allow outline-client packets?
Thanks a lot.
Outline uses Docker.
UPDATE [2018.05.16]:
The problem resides in the unique port that Outline creates in the Docker container for each new key (AKA client). To fix the problem, do the following:
Run the following command (thanks a lot @abe):
ss -tlp
Now all ss-server processes with their related ports will be shown; for example, mine looks like the following:
root@dockerTest:~# ss -tlp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:12615 0.0.0.0:* users:(("ss-server",pid=1162,fd=5))
LISTEN 0 128 127.0.0.53%lo:domain 0.0.0.0:* users:(("systemd-resolve",pid=617,fd=13))
LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:* users:(("sshd",pid=824,fd=3))
LISTEN 0 128 [::]:ssh [::]:* users:(("sshd",pid=824,fd=4))
LISTEN 0 128 *:47515 *:* users:(("node",pid=1103,fd=12))
Now, as we can see from the output, ss-server uses port "12615", so we should allow this port in FirewallD. To do this, run the following commands:
firewall-cmd --add-port=12615/tcp
firewall-cmd --add-port=12615/udp
Check outline-client; it should connect.
If everything works as expected, run the following commands to make the changes permanent:
firewall-cmd --add-port=12615/tcp --permanent
firewall-cmd --add-port=12615/udp --permanent
Thanks a lot @abe, I greatly appreciate your help.
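The procedure above, scripted as an added example (this is not code from the original post or from the Outline project): it parses the output of ss -tlp for ss-server listeners and prints the matching firewall-cmd commands for review, so it can be re-run after each new key is created. It assumes a POSIX sh with awk, sort and grep; the embedded sample is constructed, modelled on the listing in the post, and is used only when the script is run with --sample.

```shell
#!/bin/sh
# Added example: turn `ss -tlp` output into firewall-cmd commands for every
# port an ss-server process is listening on. Not part of the original post.

# Constructed sample, modelled on the post's listing (not a live capture).
SAMPLE_SS_OUTPUT='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:12615 0.0.0.0:* users:(("ss-server",pid=1162,fd=5))
LISTEN 0 128 127.0.0.53%lo:domain 0.0.0.0:* users:(("systemd-resolve",pid=617,fd=13))
LISTEN 0 128 0.0.0.0:ssh 0.0.0.0:* users:(("sshd",pid=824,fd=3))
LISTEN 0 128 *:47515 *:* users:(("node",pid=1103,fd=12))'

# Print one port per line for every socket owned by an ss-server process.
# Field 4 is Local Address:Port; the port is the text after the last colon,
# which also works for IPv6 forms such as [::]:12615. Only ss-server is
# matched, so the management port used by node (47515 above) stays closed.
extract_ss_server_ports() {
    printf '%s\n' "$1" |
        awk '/"ss-server"/ { n = split($4, a, ":"); print a[n] }' |
        sort -un
}

# Emit the runtime and permanent firewall-cmd lines for each port and both
# protocols, rather than executing them, so the operator can review first.
firewall_cmds_for_ports() {
    for port in "$@"; do
        for proto in tcp udp; do
            printf 'firewall-cmd --add-port=%s/%s\n' "$port" "$proto"
            printf 'firewall-cmd --add-port=%s/%s --permanent\n' "$port" "$proto"
        done
    done
}

# main --sample uses the constructed listing; plain main reads the live ss -tlp.
main() {
    if [ "${1:-}" = "--sample" ]; then
        ss_out="$SAMPLE_SS_OUTPUT"
    else
        ss_out="$(ss -tlp)"
    fi
    ports="$(extract_ss_server_ports "$ss_out")"
    if [ -z "$ports" ]; then
        echo "no ss-server listener found" >&2
        return 1
    fi
    # $ports is an unquoted newline-separated list of integers on purpose.
    firewall_cmds_for_ports $ports
}
```

Run "main --sample" to see the commands derived from the constructed listing, or "main" on the server to see them for the live listeners; pipe the output to sh only after checking the ports it lists.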