---
title: "[IPTABLES] GPG keys retrieval firewall rules"
date: 2019-01-18
url: iptables-gpg-keys-retrieval-firewall-rules
layout: post
category: Security
image: /img/blog/iptables-gpg-keys-retrieval-firewall-rules.png
description: A very short write-up about Linux firewall rules for GPG keys retrieval
---


Introduction

Sometimes you'll need to fetch GPG keys from a remote keyserver (let's say the MIT one) in order to verify signatures.

"Sometimes"?

Yeah, I meant "often", right? 😏

GPG's keyserver protocol (HKP) uses a very unusual port for its remote connections: 11371/tcp. (If you point GPG at an hkps:// keyserver instead, the traffic goes to 443/tcp and this port is not involved.)
With a regular firewall configuration (a DROP policy on every chain, right?), such connections are blocked by default.
You'll have to authorize them manually. The rules below only cover the HKP connection itself; resolving the keyserver's name (DNS, 53/udp and 53/tcp) must of course be allowed as well.

The procedure...

... when it's for the machine you are on

Something like this would be required, please adapt it to your own firewall configuration.

{% highlight bash %}
# Let the keyserver's replies (part of a connection this host opened) back in
iptables -A INPUT -i "INPUT INTERFACE" -m conntrack --ctstate ESTABLISHED -j ACCEPT

# ... (your other rules; with a DROP policy on OUTPUT they must include an
# ESTABLISHED rule for that chain too, because the rule below only matches
# the first packet of the connection)

# Allow new outbound connections to the HKP keyserver port
iptables -A OUTPUT -o "OUTPUT INTERFACE" -p tcp --dport 11371 -m conntrack --ctstate NEW -j ACCEPT
{% endhighlight %}

... when your machine is acting as a router / firewall

Something like this would be required, please adapt it to your own firewall configuration.

{% highlight bash %}
# Let packets of already established connections through, in both directions
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT

# ... (your other FORWARD rules)

# Allow new connections coming from the inside interface to reach the HKP
# port through the outside interface
iptables -A FORWARD -i "INPUT INTERFACE" -o "OUTPUT INTERFACE" -p tcp --dport 11371 -m conntrack --ctstate NEW -j ACCEPT
{% endhighlight %}
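Both procedures above, as one added example that is not part of the original post: a small POSIX shell script that emits the rules for either case (local host or router) and applies them without creating duplicates on re-runs. The interface names (eth0, eth1) are placeholders, and the IPTABLES variable, the reply rules restricted to --sport 11371 and the NEW,ESTABLISHED state on the outbound rules are choices made here, not the post's.

```sh
#!/bin/sh
# Added example, not from the original post: build and apply the HKP
# (11371/tcp) rules for both cases, the local host and a router, without
# duplicating them on re-runs. Interface names are placeholders and the
# IPTABLES variable is an assumption of this script: set it to "echo" for
# a dry run that needs no root and changes nothing.
: "${IPTABLES:=iptables}"

# Emit the rules for one mode as "<chain> <match ...>" lines.
# Usage: hkp_rules host|router INBOUND_IF OUTBOUND_IF
# Unlike the post's snippets, the reply rules match --sport 11371 so they
# only cover keyserver traffic, and the outbound rules carry ESTABLISHED
# as well as NEW so the connection survives past its first packet even
# with a DROP policy and no generic ESTABLISHED rule.
hkp_rules() {
    mode=$1 in_if=$2 out_if=$3
    case $mode in
    host)
        printf '%s\n' \
          "INPUT -i $in_if -p tcp --sport 11371 -m conntrack --ctstate ESTABLISHED -j ACCEPT" \
          "OUTPUT -o $out_if -p tcp --dport 11371 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
        ;;
    router)
        # Clients on the inside ($in_if) are forwarded out to the keyserver
        # through $out_if; the keyserver's replies travel the other way.
        printf '%s\n' \
          "FORWARD -i $out_if -o $in_if -p tcp --sport 11371 -m conntrack --ctstate ESTABLISHED -j ACCEPT" \
          "FORWARD -i $in_if -o $out_if -p tcp --dport 11371 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
        ;;
    *)
        echo "usage: hkp_rules host|router INBOUND_IF OUTBOUND_IF" >&2
        return 2
        ;;
    esac
}

# Apply each rule only if it is not already present: "iptables -C" looks
# for an identical rule and fails when there is none, then "-A" appends it.
apply_hkp_rules() {
    hkp_rules "$@" | while IFS= read -r rule; do
        # $rule is deliberately unquoted so it splits into iptables arguments.
        # shellcheck disable=SC2086
        $IPTABLES -C $rule 2>/dev/null || $IPTABLES -A $rule
    done
}

# When executed directly with arguments, apply them (e.g. "host eth0 eth0").
if [ $# -gt 0 ]; then
    apply_hkp_rules "$@"
fi
```

A dry run such as `IPTABLES=echo sh hkp-rules.sh router eth1 eth0` prints the `-C` checks that would be made (and, under a real iptables, the `-A` appends that follow when a check fails). After applying for real, `iptables -S OUTPUT` (or `iptables -S FORWARD` on a router) should show the new rules, and a fetch against the MIT keyserver, `gpg --keyserver hkp://pgp.mit.edu --recv-keys <FINGERPRINT>`, confirms that the port is actually open.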

Conclusion

No conclusion, 'hope it helped.