52 lines
1.7 KiB
Markdown
52 lines
1.7 KiB
Markdown
---
|
|
title: "[IPTABLES] GPG keys retrieval firewall rules"
|
|
date: 2019-01-18
|
|
url: iptables-gpg-keys-retrieval-firewall-rules
|
|
layout: post
|
|
category: Security
|
|
image: /img/blog/iptables-gpg-keys-retrieval-firewall-rules.png
|
|
description: "A very short write-up about Linux firewall rules for GPG keys retrieval"
|
|
---
|
|
|
|
[](/img/blog/iptables-gpg-keys-retrieval-firewall-rules.png)
|
|
|
|
### Introduction
|
|
|
|
Sometimes you'll need to fetch GPG keys from a remote server (let's say the [MIT's](https://pgp.mit.edu/)) to enforce some signature verifications.
|
|
|
|
"Sometimes" ?
|
|
|
|
> Yeah, I meant "often", right ? :smirk:
|
|
|
|
GPG uses a very unusual port (**11371/tcp**) for its remote connections.
|
|
Against a _regular_ firewall configuration (containing `DROP` policies on all chains, isn't it ?), it would be blocked by default.
|
|
You'll have to manually authorize it.
|
|
|
|
### The procedure...
|
|
|
|
#### ... when it's for the machine you are on
|
|
|
|
{% highlight bash %}
|
|
# Something like this would be required, please adapt it with your own firewall configuration.
|
|
iptables -A INPUT -i "INPUT INTERFACE" -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
|
|
|
# ...
|
|
|
|
iptables -A OUTPUT -o "OUTPUT INTERFACE" -p tcp --dport 11371 -m conntrack --ctstate NEW -j ACCEPT
|
|
{% endhighlight %}
|
|
|
|
#### ... when your machine is acting as a router / firewall
|
|
|
|
{% highlight bash %}
|
|
# Something like this would be required, please adapt it with your own firewall configuration.
|
|
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
|
|
|
# ...
|
|
|
|
iptables -A FORWARD -i "INPUT INTERFACE" -o "OUTPUT INTERFACE" -p tcp --dport 11371 -m conntrack --ctstate NEW -j ACCEPT
|
|
{% endhighlight %}
|
|
|
|
### Conclusion
|
|
|
|
No conclusion, 'hope it helped.
|