Yunohost firewall command line examples?

I am trying to limit access to a yunohost installation by IP. I first tried to install ufw and set up the commands that I know to restrict access to a few IPs, but it did not have any effect. Then I found that there is a yunohost firewall command, but there was not much documentation. Using --help did not give many options.

With ufw you can do what I want easily with

sudo ufw default deny incoming && sudo ufw default allow outgoing
sudo ufw allow from 1.1.1.1

How can this be achieved with the Yunohost firewall?

And is there documentation somewhere about all the yunohost command line commands? Thanks a lot!

Uh you can’t really do this with yunohost’s firewall, it’s pretty “basic” and only able to allow/deny ports…

But it can be extended using some iptables commands to add whatever you want … You'll need to create a custom hook called post_iptable_rules:

nano /etc/yunohost/hooks.d/post_iptable_rules/my_custom_rules

then the content you put in it is a bash script where you can put arbitrary commands, executed each time the firewall is regenerated.
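As an added illustration of such a hook for the original question (example code written for this page, not YunoHost's own code and not posted in the thread), here is a post_iptable_rules script that restricts new connections to chosen TCP ports to an allowlist of source addresses. The file name, the addresses in ALLOWED_SOURCES, the port list and the chain name YNH_CUSTOM_ALLOWLIST are all assumptions to adapt. The point that decides whether it works at all is placement: YunoHost rebuilds INPUT with an ACCEPT for every open port and only then calls the hook, so a restriction appended with -A sits behind that ACCEPT and is never reached; it has to be inserted at the head of INPUT.

```shell
#!/bin/bash
# Example hook for /etc/yunohost/hooks.d/post_iptable_rules/my_custom_rules
# (added illustration, not YunoHost's own code). Restricts NEW TCP
# connections to PROTECTED_PORTS to the sources in ALLOWED_SOURCES;
# everything else to those ports is logged (rate limited) and dropped.
#
# YunoHost rebuilds INPUT with its own "ACCEPT --dport N" rules for every
# open port and only then runs this hook, so a rule appended with -A would
# never be reached. The jump is therefore inserted at position 1, and the
# rules themselves live in a private chain that survives INPUT being flushed.

# Constructed values for the example; replace with your own networks/ports.
ALLOWED_SOURCES="${ALLOWED_SOURCES:-192.168.0.0/24 10.7.0.2}"
PROTECTED_PORTS="${PROTECTED_PORTS:-22}"
CHAIN="YNH_CUSTOM_ALLOWLIST"

# Emit the iptables invocations as text, one per line, without running them.
# Keeping generation separate from execution lets the rule set be reviewed
# (or diffed against the previous run) before it touches the firewall.
build_rules() {
    local src port
    # create the private chain if missing, then empty it (idempotent)
    echo "iptables -w -N $CHAIN 2>/dev/null || true"
    echo "iptables -w -F $CHAIN"
    # loopback and allowlisted sources leave the chain and continue down
    # INPUT, where YunoHost's own ACCEPT for the port matches them
    echo "iptables -w -A $CHAIN -i lo -j RETURN"
    for src in $ALLOWED_SOURCES; do
        echo "iptables -w -A $CHAIN -s $src -j RETURN"
    done
    # everyone else: a rate-limited kernel log line, then drop
    echo "iptables -w -A $CHAIN -m limit --limit 5/min -j LOG --log-prefix 'ynh-allowlist: '"
    echo "iptables -w -A $CHAIN -j DROP"
    # divert only NEW connections so established sessions are untouched;
    # delete any stale jump first so repeated runs do not stack duplicates
    for port in $PROTECTED_PORTS; do
        echo "iptables -w -D INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j $CHAIN 2>/dev/null || true"
        echo "iptables -w -I INPUT 1 -p tcp --dport $port -m conntrack --ctstate NEW -j $CHAIN"
    done
}

apply_rules() {
    # execute the generated lines, aborting on the first failure so a
    # half-applied rule set shows up in the firewall reload output
    build_rules | sh -e
}

# Touch netfilter only when actually running as the hook (root, iptables
# usable); sourcing the file elsewhere merely defines the functions above.
if [ "$(id -u)" = 0 ] && iptables -w -S INPUT >/dev/null 2>&1; then
    apply_rules
else
    echo "my_custom_rules: not root or iptables unavailable; rules not applied" >&2
fi
```

After saving the file, run `yunohost firewall reload` and confirm with `iptables -w -S INPUT | head` that the jump to the chain is the first rule; dropped attempts show up in the kernel log with the `ynh-allowlist:` prefix, which is a handy thing to watch. The script only covers IPv4; if the box has a public IPv6 address the same needs doing with ip6tables, otherwise the restriction is bypassed over v6.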

OK, I understand, thanks. Another workaround that seems to work fine, which I tried now, is using /etc/hosts.allow (with sshd: 1.1.1.1 or other IPs) and /etc/hosts.deny (with sshd: ALL).

To follow up: as a workaround, those of us who use a VPS and need to protect our instance might use (as an alternative to iptables rules?)

1. yunohost firewall to open / close ports
2. hosts.allow and hosts.deny for blocking access to some parts of the system, such as ssh
3. nginx's ability to block access to applications

Example: in /etc/hosts.deny add

sshd: ALL

and in /etc/hosts.allow

# network address plus prefix length; the host bits must be zero
sshd: 192.168.0.0/24
# loopback is a single host, no prefix needed
sshd: 127.0.0.1
# VPN subnet: 10.7.0.1/24 would name a host, not the network
sshd: 10.7.0.0/24

(or any other IP)

To protect apps, I found out it works this way.

To protect Rainloop:

edit the file /etc/nginx/conf.d/domain.com.d/rainloop.conf

with the following:

# Put the allow/deny pair inside the app's existing "location ^~ /rainloop/"
# block: a second block with the same prefix is rejected by nginx as a
# duplicate location. Rules are evaluated in order, so the allow must come
# before "deny all". YunoHost rewrites this file on app upgrade, so re-check
# it afterwards.
location ^~ /rainloop/ {
   allow 10.7.0.2;
   deny all;
}

replace 10.7.0.2 with any IP you use

Maybe some of the experts might review my solution, it seems to work in my case

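Two checks worth running before trusting items 2 and 3 of that list, as an added example (written for this page, not code from the thread or from YunoHost). First, hosts.allow/hosts.deny only reach sshd if the sshd binary is linked with libwrap; upstream OpenSSH dropped that support in 6.7 and the Debian packages since stretch are built without it, so on many boxes those files silently do nothing for ssh. Second, a net/prefix entry must name the network: a host address such as 127.0.0.1/24 or 10.7.0.1/24 has host bits set and does not describe the subnet the writer had in mind. The script below lints the sshd entries of a hosts.allow-style file for that mistake (IPv4 only; keywords such as ALL and LOCAL are passed through) and reports whether sshd can honour the file at all. The sample file contents are constructed for the demonstration, and the function names are my own.

```shell
#!/bin/sh
# Added check (not from the thread): lint sshd entries in a hosts.allow /
# hosts.deny style file and confirm that sshd can honour them at all.
# tcp_wrappers reads "n.n.n.n/m.m.m.m" as net/mask and, in the libwrap builds
# Debian ships, "n.n.n.n/len" as net/prefixlen; in both forms the address part
# has to be the network address (host bits zero).

ip_to_int() {
    # dotted quad -> unsigned integer (IPv4 only)
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

check_client() {
    # Prints "ok ..." for a single host or a well-formed net/len or net/mask,
    # otherwise a diagnostic with the corrected entry; returns 1 in that case.
    local spec="$1" net len n mask
    case "$spec" in
        */*) ;;
        *) echo "ok: $spec (single host)"; return 0 ;;
    esac
    net="${spec%/*}"; len="${spec#*/}"
    n=$(ip_to_int "$net")
    case "$len" in
        *.*) mask=$(ip_to_int "$len") ;;                            # net/mask form
        *)   mask=$(( (4294967295 << (32 - len)) & 4294967295 )) ;; # net/prefixlen form
    esac
    if [ $(( n & mask )) -ne "$n" ]; then
        echo "bad: $spec has host bits set; did you mean $(int_to_ip $(( n & mask )))/$len ?"
        return 1
    fi
    echo "ok: $spec"
}

lint_hosts_file() {
    # Scan the "sshd:" lines of a file; the return value is the number of bad
    # entries. Comma-separated client lists on one line are handled.
    local file="$1" bad=0 clients c line
    while IFS= read -r line; do
        case "$line" in
            sshd:*) ;;
            *) continue ;;
        esac
        clients=$(printf '%s' "${line#sshd:}" | tr ',' ' ')
        for c in $clients; do
            case "$c" in
                [0-9]*) check_client "$c" || bad=$((bad + 1)) ;;
                *) echo "ok: $c (keyword or hostname pattern, not checked)" ;;
            esac
        done
    done < "$file"
    return "$bad"
}

sshd_uses_libwrap() {
    # hosts.allow/hosts.deny only apply to sshd if it is linked with libwrap;
    # OpenSSH dropped that support in 6.7 and Debian's packages since stretch
    # are built without it, so check before relying on these files for ssh.
    local sshd
    sshd=$(command -v sshd || echo /usr/sbin/sshd)
    ldd "$sshd" 2>/dev/null | grep -q libwrap
}

# Constructed sample (not a real host's file): the first entry is fine, the
# other two are host addresses with a prefix length.
sample=$(mktemp)
printf '%s\n' 'sshd: 192.168.0.0/24' 'sshd: 127.0.0.1/24' 'sshd: 10.7.0.1/24' > "$sample"
if lint_hosts_file "$sample"; then
    echo "no problems found"
else
    echo "$? bad entries found"
fi
rm -f "$sample"

if sshd_uses_libwrap; then
    echo "sshd is linked with libwrap: hosts.allow/hosts.deny apply to it"
else
    echo "sshd is NOT linked with libwrap: hosts.allow/hosts.deny will not restrict it"
fi
```

Run it as `sh lint_hosts.sh` and then point `lint_hosts_file` at the real /etc/hosts.allow. If the libwrap check fails, the ssh restriction has to live in the firewall (the post_iptable_rules hook above) rather than in hosts.allow. For the nginx side, `nginx -t` before `systemctl reload nginx` catches the duplicate-location mistake immediately.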