Minecraft Server SSH Permissions

So… In the Minecraft balenaCloud project (How to create a Minecraft Server for the Raspberry Pi 4 with balena) it used to say the SSH credentials (which are root and balena). I have used these credentials for some time and there are no other user accounts apart from these ones (other than system ones). Today I decided to set up the ufw firewall on it (it is running Debian 10.8). When I was configuring it, it spat out that iptables did not have permission because I was not root, even though I was logged in as root and using sudo (without it bore the same response). I have tried to use the balenaCloud terminal using the Host OS (same response). I am writing this to ask if there are any ways to be able to set up ufw, or any other ways to set up a firewall or escalate my permissions.

Hi,

The permission denied error occurs because you are trying to run ufw from an unprivileged container (I assume the SCP server). To manipulate host firewall rules you need a container that has network_mode: host and privileged: true. In the Minecraft server’s particular case that should be all the containers except for scp-server. You can control the firewall with iptables (or iptables-legacy on Debian), so a sanity check could be iptables-legacy -L: if you get no error and the rules are listed, you will be allowed to modify them. As for ufw, you need to try that; theoretically it should work, but it is Ubuntu-first and may not like BalenaOS’s default firewall setup.

The cleanest solution to control the firewall would be not to tamper with the existing containers and instead create a new one that would only be in charge of setting up the firewall rules.


Okay, thanks for the solution, but I’m a bit new to this, so can you please try to explain it in a more simple way? If you can’t then that’s fine, but I would prefer it in a simpler form.

Here’s what I would recommend to create a separate ufw service for modifying firewall rules.

In a clone of the minecraft server project, create a new file ufw/Dockerfile.template with something similar to the following:

FROM balenalib/%%BALENA_MACHINE_NAME%%:latest

RUN install_packages ufw

CMD [ "balena-idle" ]

Then in the existing docker-compose.yml add the new ufw service before the volumes definition:

...
  ufw:
    build: ./ufw
    network_mode: host
    privileged: true
volumes:
  serverfiles:
  servercache:

Once this is deployed you can open a session in the ufw service via the balena dashboard and issue ufw and/or iptables commands.

Let us know if this works for you!
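
The following is an added example, not part of the posts above or of the balena project: a preflight script for the ufw service that shows why root in an unprivileged container is still refused (its effective capability mask lacks CAP_NET_ADMIN) and then repeats the iptables-legacy -L sanity check from the reply. The function names are hypothetical and the two sample masks are constructed.

```sh
#!/bin/sh
# Added example: preflight check to run inside the ufw service container.
# CAP_NET_ADMIN is capability number 12 (linux/capability.h); netfilter
# refuses rule changes without it, whatever the user ID is.
CAP_NET_ADMIN_BIT=12

# Print the effective capability mask (hex) from a /proc status file.
read_capeff() {
    awk '/^CapEff:/ { print $2 }' "${1:-/proc/self/status}"
}

# Succeed if the hex mask in $1 has the CAP_NET_ADMIN bit set.
has_net_admin() {
    [ -n "$1" ] || return 1
    [ $(( (0x$1 >> CAP_NET_ADMIN_BIT) & 1 )) -eq 1 ]
}

# firewall_ready [tool] [status-file]
# Returns 0 if rules can be managed, 1 if the capability is missing,
# 2 if the capability is present but listing the rules still fails.
firewall_ready() {
    tool="${1:-iptables-legacy}"
    mask="$(read_capeff "${2:-/proc/self/status}")"
    if ! has_net_admin "$mask"; then
        echo "CapEff=$mask lacks CAP_NET_ADMIN; set privileged: true" >&2
        return 1
    fi
    # Same sanity check as in the reply: listing the rules must succeed.
    if ! "$tool" -L >/dev/null 2>&1; then
        echo "$tool -L failed although CAP_NET_ADMIN is present" >&2
        return 2
    fi
    echo "OK: $tool can list the rule set"
}

# Constructed sample masks: a typical default Docker capability set,
# then a fully privileged one.
for m in 00000000a80425fb 0000003fffffffff; do
    if has_net_admin "$m"; then
        echo "$m: CAP_NET_ADMIN present"
    else
        echo "$m: CAP_NET_ADMIN missing"
    fi
done
# In the container itself: firewall_ready || exit 1
```

The capability check says nothing about the network namespace: without network_mode: host the same commands succeed but act on the container's own rules, not the host's.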