Default Balena firewall accept everything

Product support balenaOS
8

Sure.

In my dockerfile I copy a firewall configuration file to my container and also install iptables.
In my startscript of the container I run:

iptables-restore /myfolder/firewall.rules
This will add my rules to iptables in the host system as the container is running in privileged mode.

The firewall rule file look like this:

# Generated by iptables-save v1.8.4 on Fri Apr 22 18:03:03 2022
*mangle
:PREROUTING ACCEPT [41:10135]
:INPUT DROP [2:80]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [41:4374]
:POSTROUTING ACCEPT [41:4374]
:FIREWALL - [0:0]
-A INPUT -j FIREWALL
-A POSTROUTING -o wwan0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FIREWALL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FIREWALL -m addrtype --src-type LOCAL -j ACCEPT
-A FIREWALL -m addrtype --dst-type MULTICAST -j ACCEPT
-A FIREWALL -i resin-vpn -p tcp -m tcp --dport 48484 -j ACCEPT
-A FIREWALL -i tun0 -p tcp -m tcp --dport 48484 -j ACCEPT
-A FIREWALL -i docker0 -p tcp -m tcp --dport 48484 -j ACCEPT
-A FIREWALL -i lo -p tcp -m tcp --dport 48484 -j ACCEPT
-A FIREWALL -i supervisor0 -p tcp -m tcp --dport 48484 -j ACCEPT
-A FIREWALL -i resin-vpn -p tcp -m tcp --dport 22222 -j ACCEPT
-A FIREWALL -i resin-vpn -p tcp -m tcp --dport 2375 -j ACCEPT
-A FIREWALL -i wlan0 -p udp -m udp --dport 67 -j ACCEPT
-A FIREWALL -i wlan0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FIREWALL -i wlan0 -p udp -m udp --dport 53 -j ACCEPT
-A FIREWALL -i wlan0 -p tcp -m tcp --dport 53 -j ACCEPT
-A FIREWALL -i balena0 -p udp -m udp --dport 53 -j ACCEPT
COMMIT
# Completed on Fri Apr 22 18:03:03 2022

The INPUT default rule is DROP which stop iptables to look in the filter table.

The POSTROUTING is just a fix to the package size problem over modem connection. More info here: https://forums.balena.io/t/routing-problem-when-setting-up-shared-access-point/350084/47

The rest is default Balena rules copied from the filter table with a change on the port 22222 and 2375 rule to only accept connection from resin-cpn. The rules on interface wlan0 is to accept dhcp and dns request from local wifi network. (Device is working as a wifi router).

Can I lock it down even more? I’am not so sure about that LOCAL and MULTICAST rules in the beginning.

1 Like