Google Compute Engine (GCE) firewall and iptables at VM host

After I click “Allow HTTP” and “Allow HTTPS” in the settings of a CentOS 7 VM, I can get the http or https pages of my site. What? I thought I needed to explicitly allow port 80 and port 443 in iptables like I did on other servers. Why don’t I need to touch iptables in this case?

sudo iptables -L -n | less

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
...
Chain INPUT_ZONES (1 references)
target     prot opt source               destination         
IN_trusted  all  --  0.0.0.0/0            0.0.0.0/0           
IN_trusted  all  --  0.0.0.0/0            0.0.0.0/0 
...
Chain IN_trusted (2 references)
target     prot opt source               destination         
IN_trusted_log  all  --  0.0.0.0/0            0.0.0.0/0           
IN_trusted_deny  all  --  0.0.0.0/0            0.0.0.0/0           
IN_trusted_allow  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0    
...

The last line “ACCEPT all” does not look right to me. In chain IN_trusted, iptables runs through IN_trusted_{log,deny,allow} and then “ACCEPT all” for the rest. Shouldn’t it DROP all the others by default for security?

(Since GCE has its own firewall and it blocks all except for things allowed, “ACCEPT all” here in iptables probably won’t bring any security issues.)

When I delete the last rule, I can no longer reach my sites on port 80.

[X ~]$ sudo iptables -L IN_trusted --line-numbers

Chain IN_trusted (2 references)
num  target     prot opt source               destination         
1    IN_trusted_log  all  --  anywhere             anywhere            
2    IN_trusted_deny  all  --  anywhere             anywhere            
3    IN_trusted_allow  all  --  anywhere             anywhere            
4    ACCEPT     all  --  anywhere             anywhere

[X ~]$ sudo iptables -D IN_trusted 4
[X ~]$ sudo iptables -L IN_trusted --line-numbers

Chain IN_trusted (2 references)
num  target     prot opt source               destination         
1    IN_trusted_log  all  --  anywhere             anywhere            
2    IN_trusted_deny  all  --  anywhere             anywhere            
3    IN_trusted_allow  all  --  anywhere             anywhere 

I checked other server images; in Fedora 25 Server edition:

Chain FWDI_FedoraServer (2 references)
target     prot opt source               destination         
FWDI_FedoraServer_log  all  --  0.0.0.0/0            0.0.0.0/0           
FWDI_FedoraServer_deny  all  --  0.0.0.0/0            0.0.0.0/0           
FWDI_FedoraServer_allow  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0 

It only accepts icmp for the rest, which makes much more sense to me.
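The trailing rule is easy to miss in a long listing, so here is a small audit helper, added as an example that is not part of the original post. It parses plain `iptables -L -n` output (no `-v`, no `--line-numbers`) and prints every chain whose final rule is an unconditional “ACCEPT all” from anywhere to anywhere with no match extension (no ctstate, dport, and so on). The SAMPLE_IPTABLES text is constructed from the chains shown above; the function and variable names are my own.

```shell
#!/bin/sh
# audit_catchall_accept: read `iptables -L -n` output on stdin and print the
# name of every chain whose LAST rule is "ACCEPT all <any> <any>" with no
# further match (5 columns only). Such a chain accepts whatever the earlier
# sub-chains did not already handle, which is what the IN_trusted chain above does.
audit_catchall_accept() {
    awk '
        function flush() { if (last != "") print last; last = "" }
        /^Chain /   { flush(); chain = $2; next }   # new chain header
        /^target /  { next }                        # column header line
        NF == 0     { next }                        # blank separator
        {
            # an unconditional catch-all: ACCEPT, proto all, any source, any dest,
            # and nothing after the destination column ("anywhere" when run without -n)
            last = ($1 == "ACCEPT" && $2 == "all" && NF == 5 &&
                    ($4 == "0.0.0.0/0" || $4 == "anywhere") &&
                    ($5 == "0.0.0.0/0" || $5 == "anywhere")) ? chain : ""
        }
        END { flush() }
    '
}

# Constructed sample built from the chains quoted in the post above.
SAMPLE_IPTABLES="$(cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_trusted  all  --  0.0.0.0/0            0.0.0.0/0

Chain IN_trusted (2 references)
target     prot opt source               destination
IN_trusted_log  all  --  0.0.0.0/0            0.0.0.0/0
IN_trusted_deny  all  --  0.0.0.0/0            0.0.0.0/0
IN_trusted_allow  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FWDI_FedoraServer (2 references)
target     prot opt source               destination
FWDI_FedoraServer_log  all  --  0.0.0.0/0            0.0.0.0/0
FWDI_FedoraServer_deny  all  --  0.0.0.0/0            0.0.0.0/0
FWDI_FedoraServer_allow  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
EOF
)"

# Demo on the constructed sample: only IN_trusted ends in a catch-all ACCEPT.
# INPUT ends in REJECT and FWDI_FedoraServer ends in "ACCEPT icmp", so neither is listed.
printf '%s\n' "$SAMPLE_IPTABLES" | audit_catchall_accept
```

On a live host run `sudo iptables -L -n | audit_catchall_accept`. Two caveats: the non-verbose listing hides interface matches, so a rule that looks unconditional here may really be `-i lo` (the second INPUT rule above is such a case); confirm any hit with `sudo iptables -S <chain>`, which prints the rule as written. And on a firewalld host these chains are regenerated from the zone configuration, so the lasting fix is in the zone (`firewall-cmd --get-active-zones`, `firewall-cmd --info-zone=<zone>`), not a manual `iptables -D` that is lost on reload.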
