Publishes a new post about firewall rules for GPG server connections
This commit is contained in:
parent
a57e61809a
commit
ab7693e2f3
@ -0,0 +1,51 @@
---
title: "[IPTABLES] GPG keys retrieval firewall rules"
date: 2019-01-18
url: iptables-gpg-keys-retrieval-firewall-rules
layout: post
category: Security
image: /img/blog/iptables-gpg-keys-retrieval-firewall-rules.png
description: "A very short write-up about Linux firewall rules for GPG keys retrieval"
---

[](/img/blog/iptables-gpg-keys-retrieval-firewall-rules.png)

### Introduction

Sometimes you'll need to fetch GPG keys from a remote server (let's say the [MIT's](https://pgp.mit.edu/)) to enforce some signature verifications.

"Sometimes" ?

> Yeah, I meant "often", right ? :smirk:

GPG uses a very unusual port (**11371/tcp**) for its remote connections.
Against a _regular_ firewall configuration (containing `DROP` policies on all chains, isn't it ?), it would be blocked by default.
You'll have to manually authorize it.

### The procedure...

#### ... when it's for the machine you are on

{% highlight bash %}
# Something like this would be required, please adapt it with your own firewall configuration.
iptables -A INPUT -i "INPUT INTERFACE" -m conntrack --ctstate ESTABLISHED -j ACCEPT

# ...

iptables -A OUTPUT -o "OUTPUT INTERFACE" -p tcp --dport 11371 -m conntrack --ctstate NEW -j ACCEPT
{% endhighlight %}

#### ... when your machine is acting as a router / firewall

{% highlight bash %}
# Something like this would be required, please adapt it with your own firewall configuration.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT

# ...

iptables -A FORWARD -i "INPUT INTERFACE" -o "OUTPUT INTERFACE" -p tcp --dport 11371 -m conntrack --ctstate NEW -j ACCEPT
{% endhighlight %}

### Conclusion

No conclusion, 'hope it helped.
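Review bot: in the first block the OUTPUT rule only matches `--ctstate NEW`, so under the `DROP` policy on all chains that the introduction assumes, every outbound packet after the initial SYN (which conntrack classifies as `ESTABLISHED`) is still dropped unless the elided `# ...` part carries a rule such as `iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT`; either show that rule explicitly or match `--ctstate NEW,ESTABLISHED` on the 11371 rule. The FORWARD block does not have this gap, because its first rule is not restricted by interface and therefore covers both directions of the forwarded connection. Also worth a sentence next to "very unusual port": 11371/tcp is the default port of the plain `hkp://` keyserver scheme only; a keyserver reached over `hkps://` uses 443/tcp, so these rules do nothing for it, and since plain HKP is neither encrypted nor authenticated, the post could remind readers to check the retrieved key's fingerprint against a value obtained out of band before trusting it for signature verification.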
BIN
img/blog/iptables-gpg-keys-retrieval-firewall-rules.png
(Stored with Git LFS)
Normal file
Binary file not shown.