Publishes a new post about firewall rules for GPG server connections

_posts/2019-01-18-iptables-gpg-keys-retrieval-firewall-rules.md

@@ -0,0 +1,51 @@
+---
+title: "[IPTABLES] GPG keys retrieval firewall rules"
+date: 2019-01-18
+url: iptables-gpg-keys-retrieval-firewall-rules
+layout: post
+category: Security
+image: /img/blog/iptables-gpg-keys-retrieval-firewall-rules.png
+description: "A very short write-up about Linux firewall rules for GPG keys retrieval"
+---
+
+[![A missing blog post image](/img/blog/iptables-gpg-keys-retrieval-firewall-rules.png)](/img/blog/iptables-gpg-keys-retrieval-firewall-rules.png)
+
+### Introduction
+
+Sometimes you'll need to fetch GPG keys from a remote server (let's say the [MIT's](https://pgp.mit.edu/)) to enforce some signature verifications.
+
+"Sometimes" ?
+
+> Yeah, I meant "often", right ? :smirk:
+
+GPG uses a very unusual port (**11371/tcp**) for its remote connections.  
+Against a _regular_ firewall configuration (containing `DROP` policies on all chains, isn't it ?), it would be blocked by default.  
+You'll have to manually authorize it.
+
+### The procedure...
+
+#### ... when it's for the machine you are on
+
+{% highlight bash %}
+# Something like this would be required, please adapt it with your own firewall configuration.
+iptables -A INPUT -i "INPUT INTERFACE" -m conntrack --ctstate ESTABLISHED -j ACCEPT
+
+# ...
+
+iptables -A OUTPUT -o "OUTPUT INTERFACE" -p tcp --dport 11371 -m conntrack --ctstate NEW -j ACCEPT
+{% endhighlight %}
+
+#### ... when your machine is acting as a router / firewall
+
+{% highlight bash %}
+# Something like this would be required, please adapt it with your own firewall configuration.
+iptables -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
+
+# ...
+
+iptables -A FORWARD -i "INPUT INTERFACE" -o "OUTPUT INTERFACE" -p tcp --dport 11371 -m conntrack --ctstate NEW -j ACCEPT
+{% endhighlight %}
+
+### Conclusion
+
+No conclusion, 'hope it helped.