Setting up iptables filter to allow Git

user3396509 asked:

Sorry, I am new at this server stuff, so bear with me, and if I’m missing any info let me know!

I’m trying to set up my Ubuntu 14.04.2 LTS server to have a solid iptables firewall. Right now I think it is pretty good; however, I cannot do any git pulls on the server when iptables is active… so the workaround is to turn off the firewall, do a pull, then re-activate the firewall. It’s annoying, and introduces the human error of not turning the firewall back on.

I made my iptables rules from a couple of resources, and the git rules from here:
http://www.nigeldunn.com/2011/06/29/iptables-rules-to-allow-git/

I tried putting logging in to see what packets are getting blocked by the git pull, but nothing shows up in /var/log/kern.log (although other things get logged in there unrelated so I know it’s working).

When doing a git pull I get this:

ssh: Could not resolve hostname equity1.projectlocker.com: Name or service not known
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Here is my iptables configuration:

#!/bin/sh

echo "Flushing iptable rules"
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

echo "Setting default drop rules"
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

echo "Enabling loopback"
# Allow unlimited traffic on loopback
#iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -o lo -j ACCEPT

echo "Allowing new and established incoming connections to port 22,80,443,3000, and 9418"
# Multiport - Allow incoming + outgoing 
#       SSH (22),
#       Web Traffic (80, 3000),
#       Secure Web Traffic (443)
#       Git (9418)
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443,3000,9418 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443,3000,9418 -m state --state ESTABLISHED -j ACCEPT

echo "Port forwarding from port 3000 to 80"
# Port Forward to 3000
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3000

echo "Enabling ICMP (Pings, echos)"
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

echo "Preventing DDOS attacks"
# Prevent DOS Attacks
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

echo "Enabling logging"
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP

# lastly:
# make sure nothing comes or goes out of this box
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP

Updated:

echo "Flushing iptable rules"
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

echo "Setting default drop rules"
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow DNS Queries for Git
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p udp --sport 53 -m state --state ESTABLISHED     -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp --sport 53 -m state --state ESTABLISHED     -j ACCEPT
...

My answer:

You forgot to allow outgoing DNS queries, thus ssh can’t find the IP address for the hostname.

You need to allow outgoing traffic to TCP port 53 and UDP port 53.

View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.