Help needed: Persist iptables Rule on the Host OS [Network Requirements]

My Balena devices are outside my local network. I see that to access the Balena API (Balena cloud in my case) I want to open up some ports.

I do add the needed rules in iptables. On reboot I see all my rules are thrown away; I see the other rules for supervision0 and resin-vpn.

What is the best practice to persist the iptables rules on the HostOS?

Kindly let me know how I can add my rules to the list so that they are persisted on each reboot.

Hey @naga,

Have you tried setting your iptables rules in your Dockerfile?

Hi @jviotti

I am looking to add that on the Host OS.

Also I am trying to understand how the existing rules of the supervisor and resin-vpn are added to the Host OS iptables.

Hi @naga
I experimented with iptables and containers a while ago and found that a container configured with host networking and possibly privileged mode can set iptables rules on the host. So you could set up a container/service that sets the rules you need.

Hi @samothx,
Thanks for the response. I am trying to understand here, can you please share some samples?

@naga Can you explain your use case a bit more. Why do you need to open ports? In general, to connect to balenaCloud you shouldn't need to alter the OS iptables rules at all; it should all just work out of the box. Is that not the case for your devices?

@shaunmulligan: The device will be outside of the local network using cellular.

As per the documentation, Balena makes use of the following ports: 443 TCP, 123 UDP, 53 UDP, and whitelists certain domains.

To whitelist, I need to add those to iptables. Right now I can create a container with the iptables rules to access the device.

Can we do this directly on the HostOS so that whenever it reboots it sees the devices right away?

@naga I think there is some confusion here; the documentation is referring to the ports which the device will make outbound connections to, not ports on which it expects inbound connections. In its default state, iptables will not block outbound traffic, so you don't need to add any rules for this.

Are you trying to prevent the device talking to any service on the internet EXCEPT the Balena cloud services or something else?

@richbayliss Thanks for the clarification.

I am trying to do two things here

  1. I need to access my device (which is outside the network and connected via a cellular connection) via Balena Cloud, which I couldn't do as of now.

  2. Restrict all other access except Balena.

So, to address your points:

I need to access my device (which is outside the network and connected via a cellular connection) via Balena Cloud, which I couldn't do as of now.

Access to the device is via a VPN and is device initiated to our servers which operate on port 443. The host OS doesn’t need any inbound ports to be open for this to happen. Once this VPN is established then we give you access to SSH via the VPN using either the dashboard or balena ssh CLI.

Restrict all other access except Balena

Just to clarify, do you mean prevent the device pulling data from other sites; like a cURL request to Google etc, or do you mean prevent services on the device accepting inbound connections from 3rd parties, like HTTP etc?

@richbayliss Thanks for the clarification on the VPN part.

I meant the device accepting inbound connections from 3rd parties, like HTTP.

Hi @naga I think for blocking other traffic you can probably do something similar to what the guys in this thread did: Enable Public Device URL but not IP Address Access, where they are restricting traffic to only the VPN.

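
Putting @samothx's suggestion (a host-networked container applies the rules) together with @richbayliss's clarification (only inbound connections from third parties need blocking; the VPN is device-initiated), here is an added example of such a service. It is not code from this thread or from balena. It assumes a compose service run with `network_mode: host` and `cap_add: [NET_ADMIN]` (or `privileged: true`) and `restart: always`; the uplink interface names in `WAN_IFS` (`wwan0` by default) and the chain name `APP_FW` are placeholders to adjust, while `resin-vpn` is the tunnel interface named in the thread. The policy drops only new inbound connections arriving on the uplink: the VPN keeps working because its tunnel packets are replies to an outbound connection (ESTABLISHED on the uplink) and the decrypted traffic arrives on `resin-vpn`, which is accepted. Persistence comes from the container being restarted with the host and re-applying the rules, not from the host OS storing them.

```shell
#!/bin/sh
# apply-rules.sh: entrypoint of a small "firewall" service. Assumed (not from the thread)
# docker-compose.yml entry for it:
#   firewall:
#     build: ./firewall
#     network_mode: host      # share the host network namespace, so iptables edits the host
#     cap_add: [NET_ADMIN]    # enough to change iptables; privileged: true also works, but is broader
#     restart: always         # the service, and therefore the rules, come back on every boot
set -eu

WAN_IFS="${WAN_IFS:-wwan0}"        # uplink interface(s), space separated; names are placeholders
CHAIN="${CHAIN:-APP_FW}"           # our own chain, so we never edit the supervisor's rules
IPTABLES="${IPTABLES:-iptables}"   # override for a dry run: IPTABLES="echo iptables"

# Print the rules of our chain, one per line, as iptables arguments without the chain name.
# Order matters: accepts come first, so the DROP only sees fresh inbound attempts on the uplink.
render_rules() {
    printf '%s\n' \
        '-i lo -j ACCEPT' \
        '-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-i resin-vpn -j ACCEPT'
    for ifc in $WAN_IFS; do
        printf '%s\n' "-i $ifc -m conntrack --ctstate NEW -j DROP"
    done
}

# Create (if needed), flush and repopulate the chain, then hook it into INPUT exactly once.
# Flushing plus the -C check makes re-runs idempotent, which matters with restart: always.
apply_rules() {
    $IPTABLES -N "$CHAIN" 2>/dev/null || true
    $IPTABLES -F "$CHAIN"
    render_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # splitting $rule into separate arguments is intended
        $IPTABLES -A "$CHAIN" $rule
    done
    # Append rather than insert, so the supervisor's own INPUT rules keep precedence.
    $IPTABLES -C INPUT -j "$CHAIN" 2>/dev/null || $IPTABLES -A INPUT -j "$CHAIN"
}

main() {
    apply_rules
    $IPTABLES -S "$CHAIN"           # log what is now active on the host
    while :; do sleep 3600; done    # stay up; the rules live in the host kernel either way
}

# Run main only when executed as the entrypoint, so the functions can be sourced for testing.
case "${0##*/}" in apply-rules.sh) main "$@" ;; esac
```

Before relying on it, run `iptables -S INPUT` and `iptables -S APP_FW` on the device and confirm the jump sits after the supervisor's rules and that a fresh `balena ssh` session still works over the VPN. Note that the same DROP also rejects direct SSH to the host OS from the local network, since that is a new inbound connection on the uplink; that is what "only balena" implies, so keep VPN access verified before deploying it to a remote cellular device. `IPTABLES="echo iptables" sh apply-rules.sh` prints the commands without touching the host.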