---
title: "[IPTABLES] GPG keys retrieval firewall rules"
date: 2019-01-18
url: iptables-gpg-keys-retrieval-firewall-rules
layout: post
category: Security
image: /img/blog/iptables-gpg-keys-retrieval-firewall-rules.png
description: "A very short write-up about Linux firewall rules for GPG keys retrieval"
---

[![A missing blog post image](/img/blog/iptables-gpg-keys-retrieval-firewall-rules.png)](/img/blog/iptables-gpg-keys-retrieval-firewall-rules.png)

### Introduction

Sometimes you'll need to fetch GPG keys from a remote keyserver (say [MIT's](https://pgp.mit.edu/)) to verify signatures.

"Sometimes"?

> Yeah, I meant "often", right? :smirk:

GPG uses an unusual port (**11371/tcp**) to talk to keyservers.  
With a _regular_ firewall configuration (`DROP` policies on all chains, right?), that traffic is blocked by default.  
You'll have to authorize it manually.

### The procedure...

#### ... when it's for the machine you are on

{% highlight bash %}
# Something like this would be required, please adapt it to your own firewall configuration.
# Let the replies to connections this host opened come back in.
iptables -A INPUT -i "INPUT INTERFACE" -m conntrack --ctstate ESTABLISHED -j ACCEPT

# ...

# Allow new outbound connections to the keyserver port.
iptables -A OUTPUT -o "OUTPUT INTERFACE" -p tcp --dport 11371 -m conntrack --ctstate NEW -j ACCEPT
{% endhighlight %}

#### ... when your machine is acting as a router / firewall

{% highlight bash %}
# Something like this would be required, please adapt it to your own firewall configuration.
# Let the replies of forwarded connections flow back through the router.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT

# ...

# Allow new connections to the keyserver port from the inside interface towards the outside one.
iptables -A FORWARD -i "INPUT INTERFACE" -o "OUTPUT INTERFACE" -p tcp --dport 11371 -m conntrack --ctstate NEW -j ACCEPT
{% endhighlight %}
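As an added example (not part of the original post), here is a small script that builds both rule sets above from interface placeholders, applies them idempotently (`iptables -C` first, `-A` only when missing) and checks an `iptables -S` dump for the keyserver rule; the interface names and the `HKP_PORT` variable are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the post's own code. Interface names are placeholders.
HKP_PORT=11371   # the keyserver port named in the post

# Rules for the "machine you are on" case (INPUT/OUTPUT chains).
host_rules() {
  local in_if="$1" out_if="$2"
  printf '%s\n' \
    "-A INPUT -i $in_if -m conntrack --ctstate ESTABLISHED -j ACCEPT" \
    "-A OUTPUT -o $out_if -p tcp --dport $HKP_PORT -m conntrack --ctstate NEW -j ACCEPT"
}

# Rules for the router / firewall case (FORWARD chain).
router_rules() {
  local in_if="$1" out_if="$2"
  printf '%s\n' \
    "-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT" \
    "-A FORWARD -i $in_if -o $out_if -p tcp --dport $HKP_PORT -m conntrack --ctstate NEW -j ACCEPT"
}

# Append a rule only when it is not already present (iptables -C exits 0 on a match),
# so re-running the script never duplicates rules. Needs root and a real iptables.
apply_rule() {
  local spec="${1#-A }"          # "-A CHAIN ..." -> "CHAIN ..."
  # shellcheck disable=SC2086
  iptables -C $spec 2>/dev/null || iptables -A $spec
}

# Read an `iptables -S` dump on stdin; exit 0 if CHAIN already accepts new
# connections to the keyserver port, 1 otherwise. `-S` prints the match
# options in the order they were given, so --dport precedes --ctstate here.
hkp_allowed_in() {
  local chain="$1"
  grep -Eq "^-A $chain .*-p tcp .*--dport $HKP_PORT .*--ctstate NEW .*-j ACCEPT"
}

# Usage: pick the mode matching your setup, e.g. on the host itself:
#   host_rules eth0 eth0 | while read -r r; do apply_rule "$r"; done
#   iptables -S | hkp_allowed_in OUTPUT && echo "keyserver rule present"
```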

### Conclusion

No conclusion, I hope it helped.