Network Management

This section describes the tools available in the “Network Management” panel.
They allow you to build a flexible, scalable, and secure network for internal services and employees.
All components are designed to work together: firewall rules filter traffic, N2N eliminates unnecessary hops between critical nodes, WireGuard provides secure connections for manual use, and the proxy is a powerful tool for applications.

Firewall

The firewall is the central tool for controlling incoming network traffic.

Node Groups

  • Combine machines into logical groups (e.g., db-cluster, app-frontend, ci-runners).
  • All nodes within a group are allowed to communicate with each other.
  • Rules apply only to incoming traffic.

Note

Traffic on interfaces such as local [lo] (127.0.0.0/8) and docker [docker0] is allowed by default.
However, for other interfaces, such as those whose names start with [br-..., veth...] (typically on the private subnets 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 ...), you may need to add their subnets to the allowlist manually.

Docker DNAT Protection

Cloudnetip Firewall protects ports published through Docker DNAT because it intercepts traffic at the PREROUTING stage, before Docker applies DNAT, by inserting its own rules ahead of Docker's chain.

When a packet arrives from outside to a published Docker port, the standard Linux packet flow is:

PREROUTING (raw/mangle/nat)
      ↓
DNAT (Docker)
      ↓
routing decision
      ↓
FORWARD / INPUT
      ↓
container

Docker performs DNAT in PREROUTING and “rewrites” the destination address:

public_ip:published_port → container_ip:container_port

🎉 Cloudnetip Firewall inserts rules into PREROUTING before the Docker DNAT chain, which means it:

  1. Sees the original packet before destination address translation
    dst = server_ip:published_port
  2. Can apply filtering before Docker, if the packet:
    • is not allowed by source IP
    • does not match policy
    • matches a drop rule

The packet is dropped before DNAT, therefore:

❌ Docker never even sees the packet

❌ the container receives no traffic

❌ the published port is effectively “closed from the outside”

Cloudnetip Firewall works as a pre-DNAT security layer. Without this level of filtering, Docker ports:

  • automatically become externally accessible when using -p
  • bypass a regular firewall if it only filters in INPUT/FORWARD
  • require separate iptables/nftables configuration
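The two pieces described above (a node group whose members are allowed in, and a drop rule that runs in PREROUTING before Docker's DNAT) can be expressed as one nftables table. The following generator is an added illustration written for this page, not Cloudnetip's own code: the table name cloudnetip_predocker, the chain name pre_dnat and the function names are made up here, and the addresses and ports passed in are constructed sample values. It assumes Docker is using iptables-nft, whose nat PREROUTING chain sits at the dstnat priority (-100); placing the filter chain at mangle priority (-150) keeps it after conntrack (-200), so ct state is usable, yet before Docker rewrites the destination, which is exactly the ordering the section relies on.

```python
import ipaddress

# netfilter prerouting hook priorities (numeric values as nftables uses them):
#   -200  conntrack lookup
#   -150  "mangle": our pre-DNAT filter goes here (conntrack state is known,
#                   Docker's DNAT has not happened yet)
#   -100  "dstnat": Docker's nat PREROUTING chain rewrites the destination here
CONNTRACK_PRIORITY = -200
PRE_DNAT_PRIORITY = -150
DOCKER_DNAT_PRIORITY = -100


def _normalise_members(group_members):
    """Parse node-group members (hosts or CIDRs) and split them by IP version."""
    nets = [ipaddress.ip_network(m, strict=False) for m in group_members]
    order = lambda n: (int(n.network_address), n.prefixlen)
    v4 = sorted((n for n in nets if n.version == 4), key=order)
    v6 = sorted((n for n in nets if n.version == 6), key=order)
    return [str(n) for n in v4], [str(n) for n in v6]


def _normalise_ports(published_ports):
    ports = sorted({int(p) for p in published_ports})
    if not ports or any(not 1 <= p <= 65535 for p in ports):
        raise ValueError("published_ports must be a non-empty set of ports in 1..65535")
    return ports


def build_pre_dnat_ruleset(group_members, published_ports, table="cloudnetip_predocker"):
    """Return an nftables ruleset (text for `nft -f`) that accepts traffic from the
    node group and drops everything else aimed at the published Docker ports,
    evaluated before Docker's DNAT so the container never sees the packet."""
    v4, v6 = _normalise_members(group_members)
    ports = _normalise_ports(published_ports)
    port_list = ", ".join(str(p) for p in ports)

    lines = [f"table inet {table} {{"]
    for name, kind, elems in (("allow_v4", "ipv4_addr", v4), ("allow_v6", "ipv6_addr", v6)):
        if elems:  # an empty set would be pointless; skip it and its rule
            lines += [
                f"    set {name} {{",
                f"        type {kind}",
                "        flags interval",
                f"        elements = {{ {', '.join(elems)} }}",
                "    }",
            ]
    lines += [
        "    chain pre_dnat {",
        f"        type filter hook prerouting priority {PRE_DNAT_PRIORITY}; policy accept;",
        '        iifname "lo" accept',
        "        ct state established,related accept",   # replies to our own connections
    ]
    if v4:
        lines.append("        ip saddr @allow_v4 accept")   # node-group members pass
    if v6:
        lines.append("        ip6 saddr @allow_v6 accept")
    # Anything else bound for a published port is dropped before Docker's DNAT.
    lines += [f"        tcp dport {{ {port_list} }} counter drop", "    }", "}"]
    return "\n".join(lines) + "\n"


def would_drop_before_dnat(src_ip, dst_port, group_members, published_ports):
    """Evaluate one packet in the same order as the generated chain
    (the lo and established,related shortcuts are not modelled)."""
    src = ipaddress.ip_address(src_ip)
    v4, v6 = _normalise_members(group_members)
    allowed = v4 if src.version == 4 else v6
    if any(src in ipaddress.ip_network(n) for n in allowed):
        return False                        # accepted by the allowlist rule
    return int(dst_port) in _normalise_ports(published_ports)


if __name__ == "__main__":
    # Constructed sample input: a two-member node group and two published ports.
    print(build_pre_dnat_ruleset(["203.0.113.0/24", "198.51.100.7"], [8080, 5432]))
```

Load the output with `nft -f` rather than with a `flush ruleset` preamble, since flushing would also remove the rules Docker itself installed; to reload idempotently, delete the table first (`nft delete table inet cloudnetip_predocker`) and then apply the file. The generated chain only covers TCP, which matches `-p` publishing of TCP ports; UDP publications would need a parallel `udp dport` rule.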

Blackhole

  • Blackhole — temporary, instant blocking of incoming traffic for selected nodes.
  • Implemented via API: bulk setting of IPv4/IPv6 addresses to a "drop" state without creating persistent rules.
  • Useful during incidents (DDoS, mass compromise) — quickly disable incoming traffic.

Warning: Blackhole immediately stops receiving packets but does not remove connection states on the peer side.

N2N

Netip N2N (Node to Node) — a high-speed secure tunnel established directly between two nodes with flexible configuration of allowed ports.

When to Use

  • For private data exchange between critical services without intermediate relays.
  • When minimal latency and predictable bandwidth are required.

WireGuard

WireGuard is a lightweight and fast VPN protocol focused on simplicity and security.

Deployment and Management

  • From the panel, you can deploy a WireGuard server and create client profiles.
  • Connection monitoring and tx/rx traffic control are supported.

Proxies

The goal is to enable browsers and other programs that use the TCP protocol to work through a proxy.

HTTP/S and CONNECT

  • HTTP/S proxy — the main way to set up proxying for browsers and TCP applications.
  • The CONNECT method is used for tunneling.
  • A single instance can be deployed on all nodes.

SSRF Protection

Built-in checks prevent the proxy from being used as a vector for SSRF (Server-Side Request Forgery).
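The page does not say how Cloudnetip implements its SSRF checks, so the following is an added example of the kind of check a CONNECT proxy performs, not the product's code. It vets the `host:port` target of a CONNECT request before dialling: the port must be on an allowlist, a literal IP or every address the hostname resolves to must be a public unicast address (loopback, link-local, the private ranges named in the firewall note, multicast and IPv4-mapped IPv6 forms of those are all rejected), and the already-vetted IP is returned so the dialer connects to it rather than resolving the name a second time. The function names, the exception class, the resolver stub and the hostname internal-host.example are assumptions made for the example; the resolver answers in the test are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


class SSRFBlocked(Exception):
    """Raised when a CONNECT target must not be proxied."""


# Ports a forward proxy normally needs to tunnel; everything else is refused.
ALLOWED_PORTS = frozenset({80, 443})


def _unwrap(ip):
    """Treat ::ffff:a.b.c.d the same as a.b.c.d so mapped forms cannot slip through."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_public_address(ip_str):
    """True only for globally routable unicast addresses."""
    ip = _unwrap(ipaddress.ip_address(ip_str.split("%")[0]))  # drop any zone id
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return False
    return ip.is_global


def _system_resolve(host):
    """Default resolver: every address the system returns for the name."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_connect_target(target, resolve=_system_resolve, allowed_ports=ALLOWED_PORTS):
    """Validate a CONNECT 'host:port' target and return (ip_to_dial, port).

    resolve(host) -> list of address strings; injected so the check can be
    exercised offline and so the caller dials the vetted address, not the name.
    """
    try:
        parts = urlsplit("//" + target)      # handles [v6]:port bracket syntax
        host, port = parts.hostname, parts.port
    except ValueError as exc:
        raise SSRFBlocked(f"malformed target {target!r}") from exc
    if not host or port is None:
        raise SSRFBlocked(f"target must be host:port, got {target!r}")
    if port not in allowed_ports:
        raise SSRFBlocked(f"port {port} is not permitted for CONNECT")

    try:
        ipaddress.ip_address(host)           # literal address: no lookup needed
        candidates = [host]
    except ValueError:
        candidates = list(resolve(host))     # hostname: check every answer
    if not candidates:
        raise SSRFBlocked(f"{host!r} does not resolve")

    # One internal answer among several is enough to refuse the whole target;
    # otherwise a mixed record set could steer the proxy into the internal network.
    for addr in candidates:
        if not is_public_address(addr):
            raise SSRFBlocked(f"{host!r} resolves to non-public address {addr}")
    return candidates[0], port


if __name__ == "__main__":
    # Constructed resolver answers standing in for real DNS.
    fake_dns = {"example.com": ["93.184.216.34"], "internal-host.example": ["10.0.0.5"]}
    for target in ("example.com:443", "internal-host.example:443", "[::ffff:127.0.0.1]:80"):
        try:
            print(target, "->", check_connect_target(target, resolve=lambda h: fake_dns.get(h, [])))
        except SSRFBlocked as err:
            print(target, "-> blocked:", err)
```

Returning the checked address and dialling it directly is what closes the time-of-check/time-of-use gap: if the proxy resolved the name again when connecting, a record that changes between the two lookups would bypass the check.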

HTTPS Certificate

An HTTPS proxy requires a valid certificate for its domain when clients connect.
If none is installed, a self-signed certificate is generated automatically, but correct operation with such a certificate is not guaranteed.