Make Bitwarden reachable only from one IP

Good day,
How is it possible to make Bitwarden reachable only from one IP?
I’ve entered IP tables rules, but these are ignored.

sudo iptables -A INPUT -p tcp --dport 80 -j DROP
sudo iptables -A INPUT -p udp --dport 80 -j DROP
sudo iptables -A INPUT -p tcp --dport 443 -j DROP
sudo iptables -A INPUT -p udp --dport 443 -j DROP
sudo iptables -A INPUT -p tcp -s 0.0.0.0 --dport 80 -j ACCEPT
sudo iptables -A INPUT -p udp -s 0.0.0.0 --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp -s 0.0.0.0 --dport 443 -j ACCEPT
sudo iptables -A INPUT -p udp -s 0.0.0.0 --dport 443 -j ACCEPT

Hello,

Now, I am not fluent in the iptables language, but shouldn’t you first specify which IPs are accepted and then drop everything else? To me it looks like you are dropping everything and then the accept rules are never reached. But, what do I know…?!

/Anders

By the way, 0.0.0.0 is just a placeholder.
IP tables rules are executed one after the other.
First, all incoming packets to ports 80 and 443 are blocked and then released, in this case only for IP 0.0.0.0.
Because Bitwarden is running in a Docker container, Bitwarden ignores these rules.
Is there possibly a solution from Bitwarden?

Then only allow that specific external IP in your Router/Modem Firewall rules. Then there will be no need to add the same rule in your host.

Hello @sb2014,
I guess you mean a self-hosted Bitwarden. In that case note that Docker itself modifies your IP Tables [1]. Having yourself and Docker modifying IP tables can cause unexpected behavior. You can achieve your goal by just modifying either docker-compose.yml or writing into docker-compose.override.yml the following [2]:

...
ports:
- 443:8443

into

ports:
- <ip-address>:443:8443

Hope this helps.

References

[1] Docker and iptables, https://docs.docker.com/network/iptables/
[2] Container Networking, https://docs.docker.com/config/containers/container-networking/

1 Like
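
The Docker documentation cited as [1] in the thread describes a DOCKER-USER chain for user rules that are evaluated before Docker's own. The script below is an added example, not part of any post in the thread, that generates source-address rules for that chain; the interface name eth0 and the address 203.0.113.10 are assumed sample values.

```shell
#!/bin/sh
# Added example (not from the thread). Traffic to a published container port is
# DNATed and forwarded, so it traverses FORWARD, where Docker jumps to the
# DOCKER-USER chain first, and does not pass through the INPUT chain.
# Assumed values in the usage line: interface eth0, client 203.0.113.10.

# Print one DROP rule per published host port for every source except <allowed>.
# Usage: docker_user_rules <allowed-ipv4[/cidr]> <external-if> <port> [<port>...]
docker_user_rules() {
    [ "$#" -ge 3 ] || { echo "usage: <allowed-ip> <ext-if> <port>..." >&2; return 1; }
    allowed=$1; ext_if=$2; shift 2
    case $allowed in
        ''|*[!0-9./]*) echo "invalid IPv4 address: $allowed" >&2; return 1 ;;
    esac
    case $ext_if in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid interface: $ext_if" >&2; return 1 ;;
    esac
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
        esac
        # After DNAT, --dport would be the container port (8443 in the thread),
        # so match the original destination port that conntrack recorded.
        echo "iptables -I DOCKER-USER -i $ext_if ! -s $allowed -p tcp" \
             "-m conntrack --ctorigdstport $port --ctdir ORIGINAL -j DROP"
    done
}

# Dry run by default; APPLY=1 (as root) installs the validated rules.
restrict_published_ports() {
    rules=$(docker_user_rules "$@") || return 1
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$rules" | sh -e
    else
        printf '%s\n' "$rules"
    fi
}

# e.g. ./restrict.sh 203.0.113.10 eth0 80 443
if [ "$#" -gt 0 ]; then restrict_published_ports "$@"; fi
```

Rules added this way are not persistent across reboots unless they are saved and restored by the host's firewall tooling.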